RDP Vulnerabilities
Microsoft’s Security Response Center announced a vulnerability affecting Windows Server versions 2008 R2, 2008, and 2003. Windows 7 and XP are also affected.
Summary
On Tuesday, May 14th, 2019, Microsoft’s Security Response Center released a statement along with a patch for a critical Remote Code Execution vulnerability in Remote Desktop Services. The vulnerability affects Windows Server versions 2008 R2, 2008, and 2003. Windows 7 and XP are also affected.
If exploited, an attacker can execute code on a vulnerable system before authentication occurs, allowing them to fully compromise the system. Public-facing Remote Desktop servers pose the largest initial risk to organizations, though all other vulnerable systems still pose a significant risk. Certain mitigations can be put in place to force an attacker to have valid credentials to the vulnerable system to exploit it. The only way to prevent exploitation is by installing the patch provided by Microsoft.
Details
Microsoft has not provided specific details on the vulnerability, and proof-of-concept (PoC) code is not yet publicly available. This will most likely not be the case for long. Once an exploit is widely available, this vulnerability has the potential to be ‘wormable’, as it can be exploited without credentials of any kind. Prevention of widespread exploitation relies on the immediate patching of vulnerable systems.
It should be noted that Microsoft support for the affected versions of Windows (Server 2008, 2008 R2 and 7) ends on January 14, 2020. A plan should be in place to upgrade systems running these versions before that date.
What Can You Do?
The ATS Network Operation Center (NOC) began deploying the patch for this vulnerability to all Managed Services clients outside of the regular patch cycle, due to the critical nature of the vulnerability. All affected operating systems are in the process of installing the patch; no further action is required.
Clients that are not under a Managed Services contract should install the patch immediately. Alternatively, there are a few mitigation and workaround options that Microsoft suggests:
1. Disable Remote Desktop Services if not required
2. Where RDP is required, place it behind a corporate VPN
3. Enable Network Level Authentication for all Remote Desktop systems (This is a highly suggested step regardless of this vulnerability)
4. Block the Microsoft RDP port (TCP 3389) at the perimeter firewall
These mitigations reduce the risk posed by this vulnerability by forcing an attacker to have credentials to the vulnerable system. The only way to prevent exploitation is by installing the patch.
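The following PowerShell script is an added example, not part of the ATS advisory and not an ATS or Microsoft tool. It audits a Windows 7 / Server 2008 R2 era host for the three facts the mitigations above turn on (is Remote Desktop enabled, is Network Level Authentication on, is the fix installed) and offers functions that apply mitigations 1, 3 and 4 on the host itself. The registry keys (`fDenyTSConnections`, `UserAuthentication`) and the `netsh advfirewall` syntax are standard Windows; the KB number is a placeholder because the advisory does not list one, and the host-firewall rule is an extra layer on the host, not a substitute for the perimeter block the advisory calls for. Run it from an elevated PowerShell prompt.

```powershell
# Added example: audit and mitigate RDP exposure on a single Windows host.
# Not from the original advisory. Assumptions: run as Administrator on
# Windows 7 / Server 2008 R2 or later; $PatchKb is a placeholder to replace
# with the KB for your OS from Microsoft's bulletin.

$TsRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpTcp  = "$TsRoot\WinStations\RDP-Tcp"
$PatchKb = 'KBXXXXXXX'   # placeholder: the advisory does not list a KB number

function Get-RdpExposureReport {
    # fDenyTSConnections = 1 means Remote Desktop is disabled (mitigation 1).
    $deny = (Get-ItemProperty -Path $TsRoot -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    # UserAuthentication = 1 means Network Level Authentication is required (mitigation 3).
    $nla  = (Get-ItemProperty -Path $RdpTcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    # Get-HotFix returns nothing if the KB is absent; SilentlyContinue hides the error.
    $patched = [bool](Get-HotFix -Id $PatchKb -ErrorAction SilentlyContinue)
    # Is anything actually listening on TCP 3389 right now? (netstat works on every supported version.)
    $listening = [bool](netstat -ano | Select-String -Pattern ':3389\s+.*LISTENING')

    $report = [PSCustomObject]@{
        ComputerName        = $env:COMPUTERNAME
        RemoteDesktopEnabled = ($deny -ne 1)
        NlaRequired          = ($nla -eq 1)
        ListeningOn3389      = $listening
        PatchInstalled       = $patched
    }

    # Spell out the advisory's risk logic: only the patch removes the vulnerability;
    # NLA merely forces an attacker to hold valid credentials first.
    if ($report.PatchInstalled) {
        $report | Add-Member -NotePropertyName Assessment -NotePropertyValue 'Patched'
    } elseif (-not $report.RemoteDesktopEnabled -and -not $report.ListeningOn3389) {
        $report | Add-Member -NotePropertyName Assessment -NotePropertyValue 'Unpatched, but RDP disabled - patch anyway'
    } elseif ($report.NlaRequired) {
        $report | Add-Member -NotePropertyName Assessment -NotePropertyValue 'Unpatched, NLA on - attacker needs credentials; patch immediately'
    } else {
        $report | Add-Member -NotePropertyName Assessment -NotePropertyValue 'UNPATCHED AND EXPOSED PRE-AUTH - patch immediately'
    }
    return $report
}

function Enable-RdpNla {
    # Mitigation 3: require Network Level Authentication on the RDP-Tcp listener.
    Set-ItemProperty -Path $RdpTcp -Name UserAuthentication -Value 1 -Type DWord
    Write-Host 'Network Level Authentication enabled for RDP-Tcp.'
}

function Block-RdpInboundOnHost {
    # Mitigation 4, applied on the host firewall as an additional layer. The
    # advisory's control is a block at the perimeter; do both where RDP is unused.
    netsh advfirewall firewall add rule name="Block inbound RDP (TCP 3389)" dir=in action=block protocol=TCP localport=3389 | Out-Null
    Write-Host 'Host firewall rule added blocking inbound TCP 3389.'
}

function Disable-RemoteDesktop {
    # Mitigation 1: stop accepting Remote Desktop connections at all.
    Set-ItemProperty -Path $TsRoot -Name fDenyTSConnections -Value 1 -Type DWord
    Write-Host 'Remote Desktop connections disabled.'
}

# Usage: audit first, then apply only the mitigations appropriate for this host.
$r = Get-RdpExposureReport
$r | Format-List
if (-not $r.PatchInstalled -and $r.RemoteDesktopEnabled -and -not $r.NlaRequired) {
    Enable-RdpNla
}
```

The report deliberately ranks "patched" above every mitigation, matching the advisory's point that NLA and firewalling only raise the bar to credentialed access. Running `Get-RdpExposureReport` across a fleet with `Invoke-Command` gives a quick list of hosts still exposed pre-authentication, which is the population to patch first.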
For more information or assistance in assuring your systems are not vulnerable, please contact your ATS Client Manager or the helpdesk at 703-876-2653 or [email protected].