The UK’s National Cyber Security Centre has reported a critical vulnerability to Microsoft which could potentially be used in a global malware attack akin to the WannaCry ransomware attacks of 2017.
The flaw is in Remote Desktop Services and is a remote code execution vulnerability that requires a low level of skill to exploit.
The vulnerability is wormable, pre-authentication, and requires no user interaction. A remote attacker could exploit the flaw by sending specially crafted requests to Remote Desktop Services via RDP. Once exploited, an attacker would have access to the targeted device and could obtain, alter, or delete data, install malware and other programs, and create new user accounts with full admin privileges. If the exploit were incorporated into malware, it would be possible for the malware to propagate across the entire network and infect all vulnerable devices.
On May 2019 Patch Tuesday, Microsoft issued a patch to correct the flaw. The patch changes the way Remote Desktop Services handles connection requests. Microsoft has not observed any attacks exploiting the flaw to date, although the company anticipates an exploit will be developed and incorporated into malware which will be used to attack systems that have not been patched.
Since this is a wormable vulnerability, it will be of great interest to hackers. It is probable that an exploit for the vulnerability will be developed and used in attacks within just a few days now that the patch has been released. Consequently, it is imperative that the patch be applied as soon as possible to prevent the flaw from being exploited.
The vulnerability, CVE-2019-0708, is present in older Windows versions. Windows 8 and Windows 10 are unaffected. Operating systems containing the vulnerability are:
- Windows Server 2008 R2
- Windows Server 2008
- Windows 7
- Windows XP
- Windows 2003
As was the case with the vulnerability that was exploited by WannaCry ransomware, Microsoft has also released patches for Windows 2003 and Windows XP, even though both operating systems are no longer supported.
If vulnerable operating systems are used and the patch cannot be applied promptly, there is a workaround which will provide some protection against attacks.
The first step is to enable Network Level Authentication (NLA) on all systems running Windows 7, Windows Server 2008, and Windows Server 2008 R2. This will prevent exploitation of the flaw by unauthorized individuals. With NLA enabled, an attacker would need to authenticate to Remote Desktop Services on a targeted system using a valid account. TCP port 3389 should also be blocked on the enterprise firewall.
The workaround should not be considered an alternative to patching. The patch should still be applied as soon as possible even if the workaround is implemented.
If Remote Desktop Services or Remote Desktop Protocol are not used, both should be disabled as a security best practice.
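The workaround above can be audited and applied per host with a short script. This is an added example, not code from Microsoft or the NCSC: the registry paths are the standard Windows locations for the Remote Desktop settings, while the script's switch and function names are hypothetical.

```powershell
# Added example: audit and apply the RDP workaround on one host (run elevated).
param(
    [switch]$EnableNla,   # hypothetical switch: require NLA for RDP connections
    [switch]$DisableRdp   # hypothetical switch: turn Remote Desktop off entirely
)

$tsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcpKey = "$tsKey\WinStations\RDP-Tcp"
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RegValue($Path, $Name) {
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

function Get-EffectiveValue($LocalPath, $Name) {
    # A Group Policy value, when present, overrides the local setting.
    $policy = Get-RegValue $policyKey $Name
    if ($policy -ne $null) { $policy } else { Get-RegValue $LocalPath $Name }
}

function Get-RdpWorkaroundState {
    $deny = Get-EffectiveValue $tsKey 'fDenyTSConnections'      # 0 = RDP enabled
    $nla  = Get-EffectiveValue $rdpTcpKey 'UserAuthentication'  # 1 = NLA required
    New-Object PSObject -Property @{
        Computer    = $env:COMPUTERNAME
        RdpEnabled  = ($deny -eq 0)
        NlaRequired = ($nla -eq 1)
        # Exposed: RDP accepts connections without authenticating first.
        Exposed     = ($deny -eq 0) -and ($nla -ne 1)
    }
}

# Apply the requested change to the local settings, then report the result.
if ($DisableRdp) { Set-ItemProperty -Path $tsKey -Name 'fDenyTSConnections' -Value 1 }
if ($EnableNla)  { Set-ItemProperty -Path $rdpTcpKey -Name 'UserAuthentication' -Value 1 }

Get-RdpWorkaroundState
```

If `Exposed` is still true after a change, a Group Policy setting is overriding the local value and has to be corrected in the policy itself. A host reporting `Exposed` as false still needs the patch.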