Skip to content

RDP:Remote, ‘Wormable’ Pre-Authentication Windows Vulnerability”

RDP:Remote, 'Wormable' Pre-Authentication Windows Vulnerability"

Microsoft has issued an warning that another ransomware outbreak similar to Wannacry can shut down the internet. There is a critical vulnerability (CVE-2019-0708) in its RDP/Remote Desktop Services that can be exploited remotely, via RDP, without authentication and can be used to run arbitrary code. An attacker could then install programs, view, change, or delete data; or create new accounts with full user rights.

A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs, view, change, or delete data; or create new accounts with full user rights.

To exploit this vulnerability, an attacker would need to send a specially crafted request to the target systems Remote Desktop Service via RDP. The update addresses the vulnerability by correcting how Remote Desktop Services handles connection requests. For more details refer to CVE-2019-0708

Fixes are included in for versions of Windows 7 and Windows 2008 as part of Microsoft’s recent Patch Tuesday. Patches have also been made available for versions of Windows XP and Windows 2003. 

What Should To Do?

Firstly, patch… the importance of patching cannot be emphasised more. In the past ransomware worms like WannaCry & NotPetya spread in a day finding thousands of windows systems by exploiting a flaw in version one of Microsoft’s SMB software. Inspite of the patch being available WannaCry was followed a little over a month later by NotPetya that used the same exploit.

Here are some mitigations & worksrounds:

  • Patch all affected RDP that you know of 
  • Enable Network Level Authentication (NLA). This forces a user to authenticate before RDP is exposed to the attacker. Not all affected systems support NLA.
  • Turn off RDP. If RDP isn’t running, the vulnerability can’t be exploited. As obvious as this seems, some organisations are unable to work without RDP, and some are running it without realising it.
  • Block TCP port 3389. Blocking port 3389 (and any other ports you’ve assigned to RDP) at the perimeter will prevent an attack from entering your network but can’t stop an attack from originating inside your network.

> Check Your RDP Exposure (Free Tool)

(Free Tool) Discover Your RDP Exposure

  • We are happy to release a free tool to run an attack surface discovery SCAN to find your exposed RDP including Shadow IT that your team may not be aware of.
  • FireCompass platform continuously monitors the deep, dark and surface web to automatically map your digital attack surface and it’s risks with zero knowledge
  • Link to: Check Your RDP Exposure (Free Tool)