Remote Desktop Services Remote Code Execution Vulnerability
E2E Networks is aware and keeping a close watch on the recently disclosed Remote Code Execution(RCE) vulnerabilities by Microsoft. The two reported vulnerabilities are also marked ‘wormable’ like the ‘BlueKeep’ vulnerability (CVE-2019-0708), meaning that any future malware could propagate from one vulnerable server to another vulnerable without user interaction by exploiting these.
As per Microsoft, they discovered these vulnerabilities during the hardening of Remote Desktop Services as part of their continual security strengthening process and that there is no evidence of these vulnerabilities being known to any third party as of now.
The affected versions of Windows reported by Microsoft are Windows 7 SP1, Windows Server 2008 R2 SP1, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, and all supported versions of Windows 10, including server versions.
A remote code execution vulnerability subsists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker gets connected to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and needs no user interaction. An attacker who successfully utilize this vulnerability could accomplish arbitrary code on the target system. An attacker can then install programs; view, change, or delete data; or create new accounts with complete user rights.
To exploit this vulnerability, an attacker is required to send a specially crafted request to the target systems Remote Desktop Service via RDP.
The update addresses the vulnerabilities by improving how Remote Desktop Services handles connection requests.
The security updates issued by Microsoft On August 13, 2019, contains the patch to these vulnerabilities. The update address the flaws by “correcting how Remote Desktop Services handles connection requests.”
As these are wormable vulnerabilities posing high risks, we recommend patching the affected systems as soon as possible. Please do check the updates available for your windows servers and apply the security updates specifically post analyzing their impact on your setup as quickly as possible. You can also download patches specific to your Windows Server OS from Microsoft Security Update Guide.
Patches have already been automatically applied for customers with automatic updates enabled on their Windows Servers.
The customers who cannot immediately patch their systems can opt for partial mitigation measure by enabling Network Level Authentication (NLA). With NLA let an attacker has to authenticate to Remote Desktop Services with a valid account on to the vulnerable server before the attacker could exploit the vulnerability. Hence unauthenticated attackers are blocked from using this vulnerability. However, affected systems will remain vulnerable to Remote Code Execution (RCE) exploitation as an attacker with valid credentials can successfully authenticate and exploit the vulnerability.
E2E Networks always encourages its customers to pursue the best practices of security to keep their systems updated, protected and patched against recognized vulnerabilities.
Official security advisories
If you have any queries regarding the patching/updates on E2E Networks infrastructure, please write in the comments below.