1、Overview
On May 14, 2019, Microsoft released a security patch
for the key remote code execution vulnerability of Remote Desktop
Services (CVE-2019-0708). The affected versions of Windows system are
vulnerable to remote code execution attack when Remote Desktop Services
is enabled. The vulnerability does not require user interaction, that
is, the vulnerability can be exploited to launch a worm attack, similar
to the WannaCry ransomware worm event. Although the exploitation of the
vulnerability has not been discovered at present, it is likely to be
added to malicious code later, just like the MS17-010 (Eternal Blue)
vulnerability. Microsoft released MS17-010 Vulnerability Patch on March
14, 2017, while WannaCry, which exploted the Eternal Blue Vulnerability,
spred on May 12, 2017 .
According to the statistics of relevant data sources,
there are nearly 3 million computers in the global public network have
opened 3389 port at present, that is, Remote Desktop Services (RDP)
without changing ports, and there are a large number of machines open
related port service for the internal network without configuration and
strengthening. Therefore, the vulnerability may cause large-scale worm
spread on the Internet, large-scale infection of botnets, and
large-scale lateral mobile attack capability of the intranet.
2、Vulnerability description
Vulnerability number:CVE-2019-0708
The vulnerability allows an unauthenticated attacker
to connect to a target system using Remote Desktop Services and send a
well-designed request, using its identity pre-authentication, without
the need for user interaction confirmation to agree to receive a
connection defect, to execute on the target system Any code, including
but not limited to the installer, to view, change or delete data within
the target system, or to create a new account with full user rights.
Exploiting this vulnerability requires the following conditions:
1. Remote Desktop Services is enabled on Windows operating system, and update patches are not installed in time;
2. The attacker sends a well-designed request to the target system Remote Desktop Service via RDP.
3、Affected Versions
Affected Windows operating system version:
Windows XP SP3 x86
Windows XP pro x64 version SP2
Windows XP Embedded SP3 x86
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows Server 2003 SP2 x86
Windows Server 2003 x64 version SP2
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for Itanium-Based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Embedded POSReady 2009
Windows Embedded Standard 2009
4、Restore and mitigation advice
1. Install patches for this vulnerability as soon as possible (even if Remote Desktop Services has been disabled)[1]。
2. If you do not need to use Remote Desktop Services, it is recommended to disable the service.
3. Enable Network Level Authentication (NLA) on the
affected version of the system; when NLA is enabled, an attacker would
need to authenticate to Remote Desktop Services using a valid account on
the target system to successfully exploit the vulnerability.
4. Deploy a security policy on the corporate perimeter or border firewall to block TCP port 3389.
5. The combination of Antiy IEP terminal defense
system and Antiy Asset Security Operation and Maintenance System can
fully reduce the exposure surface and form the basic framework for
threatening defense response.
Appendix A:References
[1] CVE-2019-1181 | Remote Desktop Services Remote Code Execution Vulnerability
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1181
[2] CVE-2019-1182 | Remote Desktop Services Remote Code Execution Vulnerability
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1182
