
Windows RDP Remote Code Execution Vulnerability

Reference: Advisory #2019-013
Version: 1.0
Affected software: Windows 7, Windows 2008 & 2008 R2, Windows XP, Windows 2003
Type: Remote Code Execution
CVE/CVSS: CVE-2019-0708 - CVSS score: 9.8

Sources

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708

Risks

Complete compromise of system availability, confidentiality of system data, and/or system integrity, with a strong possibility of compromised systems becoming part of a wider attack vector, similar to what was seen in 2017 in the case of WannaCry.

Description

An unauthenticated attacker can remotely execute arbitrary code by sending maliciously crafted input that exploits a vulnerability in the Microsoft Windows RDP service. The fact that Microsoft has chosen to provide patches for Windows 2003 and Windows XP demonstrates how critical this vulnerability is and the urgency with which system administrators should apply the necessary patches.

Newer versions of Windows (starting from Windows 8 and Server 2012) are not impacted.

Recommended Actions

CERT.be recommends that administrators update their Microsoft Windows systems with the latest available patches as soon as possible:

• Windows 7 & Server 2008 (R2): https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708

• Windows XP and 2003: https://support.microsoft.com/en-us/help/4500705/customer-guidance-for-cve-2019-0708

If patching cannot be done immediately, you can apply several mitigations:

• Disable RDP if it is not used (best practice).

• Enable Network Level Authentication (NLA) on systems running supported editions of Windows 7, Windows Server 2008, and Windows Server 2008 R2. This requires an attacker to first authenticate with a valid system account in order to exploit this vulnerability.

• Block TCP port 3389 at the enterprise perimeter firewall to mitigate remote exploitation. (Note that this provides no mitigation against exploitation from within the enterprise network.)

• Configure host-based firewall policies to constrain RDP connections to a limited set of IP addresses, so that only system administrators can connect.
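The following PowerShell script is an added example and is not part of the CERT.be advisory or of Microsoft's guidance. It audits the three host-side mitigations listed above on a Windows 7 / Server 2008 (R2) machine (RDP enabled or not, NLA required or not, inbound RDP firewall rule scoped or open to any address) and, with the -Remediate switch, applies the NLA and firewall-scoping mitigations. The registry values, the WMI class Win32_TSGeneralSetting and the built-in firewall rule name "Remote Desktop (TCP-In)" are the standard ones on those Windows versions; the -AllowedAdminSubnets parameter and its default address range are constructed placeholders that must be replaced with the organisation's own administrator networks. Run it from an elevated PowerShell prompt.

```powershell
<#
  Added example (not the advisory's own code): audit and optionally apply the
  CVE-2019-0708 host mitigations on Windows 7 / Server 2008 (R2).
  -AllowedAdminSubnets is an assumed parameter; its default is a constructed placeholder.
#>
param(
    [switch]$Remediate,
    [string[]]$AllowedAdminSubnets = @('10.0.10.0/24')   # constructed placeholder: replace with your admin jump-host range
)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$tsKey\WinStations\RDP-Tcp"

# 1. Is RDP enabled at all? fDenyTSConnections = 1 means Remote Desktop is disabled,
#    so the vulnerable listener is not exposed and no further mitigation is needed.
$denyTs = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections
if ($denyTs -eq 1) {
    Write-Output 'RDP is disabled (fDenyTSConnections=1): the RDP listener is not exposed.'
} else {
    Write-Output 'RDP is ENABLED. Disable it if this host does not need Remote Desktop.'
}

# 2. Network Level Authentication: UserAuthentication = 1 forces the client to authenticate
#    before a session is created, so an unauthenticated attacker never reaches the
#    pre-authentication code path the advisory describes.
$nla = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication).UserAuthentication
if ($nla -eq 1) {
    Write-Output 'NLA is enabled (UserAuthentication=1).'
} else {
    Write-Output 'NLA is DISABLED: unauthenticated clients can reach the RDP listener.'
    if ($Remediate) {
        # The same setting exposed through WMI; the method also fails cleanly if the
        # host does not support NLA (e.g. a non-supported edition).
        $ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
                            -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
        $ts.SetUserAuthenticationRequired(1) | Out-Null
        Write-Output 'NLA has been enabled.'
    }
}

# 3. Host firewall scoping: restrict the built-in inbound RDP rule to administrator subnets.
#    netsh is used because the NetSecurity cmdlets (New-NetFirewallRule, Set-NetFirewallRule)
#    only exist from Windows 8 / Server 2012 onward, which are not affected by this CVE.
$ruleName = 'Remote Desktop (TCP-In)'
$rule = netsh advfirewall firewall show rule name="$ruleName"
if ($rule -match 'RemoteIP:\s+Any') {
    Write-Output "Firewall rule '$ruleName' accepts RDP connections from ANY remote address."
    if ($Remediate) {
        $scope = $AllowedAdminSubnets -join ','
        netsh advfirewall firewall set rule name="$ruleName" new remoteip=$scope | Out-Null
        Write-Output "Firewall rule '$ruleName' is now limited to: $scope"
    }
} else {
    Write-Output "Firewall rule '$ruleName' is already scoped:"
    $rule | Where-Object { $_ -match 'RemoteIP' }
}
```

Run the script without arguments first to get a read-only report; rerun with -Remediate once the administrator subnets have been set. Note that scoping the host firewall rule does not replace the perimeter block on TCP port 3389, and neither of these replaces installing the patch: they only reduce who can reach the vulnerable service until the update is applied.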