Alert: Wormable Flaw in Remote Desktop Services Could Result in New WannaCry-Like Outbreak

With exploitation "highly likely," Microsoft is urging Windows users to patch now, and has even issued fixes for out-of-support versions including Windows 2003 and Windows XP.

This month's Patch Tuesday was a doozy. The lineup included a number of vulnerabilities deserving of headliner status, from a flaw in WhatsApp exploited to install spyware to a bug that could allow attackers to bypass the secure boot process on every enterprise Cisco router released since 2013.

Oh, then there's the fresh side-channel attack — called "ZombieLoad" complete with website and logo — affecting almost every computer with an Intel chip dating back to 2011. Like the Meltdown and Spectre bugs that caused such a ruckus in early 2018, ZombieLoad takes advantage of modern processors' reliance on speculative execution to run faster and more efficiently. Successfully exploiting ZombieLand can result in leaking data such as passwords, access tokens, and the websites a user is visiting in real-time.

As with Meltdown and Spectre, however, while the scope of the flaw is huge and the potential impact massive, the actual likelihood of attackers leveraging it in the real world is relatively low, especially compared to another vulnerability disclosed on Tuesday that's getting less press.

While it may not have a catchy name or dedicated website, CVE-2019-0708 — a vulnerability in Microsoft's Remote Desktop Services — is arguably THE top vulnerability in this murderers' row of flaws you should be most worried about.

To be clear, all of these vulnerabilities deserve patching, but if you're looking to prioritize this post will explain why you should start with it first.

? Very important security update for Windows ? CVE-2018-0708 allows remote, unauthenticated code execution is RDP (Remote Desktop). A very bad thing you should patch against. Around 3 million RDP endpoints are directly exposed to internet. https://t.co/EAdg3VNMjw pic.twitter.com/u2V3uyoyVs

— Kevin Beaumont ??‍♀️ (@GossiTheDog) May 14, 2019

What's the vulnerability?

CVE-2019-0708 is a remote code execution (RCE) vulnerability in Remote Desktop Services that allows an unauthenticated attacker to execute arbitrary code on a target system by sending a specially crafted request via RDP.

Why is it dangerous?

RCEs are never good, but the thing that should really set your Spidey sense tingling is the term in bold below.

"This vulnerability is "wormable," meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017."

— Simon Pope, Director of Incident Response, Microsoft Security Response Center

For those with blessedly short memories, the WannaCry ransomware outbreak saw more than 200,000 computers across 150 countries infected with data-encrypting malware, with total damages estimated to be in the billions. The infection cost the UK's National Health Service alone nearly £100m.

WannaCry spread rapidly across systems using an exploit called EternalBlue (purportedly developed by the NSA) that targeted a vulnerability in Microsoft's Server Message Block (SMB) protocol. Like SMB, RDP provides a built-in method of connecting to devices within a network, making it a favorite target for exploitation. Case in point: Included in the same group of leaked exploits along with EternalBlue was an exploit called EsteemAudit, which targeted a flaw in Microsoft's handling of RDP.

In fact, there has been a long history of Microsoft security updates related to Remote Desktop Services and RDP, with more than 24 separate CVEs issued since 2002. Criminals have also routinely taken advantage of systems with RDP exposed to the Internet to conduct brute force attacks and infect victims with ransomware and other malware.

Making sure RDP isn't exposed has become standard security 101, yet millions of systems are doing exactly that. The large number of exposed, vulnerable systems combined with the ease of exploitation and the fact that no user interaction is required make this an absolutely critical vulnerability to patch.

The good news is no real PoC has been made public yet, but some experts estimate a working exploit could be released in a matter of days.

What systems are affected?

• Windows 7 (link to security update)
• Windows Server 2008 and Windows Server 2008 R2 (link to security update)
• Windows XP (link to security update)
• Windows Server 2003 (link to security update)

The good news is newer versions of Windows including Windows 8 and Windows 10 are NOT vulnerable.

Other mitigations

According to Microsoft, enabling Network Level Authentication (NLA) can provide partial mitigation, though it unfortunately won't help if an attacker has obtained valid credentials (via brute force attack, purchasing them on a dark web marketplace, etc.).

While patching is the only sure-fire way to address this vulnerability, it's also a good time to ensure you've taken steps to properly secure RDP throughout your client networks. Here are two great resources that can help:

• Securing Remote Desktop (RDP) for System Administrators (UC Berkeley)
• Establishing a Baseline for Remote Desktop Protocol (Mandiant)

Are you checking all the right boxes to protect your customers from cyber attacks?

Download our 2019 MSP Cybersecurity Checklist here.