[IS&T Security-FYI] Critical Remote Code Execution Vulnerability in Windows Remote Desktop Services

Jessica Murray jlmurray at mit.edu
Fri May 17 12:50:09 EDT 2019


Hello IT Partners, SecuritySIG, and IST-Security-FYI,

This week Microsoft released fixes for a critical Remote Code Execution vulnerability, CVE-2019-0708<https://krebsonsecurity.com/2019/05/microsoft-patches-wormable-flaw-in-windows-xp-7-and-windows-2003/> [1], in Remote Desktop Services (RDS) that affects some older versions of Windows. This vulnerability is pre-authentication and requires no user interaction, meaning that exploits could propagate<https://blogs.technet.microsoft.com/msrc/2019/05/14/prevent-a-worm-by-updating-remote-desktop-services-cve-2019-0708/> [2] from vulnerable computer to vulnerable computer in a way similar to the spread of the WannaCry malware across the globe in 2017.

Vulnerable in-support systems:

Windows 7
Windows Server 2008 R2
Windows Server 2008

Vulnerable out-of-support systems:

Windows 2003
Windows XP

Recommendations:

Please verify that your systems have the appropriate patch installed (it may require a reboot) and communicate the severity of this vulnerability within your DLCs.

The patch has been released to IS&T’s WAUS service<https://ist.mit.edu/waus> [3], and IS&T-managed devices are being patched. In-support versions of Windows with automatic updates enabled are automatically protected. For all other computers, downloads for in-support versions of Windows can be found in the Microsoft Security Update Guide<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708> [4].

If you are on an out-of-support version, the best way to address this vulnerability is to upgrade to the latest version of Windows<https://ist.mit.edu/windows> [5]. Microsoft has also released fixes for these out-of-support versions of Windows in KB4500705<https://support.microsoft.com/en-us/help/4500705/customer-guidance-for-cve-2019-0708> [6].

Windows 8, Windows 10 and later versions are not affected by this vulnerability. Please note that the Windows 7 and Windows Server 2008 end-of-support date is January 14, 2020. After that date Microsoft will no longer provide regular security updates.

Wherever possible, restrict remote access to trusted IPs (the MIT VPN ranges are 18.100.0.0/16 and 18.101.0.0/16).

Workarounds:

If affected systems are not capable of being upgraded or patched at this time, then one of the following should be done:

    - Disable Remote Desktop Services on the system.
    - If RDS needs to remain enabled, ensure that firewall rules allow access only from trusted hosts (including those internal to the network) to the RDS port.
    - Remove the system from the network.

Enabling Network Level Authentication (NLA) will prevent unauthenticated attacks, but the system will still be vulnerable to attackers with valid credentials. Microsoft strongly advises that all affected systems be updated as soon as possible, whether or not NLA is enabled.
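The following script is an added example and is not part of the IS&T advisory; it audits a single Windows host for the three things the recommendations and workarounds above turn on (patch installed, RDS enabled, NLA required) and can optionally apply the "trusted hosts only" firewall workaround. It is written for Windows PowerShell 2.0, the version shipped with Windows 7 and Server 2008 R2, so it uses netsh advfirewall rather than the NetSecurity cmdlets those systems lack. The parameter names are assumptions for this example, the trusted ranges default to the MIT VPN ranges quoted above, and only KB4500705 (the out-of-support package named in the advisory) is a known hotfix ID; the in-support patch KB for your build is a placeholder to fill in from the Microsoft Security Update Guide.

```powershell
<#
  Added example (not from the IS&T advisory): audit one host for the
  CVE-2019-0708 mitigations the advisory recommends and, with
  -ApplyFirewallScope, restrict inbound RDP to trusted source ranges.
  Targets Windows PowerShell 2.0 (Windows 7 / Server 2008 R2), so no
  PS 3.0+ syntax and no NetSecurity module; firewall changes use netsh.
  Parameter names and the KB placeholder are assumptions for this example.
#>
param(
    # Hotfix IDs to look for. KB4500705 is the out-of-support package from the
    # advisory; replace the placeholder with the KB for your in-support build.
    [string[]]$PatchKBs = @('KB4500705', 'KB<in-support-patch-from-MSRC-guide>'),
    # Trusted source ranges; defaults are the MIT VPN ranges from the advisory.
    [string[]]$TrustedRanges = @('18.100.0.0/16', '18.101.0.0/16'),
    # Firewall rules are only changed when this switch is given (run elevated).
    [switch]$ApplyFirewallScope
)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

# 1. Is any listed patch installed? Get-HotFix errors on an unknown ID, so
#    suppress that and treat "no object returned" as "not installed".
$installed = @()
foreach ($kb in $PatchKBs) {
    if (Get-HotFix -Id $kb -ErrorAction SilentlyContinue) { $installed += $kb }
}

# 2. Is Remote Desktop enabled? fDenyTSConnections = 1 means RDS is off.
$rdpEnabled = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections -eq 0

# 3. Is NLA required? UserAuthentication = 1 means only authenticated clients
#    reach RDS; per the advisory this reduces exposure but is not a fix.
$nlaRequired = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication).UserAuthentication -eq 1

# 4. Which port does RDS listen on? Usually 3389, but it can be changed.
$rdpPort = (Get-ItemProperty -Path $rdpKey -Name PortNumber).PortNumber

$report = New-Object PSObject -Property @{
    ComputerName   = $env:COMPUTERNAME
    PatchInstalled = ($installed.Count -gt 0)
    PatchesFound   = ($installed -join ',')
    RdpEnabled     = $rdpEnabled
    NlaRequired    = $nlaRequired
    RdpPort        = $rdpPort
}
$report | Format-List

# An unpatched host with RDS reachable is exactly the case the advisory covers.
if (-not $report.PatchInstalled -and $rdpEnabled) {
    Write-Warning "Unpatched host with RDS enabled: patch, disable RDS, or scope the firewall to trusted hosts."
}

# 5. Optional workaround: keep RDS on but accept inbound RDP only from the
#    trusted ranges. Block rules take precedence over allow rules in Windows
#    Firewall, so rather than adding a block rule we disable the built-in
#    broad "Remote Desktop" allow rules, add one allow rule scoped by remoteip,
#    and make sure the default inbound action is block.
if ($ApplyFirewallScope) {
    $ranges = $TrustedRanges -join ','
    netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound | Out-Null
    netsh advfirewall firewall set rule group="Remote Desktop" new enable=no | Out-Null
    netsh advfirewall firewall add rule name="RDP from trusted ranges only" `
        dir=in action=allow protocol=TCP localport=$rdpPort remoteip=$ranges | Out-Null
    Write-Output "Inbound TCP/$rdpPort now allowed only from: $ranges"
}
```

Run it without switches first to get the report; the firewall change is deliberately opt-in because it disables the stock Remote Desktop rules, and if the host is reached over RDP from an address outside the trusted ranges, that session will be cut off.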

For assistance, please contact the IS&T Service Desk<http://ist.mit.edu/help> [7] at 617-253-1101 or servicedesk at mit.edu<mailto:servicedesk at mit.edu>.

Best,
Jessica

--
Jessica Murray
Information Security Officer
Information Systems & Technology
Massachusetts Institute of Technology
jlmurray at mit.edu<mailto:jlmurray at mit.edu>
security at mit.edu<mailto:security at mit.edu> | http://ist.mit.edu/secure


[1] https://krebsonsecurity.com/2019/05/microsoft-patches-wormable-flaw-in-windows-xp-7-and-windows-2003/
[2] https://blogs.technet.microsoft.com/msrc/2019/05/14/prevent-a-worm-by-updating-remote-desktop-services-cve-2019-0708/
[3] https://ist.mit.edu/waus
[4] https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708
[5] https://ist.mit.edu/windows
[6] https://support.microsoft.com/en-us/help/4500705/customer-guidance-for-cve-2019-0708
[7] http://ist.mit.edu/help
