Windows Rdp Patch

Microsoft has fixed a critical vulnerability in some versions of Windows that can be exploited to create a powerful worm. The company even took the unusual step of releasing patches for Windows XP and Windows Server 2003, which haven't been supported in years, because it believes the threat to be very high.

Today Microsoft released fixes for a critical Remote Code Execution vulnerability, CVE-2019-0708, in Remote Desktop Services – formerly known as Terminal Services – that affects some older versions of Windows. The Remote Desktop Protocol (RDP) itself is not vulnerable. Separately, Microsoft released patches for four critical RCE vulnerabilities in the built-in Windows Remote Desktop Client that could enable a malicious RDP server to compromise a connecting client's computer, reversing the usual direction of attack, much as researchers demonstrated against third-party RDP clients earlier this year.

The vulnerability, tracked as CVE-2019-0708, is located in Remote Desktop Services, formerly known as Terminal Services. This component handles connections over the Remote Desktop Protocol (RDP), a widely used protocol for remotely managing Windows systems on corporate networks.

What makes the vulnerability so dangerous is that it can be exploited remotely with no authentication or user interaction by simply sending a maliciously crafted RDP request to a vulnerable system. A successful attack can result in malicious code being executed on the system with full user rights, giving attackers the ability to install programs, modify or delete user data and even to create new accounts.

'In other words, the vulnerability is "wormable", meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017,' Simon Pope, director of Incident Response at the Microsoft Security Response Center, said in a blog post. 'While we have observed no exploitation of this vulnerability, it is highly likely that malicious actors will write an exploit for this vulnerability and incorporate it into their malware.'

WannaCry did not exploit a vulnerability in RDP, but in Microsoft's implementation of SMB, a file sharing and authentication protocol that's used on all Windows networks and is enabled by default. While the attacks are different, Pope's analogy to WannaCry is based on the ease of exploitation -- remotely with no authentication -- and the popularity of both protocols.

RDP has been a popular infection vector for malware threats in the past, particularly for ransomware, cryptominers and point-of-sale memory scrapers. Attackers typically steal or brute-force RDP credentials in order to gain access to systems.

Earlier this year, the FBI shut down an underground marketplace called xDedic that was used to sell RDP access to tens of thousands of compromised servers over the course of several years. The prices ranged from $6 to $10,000, based on a server's geographic location, operating system and other criteria. This new RDP vulnerability would provide attackers with such access for free to an even larger number of servers and systems.

Legacy Windows systems at risk

The vulnerability affects Remote Desktop Services in Windows 7, Windows Server 2008 R2 and Windows Server 2008, as well as in legacy Windows versions that have reached end of life. In addition to supported Windows versions, Microsoft decided to release security updates for Windows XP, Windows XP Embedded and Windows Server 2003, probably because these Windows versions are still widely used in legacy environments and on specialized equipment like ATMs, medical devices, self-service kiosks, point-of-sale terminals and more.

It's worth noting that the destructive WannaCry and NotPetya ransomware worms both exploited known vulnerabilities that had patches available when they hit, yet the attacks still disrupted normal operations in hospitals, production plants, ports, railways and many businesses around the world. That's because many legacy systems and devices are used to run critical processes, so even when patches are available, their owners might not apply them for a very long time because they can't afford the downtime.

In the absence of immediate patching, the owners of such systems should take a more defense-in-depth approach by putting these devices on isolated network segments, disabling services that are not needed and using secure VPN solutions to access them remotely.

'Disable Remote Desktop Services if they are not required,' Microsoft said in its advisory. 'If you no longer need these services on your system, consider disabling them as a security best practice. Disabling unused and unneeded services helps reduce your exposure to security vulnerabilities.'

Microsoft also suggests two workarounds for blocking attacks that might target this RDP vulnerability: enabling Network Level Authentication (NLA) on systems running supported editions of Windows 7, Windows Server 2008 and Windows Server 2008 R2, so that a client must authenticate before a session is created; and blocking TCP port 3389 at the enterprise perimeter firewall to prevent attacks that originate from the internet.
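As an added example that is not part of the article or of Microsoft's advisory, the PowerShell below audits the host-side state behind those workarounds (is Remote Desktop enabled, is NLA required, which port it listens on) and can switch NLA on; it assumes an elevated shell on Windows 7 / Server 2008 (R2) and uses the standard Terminal Server registry keys.

```powershell
# Added example (not from the article or Microsoft). Audits the NLA / RDP
# state on the local host and flags unauthenticated RDP exposure.
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$tsKey\WinStations\RDP-Tcp"

function Get-RdpMitigationStatus {
    # fDenyTSConnections = 1 means Remote Desktop is switched off entirely.
    $deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections `
             -ErrorAction SilentlyContinue).fDenyTSConnections
    # UserAuthentication = 1 means NLA is required: the client must
    # authenticate before a session is created, which is why Microsoft
    # lists NLA as a workaround for unauthenticated attacks.
    $nla  = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication `
             -ErrorAction SilentlyContinue).UserAuthentication
    # PortNumber defaults to 3389. A changed port is not a mitigation, but
    # it tells you which port the perimeter firewall block must cover.
    $port = (Get-ItemProperty -Path $rdpTcp -Name PortNumber `
             -ErrorAction SilentlyContinue).PortNumber
    if (-not $port) { $port = 3389 }

    # New-Object is used instead of [pscustomobject] so this also runs on
    # the PowerShell 2.0 that ships with Windows 7 / Server 2008 R2.
    New-Object PSObject -Property @{
        ComputerName = $env:COMPUTERNAME
        RdpEnabled   = ($deny -ne 1)
        NlaRequired  = ($nla -eq 1)
        ListenPort   = $port
        # Exposed: RDP reachable without any authentication at all.
        Exposed      = (($deny -ne 1) -and ($nla -ne 1))
    }
}

function Enable-RdpNla {
    # Same effect as ticking "Allow connections only from computers running
    # Remote Desktop with Network Level Authentication" in System Properties.
    Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1 -Type DWord
}

$status = Get-RdpMitigationStatus
$status | Format-List ComputerName, RdpEnabled, NlaRequired, ListenPort, Exposed
if ($status.Exposed) {
    Write-Warning 'RDP is enabled without NLA: run Enable-RdpNla or disable RDP until the CVE-2019-0708 update is installed.'
}
```

Enabling NLA reduces the unauthenticated, wormable exposure only; a system stays vulnerable to an attacker who already holds valid credentials until it is patched.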

Microsoft's Patch Tuesday updates for March deliver fixes for 75 security bugs, including patches for 15 critical flaws and a serious vulnerability that exposes sysadmins to credential theft.

In addition to new updates to mitigate Meltdown and Spectre, Microsoft has released fixes for 15 critical flaws affecting the scripting engine in Internet Explorer 11 and its JavaScript engine ChakraCore in Microsoft Edge. There are also 61 important fixes for Windows, Office, and ASP.NET Core.

An important-rated bug that has caught the attention of several security firms is CVE-2018-0886, a remote code execution flaw that affects CredSSP (the Credential Security Support Provider protocol).

CredSSP is used in Microsoft's widely used Remote Desktop Protocol (RDP) and Windows Remote Management (WinRM) to relay user credentials from a client to an application's server.

Microsoft says: 'CredSSP is an authentication provider which processes authentication requests for other applications; any application which depends on CredSSP for authentication may be vulnerable to this type of attack.'

It is rated only as important because it can be exploited solely in tandem with a man-in-the-middle attack. From that position, however, the attacker could steal session authentication from a user with local administrative privileges and then run unauthorized commands on a target server with the same privileges.

Preempt, the security firm that reported it, has a write-up of several issues behind the bug in a more detailed technical report.

According to Preempt, this bug is not an attacker's entry point, but rather a technique for lateral movement and privilege escalation once they have either gained physical access to the target's Wi-Fi network or exploited a remote code execution flaw in a firm's routers, such as Cisco's severe ASA VPN bug, which was patched through January and February.

'The attacker will set up the man-in-the-middle, wait for a CredSSP session to occur, and once it does, will steal session authentication and perform a Remote Procedure Call (DCE/RPC) attack on the server that the user originally connected to (e.g., the server the user connected to with RDP),' explains Preempt researcher Yaron Zinar.

'An attacker [who has] stolen a session from a user with sufficient privileges could run different commands with local admin privileges. This is especially critical in the case of domain controllers, where most Remote Procedure Calls (DCE/RPC) are enabled by default.'

If the attacker exploits a vulnerable router, they could infect a router near the server and wait for an IT admin to log in to the server using RDP.

The attacker may also exploit the recent KRACK Wi-Fi key reinstallation vulnerabilities to use this attack against any machine with RDP enabled over Wi-Fi.

Zinar's colleague Eyal Karni notes customers can mitigate the flaw by ensuring the Windows firewall is on, because RPC is not enabled by default for any interface.

However, domain admins are particularly vulnerable to this attack until Microsoft's patch has been installed.

'This is because a rule concerning RPC exists in Domain Controllers that enables any svchosts.exe DCOM interfaces. Furthermore, a quick survey found that RDP is the most common way in which domain admins tend to access the DC. In other words, by exploiting this attack, an attacker is likely to gain full control over the domain,' writes Karni.

Microsoft was informed of the issue in August, but needed an extension well beyond the agreed 90-day disclosure timeframe to deliver a fix, according to Preempt's timeline.

Microsoft has a fix available for every supported version of Windows and Windows Server, but admins will also need to make configuration changes to fully remediate the bug. Microsoft has provided group policy instructions.
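As an added example, not part of the article, Preempt's report or Microsoft's guidance, the PowerShell below reads the policy-backed registry value that Microsoft's CVE-2018-0886 group policy ("Encryption Oracle Remediation") writes and reports which of its three modes a host is in; the key and value names are taken from Microsoft's published fix guidance rather than from this page, and the script assumes an elevated shell on a patched Windows host.

```powershell
# Added example (not from the article, Preempt or Microsoft). Reports the
# CredSSP "Encryption Oracle Remediation" setting behind CVE-2018-0886.
# Key/value names come from Microsoft's fix guidance, not from this page.
$credSspKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'

function Get-CredSspRemediationState {
    $value = (Get-ItemProperty -Path $credSspKey -Name AllowEncryptionOracle `
              -ErrorAction SilentlyContinue).AllowEncryptionOracle
    # Mode meanings follow Microsoft's description of the policy:
    #  0 Force Updated Clients: clients never fall back to the insecure
    #    protocol and services refuse unpatched clients.
    #  1 Mitigated: clients never fall back, but services still accept
    #    unpatched clients.
    #  2 Vulnerable: pre-patch fallback behaviour is allowed.
    $mode = switch ($value) {
        0       { 'Force Updated Clients' }
        1       { 'Mitigated' }
        2       { 'Vulnerable' }
        default { 'Not configured (behaviour depends on installed update level)' }
    }
    New-Object PSObject -Property @{
        ComputerName          = $env:COMPUTERNAME
        AllowEncryptionOracle = $value
        Mode                  = $mode
        # Only an explicit 0 or 1 guarantees a patched client refuses to
        # downgrade, which is what defeats the MitM scenario described above.
        ClientProtected       = ($value -eq 0 -or $value -eq 1)
    }
}

$state = Get-CredSspRemediationState
$state | Format-List ComputerName, AllowEncryptionOracle, Mode, ClientProtected
if (-not $state.ClientProtected) {
    Write-Warning 'CredSSP remediation is not enforced on this host; set the Encryption Oracle Remediation policy after installing the update.'
}
```

Both ends of a CredSSP session (the RDP or WinRM client and the server) need the update plus a non-Vulnerable setting for the fix to take effect.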
