Alert Logic® is actively researching a remote code execution (RCE) vulnerability (CVE-2019-0708) discovered in the Remote Desktop Services component of Microsoft Windows. This vulnerability allows an unauthenticated attacker to connect to the target system using Remote Desktop Protocol (RDP) and send specially crafted requests. A successful attack allows the attacker to execute arbitrary code on the target system, allowing them to perform actions such as installing programs, changing data, or creating new accounts with full user rights.
You may be affected if you run any version of Windows prior to Windows 8. Microsoft has released patches for Windows versions back to Windows 2003 and strongly advises applying the patch as soon as possible.
This RCE vulnerability is pre-authentication and requires no user interaction. To exploit this vulnerability, an attacker would need to send a specially crafted request to the target system's Remote Desktop Service via RDP. As a result, a vulnerable system would need to have RDP exposed to the public internet, and a remote attacker would need to be able to establish a connection to this service.
Per Microsoft, “the vulnerability is ‘wormable’, meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017. While we have observed no exploitation of this vulnerability, it is highly likely that malicious actors will write an exploit for this vulnerability and incorporate it into their malware.”
Alert Logic Coverage
Vulnerability Scanning: Alert Logic has developed authenticated vulnerability scan coverage to identify vulnerable assets.
Network IDS: Alert Logic is researching this exploit to determine whether signatures can be released to detect exploitation of this threat.
Web Application: Web application coverage is not applicable for this threat as the vulnerability operates over a protocol that is not inspected.
Log Management: Alert Logic is researching this exploit to determine whether log detection is appropriate for this threat.
Recommendations for Mitigation
Microsoft has released patches for vulnerable versions of Windows. It is strongly advised to apply patches for any vulnerable versions of Windows as soon as possible. More information and downloadable security updates for Windows 7 and Windows 2008 are available in a Security Advisory about CVE-2019-0708 released by Microsoft. Guidance and security updates for Windows XP and Windows 2003 are available in a separate security advisory from Microsoft.
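The following script is added here as an illustration; it is not Alert Logic's scanner, not Microsoft's tooling, and not part of the original advisory. It checks one Windows host against the conditions described above: whether the OS is a version prior to Windows 8, whether Remote Desktop is enabled and its listener is bound, and whether a given Microsoft update is installed. The update ID is a placeholder parameter; take the real value for your OS from Microsoft's advisory. It is written for PowerShell 2.0 so that it runs on Windows 7 and Windows 2008 hosts, which is why it uses Get-WmiObject, netstat and New-Object rather than their newer replacements.

```powershell
# Added example (not Alert Logic's scanner or Microsoft's tooling): local triage of one
# Windows host against the conditions the advisory describes for CVE-2019-0708.
# Assumptions: run from an elevated PowerShell session on the host being checked;
# PowerShell 2.0 compatible so it works on Windows 7 / Server 2008.
# $RequiredKB is a PLACEHOLDER: substitute the update ID Microsoft lists for your OS.
param(
    [string]$RequiredKB = 'KB-PLACEHOLDER-FROM-MS-ADVISORY'
)

# 1. OS version. Windows 8 / Server 2012 report NT 6.2; the advisory scopes the issue
#    to versions prior to Windows 8, so anything below 6.2 is in scope.
$os = Get-WmiObject -Class Win32_OperatingSystem
$osVersion = [version]$os.Version
$inScopeOs = $osVersion -lt [version]'6.2'

# 2. Is Remote Desktop enabled? fDenyTSConnections = 1 means connections are refused.
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tsProps = Get-ItemProperty -Path $tsKey -ErrorAction SilentlyContinue
$rdpEnabled = ($tsProps -ne $null) -and ($tsProps.fDenyTSConnections -ne 1)

# 3. Is the RDP listener actually bound? Read the configured port (default 3389) and
#    look for a LISTENING TCP socket on it. Get-NetTCPConnection does not exist on
#    Windows 7 / 2008, so netstat output is parsed instead.
$rdpTcp = Get-ItemProperty -Path "$tsKey\WinStations\RDP-Tcp" -ErrorAction SilentlyContinue
$rdpPort = 3389
if ($rdpTcp -and $rdpTcp.PortNumber) { $rdpPort = [int]$rdpTcp.PortNumber }
$listenPattern = "^\s*TCP\s+\S+:$rdpPort\s+\S+\s+LISTENING"
$rdpListening = [bool](netstat -ano -p TCP | Select-String -Pattern $listenPattern)

# 4. Is the Microsoft update installed? Compared against the placeholder ID above.
$patchInstalled = [bool](Get-HotFix | Where-Object { $_.HotFixID -eq $RequiredKB })

# 5. Verdict. Whether the listener is reachable from the public internet cannot be
#    judged from the host itself; review firewall and NAT rules separately.
$needsAttention = $inScopeOs -and $rdpEnabled -and $rdpListening -and (-not $patchInstalled)

New-Object PSObject -Property @{
    ComputerName   = $env:COMPUTERNAME
    OSVersion      = $osVersion.ToString()
    InScopeOS      = $inScopeOs
    RDPEnabled     = $rdpEnabled
    RDPListening   = $rdpListening
    RDPPort        = $rdpPort
    PatchInstalled = $patchInstalled
    NeedsAttention = $needsAttention
}
```

Run it as `.\Check-Rdp.ps1 -RequiredKB <id from the Microsoft advisory>`; a result with NeedsAttention set to True is a host that is in scope, accepting RDP, and missing the update, which is the case the advisory asks you to patch first. The script reports only what can be seen from the host, so the "exposed to the public internet" condition still has to be confirmed from your perimeter configuration.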
This section will be updated with new information about this vulnerability and related Alert Logic coverage as it becomes available.
05/15/19: Authenticated vulnerability scan coverage is now available to identify vulnerable assets.