Microsoft has issued a patch for a vulnerability in its Remote Desktop Services that can be exploited remotely, via RDP, without authentication and used to run arbitrary code:
A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
It doesn’t get much worse than that.
Fixes are included in for versions of Windows 7 and Windows 2008 (see the advisory for the full list) as part of Microsoft’s most recent Patch Tuesday. Patches have also been made available for versions of Windows XP and Windows 2003 (see the customer guidance for the full list). For all the details about this month’s patch Tuesday, including some other critical fixes, read the SophosLabs analysis of May’s Patch Tuesday.
The flaw is considered ‘wormable’, meaning that it has the potential to be used in malware that spreads by itself across and between networks.
Millions of computer networks around the world have RDP exposed to the outside world so that they can be managed not only via their local network but also across the internet. Sometimes, that external access was enabled on purpose; sometimes the exposure is an unwanted mistake – but in either case, a network where RDP can be reached from the outside is a potential gateway for an automated attack to reach a new victim.
Given the number of targets, and the potential for an explosive, exponential spread, we suggest you treat it as a matter of when, not if, the patch is reverse engineered and an exploit created, so you should update immediately. For more guidance, check out this article’s What to do? section.
The fact that Microsoft has taken the exceptional step of issuing patches for Windows XP and Windows 2003, is instructive.
Given the potential impact to customers and their businesses, we made the decision to make security updates available for platforms that are no longer in mainstream support … We recommend that customers running one of these operating systems download and install the update as soon as possible.
In the five years since the end-of-life date for Windows XP and 2003, Microsoft has issued countless patches for critical issues in its family of operating systems that it didn’t back-port to its retired products. It’s only broken that support embargo on four occasions, including this one, most notably during the WannaCry outbreak of 2017.
WannaCry was a ransomware worm that spread around the world in a day by exploiting a flaw in version one of Microsoft’s SMB software. The worm had no trouble finding hundreds of thousands of Windows systems to infect despite the age of the software and a patch having been issued the previous month.
As if to demonstrate our continued, collective failure to learn the lesson about the importance of patching, WannaCry was followed a little over a month later by NotPetya, another global ransomware outbreak using the same exploit.
What to do
Whatever else you do, patch.
If, for some reason, you can’t patch immediately, Microsoft offers the following mitigations and workarounds:
- Enable Network Level Authentication (NLA). This forces a user to authenticate before RDP is exposed to the attacker. Not all affected systems support NLA.
- Turn off RDP. If RDP isn’t running, the vulnerability can’t be exploited. As obvious as this seems, some organisations are unable to work without RDP, and some are running it without realising it.
- Block TCP port 3389. Blocking port 3389 (and any other ports you’ve assigned to RDP) at the perimeter will prevent an attack from entering your network and stop it traversing between network segments.
For more on using your Firewall to blunt CVE-2019-0708, read BlueKeep: firewall best practices, on our sister site, Sophos News.
(Watch directly on YouTube if the video won’t play here.)
sweetlilycake
Guess I wasn’t paranoid for no reason after all. Disabled RDP a while ago since I figured it could probably be exploited at some point, and here we are.
Paul Ducklin
Don’t need it? Don’t have it at all… smart move. Less is more, etc.
Bryan
I often lambast Microsoft (and usually admit I’ve jaded to the point of MS bigot). However I can be reasonably unbiased and wonder why RDP is ever allowed unprotected via Internet.
Yes, we’ve found gaping holes in other services/daemons, notably like libssh last year;
https://nakedsecurity.sophos.com/2018/10/17/serious-ssh-bug-lets-crooks-log-in-just-by-asking-nicely/
Yet Microsoft’s attack surfaces time and again seem overly stretched thin and ripe for the picking, with new, potentially devastating vulns appearing far more frequently than in pretty much anything other than Flash.
Unprotected RDP flabbergasted me 20 years ago. Inside a VPN, sure. You gotta admin those Windows servers somehow.
Steve Edwards
“connected to the internet via RDP,“ what is meant by this statement? In my limited time in IT, I don’t understand how to connect my PC to the internet using RDP. I know of PC’s that are connected to a network, which is then connected to the Internet, AND are running RDP…but am unfamiliar with how a PC would use RDP to connect to the Internet
Paul Ducklin
I reworded it to make the meaning a bit clearer – we meant “connected to the internet in a way that makes RDP visible to the outside world”.
In other words, we meant “hooked up so that other people can connect to you via RDP,” rather than “hooked up so you can connect to the internet via RDP.”
Rey M
RDP is used to connect to other computers and/or servers. Not to go online.
David
What about Vista users? That was in support more recently than XP but seemingly not mentioned.
Mark Stockley
Yes, it’s conspicuous by its absence and I’ve not been able to confirm if it’s affected.
Although it doesn’t get a patch, it’s NOT on the list of operating systems that Microsoft says are unaffected. Perhaps it simply doesn’t have enough users to get a patch.
In the absence of clearer information I recommend you proceed under the assumption that it is affected and turn off RDP altogether. It’s also worth noting that while Vista was supported more recently than XP it’s still two years out of support and exposing it to the internet is a serious on-going risk even if this bug didn’t exist.
Anonymous
What about W10??
Mark Stockley
Windows 10 is not affected.
Louis
I shouldn’t think this will affect users who use an RDP gateway ie RDP over SSL as RDP (TCP 3389) isn’t exposed to the internet and only SSL (TCP 443) is exposed. The RDP gateway proxies the traffic
Mark Stockley
Correct. In that case it’s SSH that’s exposed to the internet and not RDP. Ditto for RDP via a VPN. Although that protects you from the outside world, it won”t protect you from attacks that start inside a network, triggered by email attachments, downloads etc.
1000 Tips
Releasing patches for Windows XP proves once again that Windows XP refuses to die, which is still widely used and will be for a long time.
William M. Hawkins
Have XP SP3. Got the update file for KB4500331 and executed it. Got no indication of success. The install log is full of error messages. I’ve no desire to be a worm hole. How can I tell if the patch worked?
Mark Stockley
Hi, sorry to hear you’re having problems. If you’ve got issues with the patch you’ll need to take it up with Microsoft support.
Anonymous
What about the Windows Server 2016 data center ?
mark@brislane.com
Given that this only affects RDS/TS – does it affect where only RDP is enabled?
Paul Ducklin
To trigger the bug you need to have RDP enabled – if there’s no RDP service listening, there’s no open TCP port for attackers to poke their sticks into to trigger the bug.
Bob Stromberg
Please provide a quick description of how a computer owner can check if RDP is enabled.
Also, I believe that Windows Home (all versions) is not affected. Is this true?
Anonymous
No issues reported from Microsoft. You can check
https://support.microsoft.com/en-gb/help/4500705/customer-guidance-for-cve-2019-0708