On May 14, 2019, Microsoft released a patch for CVE-2019-0708, a remote code execution vulnerability in Remote Desktop Services (RDS), formerly known as Terminal Services, that affects some older versions of Windows. Exploit code is not yet available, but Microsoft expects this will change quickly.
This vulnerability allows an attacker to compromise a system without authentication or user interaction, which means malware exploiting it can be self-replicating, or wormable. It could be used to build malware similar to WannaCry, which spread globally in 2017.
The vulnerability is limited to the platforms listed below. Windows 8, Windows 10 and later versions are not affected by this vulnerability.
Using network sensors, UISO has identified systems that were actively running Remote Desktop Protocol (RDP) over the last 30 days. UIPO has been contacting the individuals responsible for those systems to ensure that they are either running a version of Windows not affected by this threat, or have been patched or mitigated accordingly.
While RDP port 3389 is blocked at the border routers, many users run RDP over alternative ports, which are not blocked. These systems should be reviewed carefully to ensure they are not vulnerable to this threat, and users should consider restricting access to trusted IPs.
Systems that are still in support should have this update applied immediately if automatic patching is disabled.
Out-of-support systems such as Windows 2003 and Windows XP should be upgraded to a supported version. However, Microsoft has also released patches for these out-of-support versions; they can be found in KB4500705.
If such systems are not capable of being upgraded at this time, then one of the following should be done:
- Disable Remote Desktop Services on the system.
- If RDS needs to remain enabled, ensure that firewall rules allow access to the RDS port only from trusted hosts.
- Remove the system from general access on the IU network.
Enabling Network Level Authentication (NLA) will prevent unauthenticated attacks, because the client must authenticate before reaching the vulnerable code, but the system will still be vulnerable to attackers who hold valid credentials for it.
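As an added example that is not part of the UISO advisory, the following PowerShell audits a single host against the points above: whether RDS is enabled, which port it listens on (since only 3389 is blocked at the border), and whether NLA is required, with one function per mitigation. It assumes the standard Terminal Server registry locations and cmdlets available in the PowerShell 2.0 shipped with Windows 7/2008; the firewall rule name and the trusted address range are placeholders.

```powershell
# Added example, not part of the UISO advisory. Audits one Windows host's RDS exposure
# for the CVE-2019-0708 mitigations above and provides a function per mitigation.
# Run from an elevated PowerShell prompt on the host being reviewed.
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

function Get-RdsExposure {
    $ts  = Get-ItemProperty -Path $tsKey
    $rdp = Get-ItemProperty -Path $rdpKey
    $os  = Get-WmiObject -Class Win32_OperatingSystem
    # fDenyTSConnections = 1 means Remote Desktop is switched off (first mitigation above).
    $rdsEnabled = ($ts.fDenyTSConnections -eq 0)
    # UserAuthentication = 1 means NLA is required; missing or 0 means unauthenticated
    # clients reach RDS before any credential check (Windows XP/2003 have no NLA at all).
    $nlaRequired = ($rdp.UserAuthentication -eq 1)
    # PortNumber is the actual listening port; only 3389 is blocked at the border routers.
    $port = $rdp.PortNumber
    New-Object PSObject -Property @{
        OSVersion   = $os.Version
        RdsEnabled  = $rdsEnabled
        RdpPort     = $port
        NlaRequired = $nlaRequired
        # RDS reachable without NLA is the case to review first.
        NeedsReview = ($rdsEnabled -and (-not $nlaRequired))
    }
}

function Disable-Rds {
    # First mitigation: disable Remote Desktop Services on the host.
    Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1
}

function Enable-RdsNla {
    # Final mitigation: require Network Level Authentication for new connections.
    Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1
}

function Restrict-RdsToTrustedHosts {
    # Second mitigation: scope the existing RDS allow rule to trusted addresses.
    # Windows Firewall evaluates block rules before allow rules, so narrowing the allow
    # rule is the right change; a separate block rule would also block the trusted hosts.
    # netsh is used because the New-NetFirewallRule cmdlets do not exist on Windows 7/2008.
    # Rule name assumes the built-in rule; a host on an alternative port needs the name of
    # the rule that opened that port. The address range is a placeholder.
    param([string]$TrustedRange = '10.0.0.0/8', [string]$RuleName = 'Remote Desktop (TCP-In)')
    netsh advfirewall firewall set rule name="$RuleName" new remoteip=$TrustedRange
}

Get-RdsExposure | Format-List
```

The script only reports by default; call Disable-Rds, Enable-RdsNla or Restrict-RdsToTrustedHosts explicitly once you have decided which mitigation applies to the host.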