CVE-2019-0708: Wormable critical RDP vulnerability in older Windows versions

On May 14, 2019, Microsoft released patches for a critical vulnerability (CVE-2019-0708) in Remote Desktop Services/Terminal Services affecting the following versions of Windows:

  • Windows XP (all)
  • Windows 2003 (all)
  • Windows 7 SP 1 (32 and 64 bit)
  • Windows Server 2008:
    • 32 bit SP2
    • 32 bit SP2 (Server Core Installation)
    • Itanium-Based SP2
    • 64 bit SP2
    • 64 bit SP2 (Server Core Installation)
  • Windows Server 2008 R2:
    • R2 for Itanium-Based Systems SP1
    • R2 for 64 bit Systems SP1
    • R2 for 64 bit Systems SP1 (Server Core Installation)

This vulnerability utilizes a specially-crafted packet to execute arbitrary code on the victim system and does not require successful authentication. It requires only that the system be vulnerable and reachable via RDP from the attack platform.

Importantly, this vulnerability can be exploited in such a fashion as to worm across networks, using recently infected systems to infect more and more systems until all reachable vulnerable systems have been infected.

According to Microsoft, the vulnerability has yet to be either disclosed or exploited, and no attacks exploiting this vulnerability have been seen in the wild at the time of this writing. Still, given the potential for worming activity, an abundance of caution is recommended, specifically patching vulnerable operating systems. In addition, inbound RDP at the edge of your network should be restricted as much as possible, preferably to only allow specific authorized sources.

If you are using any of the affected OS versions, please follow the appropriate mitigation steps below:

  • In-support Windows OSes (Windows 7, Windows Server 2008): Use the provided patches to patch your OS.
  • Out-of-support Windows OSes (Windows XP, Windows 2003): Use the provided patches to patch your OS (and seriously consider upgrading). Microsoft does not normally provide patches for out-of-support OSes but made an exception in this case because of the criticality of the vulnerability.
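To turn the advisory's two recommendations (patch affected versions, restrict inbound RDP to authorized sources) into a repeatable triage, here is an added example that is not from the original post or from Swimlane. It walks a constructed asset inventory, flags hosts whose OS appears in the affected list above, and reports which action applies. The inventory format, the host records, the `AUTHORIZED_RDP_SOURCES` range and the action wording are all assumptions made for the example; the affected-version list is the one given in the advisory.

```python
"""Triage an asset inventory for CVE-2019-0708 exposure.

Added example, not part of the original advisory. The affected-OS list comes
from the advisory text; the inventory format and sample hosts are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_network
from typing import Dict, List, Optional

# Affected product families as listed in the advisory, mapped to support status.
# Service-pack granularity is deliberately ignored: anything in these families
# should be checked. Keys are lower-case so matching is case-insensitive.
AFFECTED = {
    "windows xp": "out-of-support",
    "windows server 2003": "out-of-support",
    "windows 7": "in-support",
    "windows server 2008": "in-support",
    "windows server 2008 r2": "in-support",
}

# Constructed: the only source range this organization allows to reach RDP.
AUTHORIZED_RDP_SOURCES = [ip_network("10.20.0.0/24")]

# Action strings, so callers can match on them rather than on free text.
ACTION_PATCH = "apply Microsoft's CVE-2019-0708 patch"
ACTION_PATCH_AND_UPGRADE = ("apply Microsoft's out-of-band CVE-2019-0708 patch "
                            "and plan an upgrade off the out-of-support OS")
ACTION_RESTRICT_RDP = "restrict inbound RDP (TCP 3389) at the edge to authorized sources"


@dataclass
class Host:
    name: str
    os_name: str
    rdp_listening: bool                         # TCP 3389 open on the host
    rdp_reachable_from: List[str] = field(default_factory=list)  # CIDR strings (constructed)


def affected_status(os_name: str) -> Optional[str]:
    """Return 'in-support' / 'out-of-support' if the OS is in the advisory list, else None."""
    key = os_name.strip().lower()
    # Longest product name first so 'Windows Server 2008 R2' is not matched as 2008.
    for product in sorted(AFFECTED, key=len, reverse=True):
        if key.startswith(product):
            return AFFECTED[product]
    return None


def rdp_exposed_to_unauthorized(host: Host) -> bool:
    """True if RDP listens and any reachable source range is not within an authorized range."""
    if not host.rdp_listening:
        return False
    for src in host.rdp_reachable_from:
        net = ip_network(src, strict=False)
        if not any(net.subnet_of(auth) for auth in AUTHORIZED_RDP_SOURCES):
            return True
    return False


def triage(host: Host) -> List[str]:
    """Return the advisory's recommended actions for one host (empty if not affected)."""
    status = affected_status(host.os_name)
    if status is None:
        return []
    actions = [ACTION_PATCH if status == "in-support" else ACTION_PATCH_AND_UPGRADE]
    # A wormable, unauthenticated bug makes unrestricted RDP reachability the priority.
    if rdp_exposed_to_unauthorized(host):
        actions.append(ACTION_RESTRICT_RDP)
    return actions


def run_example() -> Dict[str, List[str]]:
    """Triage a constructed inventory and return host name -> actions."""
    inventory = [
        Host("dc01", "Windows Server 2008 R2 SP1", True, ["10.20.0.0/24"]),
        Host("kiosk-xp", "Windows XP SP3", True, ["0.0.0.0/0"]),
        Host("ws-win10", "Windows 10", True, ["0.0.0.0/0"]),
        Host("legacy-2003", "Windows Server 2003 R2", False, []),
    ]
    return {h.name: triage(h) for h in inventory}


if __name__ == "__main__":
    for name, actions in run_example().items():
        print(f"{name}: {'; '.join(actions) if actions else 'not affected'}")
```

The exposure check treats a reachable source range as authorized only if it sits entirely inside an allowed range, so a host reachable from `0.0.0.0/0` is flagged even when the authorized subnet is one of its sources. Feed it real inventory and firewall data in place of the constructed records to get a prioritized patch-and-restrict list.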

This is a Security Bloggers Network syndicated blog from Swimlane, authored by Nick Tausek.