Microsoft has released updates to fix a critical remote code execution (RCE) vulnerability that affects Remote Desktop Services in some versions of Windows.
To exploit the vulnerability, an attacker would connect to a device using Remote Desktop Protocol (RDP) and send specially crafted requests. This vulnerability could be exploited by a worm, as no authentication or user interaction is required.
An attacker who successfully exploited this vulnerability could execute arbitrary code on the affected system; view, change, or delete data; or create new accounts with full user rights.
The Remote Desktop Protocol (RDP) itself is not vulnerable. This vulnerability is pre-authentication and requires no user interaction.
Although Microsoft said it has observed no exploitation of this vulnerability, it is highly likely that malicious actors will write an exploit for it and incorporate it into their malware.
- Microsoft Windows – Versions XP to 7
- Microsoft Windows Server – Versions 2003 to 2008 R2
Customers running Windows 8 and Windows 10 are not affected by this vulnerability.
Users and administrators are encouraged to review the following Microsoft update advisories and apply the necessary updates. The updates address the vulnerability by correcting how Remote Desktop Services handles connection requests:
- Microsoft Security Advisory CVE-2019-0708
- Microsoft Support Article KB4500705
- Microsoft Security Response Center blog published 14/05/2019
Microsoft has provided advice for administrators on alternative mitigation and workarounds. Microsoft recommends that updates are still installed as soon as possible even if any of these steps are taken:
- Disabling Remote Desktop Services mitigates this vulnerability.
- Enabling Network Level Authentication (NLA) on systems running supported editions of Windows 7, Windows Server 2008, and Windows Server 2008 R2 stops unauthenticated attackers from exploiting this vulnerability. If an attacker can authenticate to Remote Desktop Services then an exploit is still possible.
- If RDP is not used, then blocking TCP port 3389 at the perimeter firewall can prevent attacks that originate outside the enterprise perimeter. Systems could still be vulnerable to attacks from within the perimeter.
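As an added example that is not part of the advisory, the following PowerShell audits a single Windows 7 / Server 2008 R2 host against the three workarounds above and can switch NLA on with -Remediate. It assumes an elevated PowerShell 2.0 or later session, the root\cimv2\TerminalServices WMI namespace (Vista/2008 and later) and the default inbound firewall rule name "Remote Desktop (TCP-In)"; the function and output property names are my own.

```powershell
# Added example, not from the advisory: audit this host against the CVE-2019-0708 workarounds
# (RDS disabled? NLA required? host firewall RDP rule enabled?). Run elevated.
function Test-Cve20190708Exposure {
    param([switch]$Remediate)   # -Remediate switches NLA on where RDS is enabled and NLA is off

    $tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

    # Affected per the advisory: XP (5.1) through 7 / 2008 R2 (6.1); Windows 8 (6.2) and later are not.
    $osVersion  = [version](Get-WmiObject Win32_OperatingSystem).Version
    $affectedOs = $osVersion -lt [version]'6.2'

    # Workaround 1: Remote Desktop Services disabled (fDenyTSConnections = 1)?
    $rdsDisabled = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections -eq 1

    # Workaround 2: Network Level Authentication required on the RDP-Tcp listener?
    $listener = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
        -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    $nlaRequired = [bool]$listener.UserAuthenticationRequired

    if ($Remediate -and -not $rdsDisabled -and -not $nlaRequired) {
        # SetUserAuthenticationRequired(1) is the WMI method that turns NLA on for the listener
        $null = $listener.SetUserAuthenticationRequired(1)
        $nlaRequired = $true
    }

    # Workaround 3 (host side): is the inbound RDP firewall rule enabled? (assumed default rule name)
    $rule = netsh advfirewall firewall show rule name="Remote Desktop (TCP-In)" | Out-String
    $fwAllowsRdp = $rule -match 'Enabled:\s+Yes'

    # Pre-auth exposure = affected OS, RDS still listening, and NLA not required.
    New-Object PSObject -Property @{
        ComputerName      = $env:COMPUTERNAME
        OSVersion         = $osVersion.ToString()
        AffectedOS        = $affectedOs
        RDSDisabled       = $rdsDisabled
        NLARequired       = $nlaRequired
        FirewallAllowsRdp = $fwAllowsRdp
        PreAuthExposed    = $affectedOs -and -not $rdsDisabled -and -not $nlaRequired
    }
}

Test-Cve20190708Exposure | Format-List
```

NLA only closes the unauthenticated path; hosts reporting AffectedOS = True still need the update from the advisories listed above.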