
Prevent a worm by updating Remote Desktop Services (CVE-2019-0708)
https://blogs.technet.microsoft.com/msrc/2019/05/14/prevent-a-worm-by-updating-remote-desktop-services-cve-2019-0708/

MSRC Team, May 14, 2019

Today Microsoft released fixes for a critical Remote Code Execution vulnerability, CVE-2019-0708, in Remote Desktop Services – formerly known as Terminal Services – that affects some older versions of Windows. The Remote Desktop Protocol (RDP) itself is not vulnerable. This vulnerability is pre-authentication and requires no user interaction. In other words, the vulnerability is ‘wormable’, meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017. While we have observed no exploitation of this vulnerability, it is highly likely that malicious actors will write an exploit for this vulnerability and incorporate it into their malware. 

Now that I have your attention, it is important that affected systems are patched as quickly as possible to prevent such a scenario from happening. In response, we are taking the unusual step of providing a security update for all customers to protect Windows platforms, including some out-of-support versions of Windows. 

Vulnerable in-support systems include Windows 7, Windows Server 2008 R2, and Windows Server 2008. Downloads for in-support versions of Windows can be found in the Microsoft Security Update Guide. Customers who use an in-support version of Windows and have automatic updates enabled are automatically protected.  

Out-of-support systems include Windows 2003 and Windows XP. If you are on an out-of-support version, the best way to address this vulnerability is to upgrade to the latest version of Windows. Even so, we are making fixes available for these out-of-support versions of Windows in KB4500705.

Customers running Windows 8 and Windows 10 are not affected by this vulnerability, and it is no coincidence that later versions of Windows are unaffected. Microsoft invests heavily in strengthening the security of its products, often through major architectural improvements that are not possible to backport to earlier versions of Windows.  

There is partial mitigation on affected systems that have Network Level Authentication (NLA) enabled. The affected systems are mitigated against ‘wormable’ malware or advanced malware threats that could exploit the vulnerability, as NLA requires authentication before the vulnerability can be triggered. However, affected systems are still vulnerable to Remote Code Execution (RCE) exploitation if the attacker has valid credentials that can be used to successfully authenticate. 

It is for these reasons that we strongly advise that all affected systems – irrespective of whether NLA is enabled or not – should be updated as soon as possible.  

Resources
Links to downloads for Windows 7, Windows 2008 R2, and Windows 2008
Links to downloads for Windows 2003 and Windows XP  

Simon Pope, Director of Incident Response, Microsoft Security Response Center (MSRC)

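As an added example (not part of the MSRC post or of this thread), the PowerShell below audits a single host for the conditions the advisory describes: whether Remote Desktop or Remote Assistance is switched on, whether NLA is required (the partial mitigation), whether anything is listening on TCP 3389, and whether one of the fixes named in this thread is installed. It assumes an elevated PowerShell on a Windows 7 / Server 2008 era system; the KB list is limited to the numbers that appear in this thread and must be extended for other builds.

```powershell
# Added example, not from the MSRC post or the forum: audit one host for the exposure
# conditions the advisory describes. Run in an elevated PowerShell (works on PowerShell 2.0).
# Assumption: the KB list is taken from this thread (Server 2008 / Vista SP2 and XP / 2003);
# add the KB number for your own Windows build.
$Cve0708Kbs = @('KB4499149', 'KB4499180', 'KB4500705')

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is missing instead of throwing.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Get-BlueKeepExposure {
    $ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcp = "$ts\WinStations\RDP-Tcp"
    $ra  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance'

    # fDenyTSConnections = 1 means Remote Desktop is switched off in System Properties.
    $rdpEnabled = (Get-RegValue $ts 'fDenyTSConnections') -ne 1
    # UserAuthentication = 1 means Network Level Authentication is required before a session
    # is created; the advisory calls this a partial mitigation (valid credentials still allow RCE).
    $nlaRequired = (Get-RegValue $tcp 'UserAuthentication') -eq 1
    # fAllowToGetHelp = 1 means Remote Assistance is allowed (it also uses TCP 3389).
    $remoteAssist = (Get-RegValue $ra 'fAllowToGetHelp') -eq 1
    # Is anything actually listening on 3389? netstat is available on Vista/7,
    # where Get-NetTCPConnection is not.
    $listening = [bool](netstat -ano | Select-String -Pattern ':3389\s+\S+\s+LISTENING')
    # Has one of the listed fixes been installed?
    $installed = Get-HotFix | Where-Object { $Cve0708Kbs -contains $_.HotFixID } |
                 ForEach-Object { $_.HotFixID }
    # Service state via WMI so that StartMode is visible on older PowerShell versions.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='TermService'"

    New-Object PSObject -Property @{
        RemoteDesktopEnabled = $rdpEnabled
        RemoteAssistanceOn   = $remoteAssist
        NlaRequired          = $nlaRequired
        Port3389Listening    = $listening
        TermService          = if ($svc) { "$($svc.State) / $($svc.StartMode)" } else { 'not present' }
        PatchInstalled       = if ($installed) { $installed -join ',' } else { 'none of the listed KBs' }
    }
}

function Test-BlueKeepRisk {
    # Summarises the audit in the order of the advisory's own reasoning.
    $e = Get-BlueKeepExposure
    if ($e.PatchInstalled -ne 'none of the listed KBs') { return 'Patched: a listed fix is installed' }
    if (-not $e.Port3389Listening) { return 'Reduced: nothing listening on TCP 3389, but still apply the update' }
    if ($e.NlaRequired) { return 'Partially mitigated: NLA required; RCE still possible with valid credentials; update' }
    return 'EXPOSED: RDP listening, NLA not required, fix not installed'
}

Get-BlueKeepExposure | Format-List
Test-BlueKeepRisk
```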

Thanks for the info.  I remove, disable, break and cripple every aspect of RDP (and all other non-essential internet protocols for all of my network connections) so my systems remain immune to such attacks, but I'll obviously still be patching nonetheless in case there's anything I missed.


1 hour ago, alQamar said:

Regarding Vista: there are still patches for Server 2008 (6.0) most of them could also be applied out of band on Vista (Client - out of support). Same goes to Server 2012 and Windows 8.0 (Client - out of support)...

Please note that a few Vista SP2 users like Pim, dinosaur, etc. who tried to install the May 2019 Patch Tuesday Windows Server 2008 updates KB4499149 (Monthly Rollup ) or KB4499180 (Security Only) have reported issues like failed updates and BSODs in the AskWoody.com thread MS-DEFCON 3: Get Windows XP, Win7 and Associated Servers Patched.  Woody is currently suggesting <here> that "If you’re running Vista, hang tight. Looks like Microsoft forgot to document that one."

I'd advise that Vista SP2 users monitor that AskWoody thread for further feedback or at least make sure they create a full system image with imaging software like Macrium Reflect Free before applying these May 2019 Windows Server 2008 updates just in case they cause problems.  I've decided to wait a bit longer to see if Microsoft eventually revises the MS TechNet article Prevent a Worm by Updating Remote Desktop Services (CVE-2019-0708) and includes links in that article to a security patch designed specifically for Vista SP2.  Microsoft posted five special out-of-band security updates for NSA-leaked exploits for Vista SP2 on the Microsoft Update Catalog after this OS reached its end of extended support (see the MS Answers thread More Shadow Brokers Exploits Patched June 2017 for Win XP and Vista) and I'm hoping they'll release a similar out-of-band patch for this Remote Desktop Services (known as Terminal Services in older OSs like Vista SP2) vulnerability in the next few days.

In the meantime I've gone to Control Panel | System and Maintenance | System | Remote Settings and confirmed that Remote Assistance is disabled on my Vista SP2 system.


[Image: Vista SP2 System Properties, Remote Assistance disabled, CVE-2019-0708, 17 May 2019]
-------------
32-bit Vista Home Premium SP2 * Firefox ESR v52.9.0 * Norton Security Deluxe v22.15.2.22 * Malwarebytes Free v3.5.1-1.0.365


On 5/17/2019 at 12:26 PM, lmacri said:

Please note that a few Vista SP2 users like Pim, dinosaur, etc. who tried to install the May 2019 Patch Tuesday Windows Server 2008 updates KB4499149 (Monthly Rollup ) or KB4499180 (Security Only) have reported issues like failed updates and BSODs in the AskWoody.com thread MS-DEFCON 3: Get Windows XP, Win7 and Associated Servers Patched.  Woody is currently suggesting <here> that "If you’re running Vista, hang tight. Looks like Microsoft forgot to document that one."...

...In the meantime I've gone to Control Panel | System and Maintenance | System | Remote Settings and confirmed that Remote Assistance is disabled on my Vista SP2 system.

Further to my previous post # 9, has anyone heard if a patch specifically designed for Vista SP2 has been released for the Remote Desktop / Terminal Services vulnerability?  I've been monitoring the MS TechNet article Prevent a Worm by Updating Remote Desktop Services (CVE-2019-0708) but it hasn't been revised since 14-May-2019.

As of last month's April 2019 Patch Tuesday the Win Server 2008 patches have changed the build number of Vista SP2 from 6.0.6002.xxxxx (Build 2) to 6.0.6003.xxxxx (Build 3). I don't know if Win Server 2008 updates KB4499149 (the Monthly Rollup) and KB4499180 (Security Only update) both increase the build number, but this is a deliberate change by Microsoft – see the support article Build Number Changing to 6003 in Windows Server 2008 – and some users posting in Jody Thorton's MSFN thread Server 2008 Updates on Windows Vista are speculating that this change to build number 6.0.6003.xxxxx is the cause of the BSODs and software errors on their Vista SP2 system.

Regarding CVE-2019-0708, GoneForPlaid has posted a helpful hint in reply # 1717774 of the AskWoody.com thread There’s Now a Freely Available Proof of Concept Exploit for the “Wormable” WinXP/Win7 Bug.  Go to Steve Gibson's Gibson Research Corporation site at https://www.grc.com/port_3389.htm and click the Probe THIS Port button.  If the status of Port 3389 is Stealth (best) or Closed (good) as shown below then your system is supposedly configured to block an attack from this Remote Desktop / Terminal Services exploit. Definitions for the port status (Stealth / Blocked / Open) are available at https://www.grc.com/su/portstatusinfo.htm.

[Image: GRC ShieldsUP! probe of port 3389 (RDS / Terminal Services) showing the port shielded, 21 May 2019]


Another simple thing you can do without messing with any of Windows' default settings or 'breaking' anything as I do is configuring your network connection to the 'Public' profile.  Do not do this if you like to share any files and/or printers or stream content to/from other devices on your network, but if you just connect your PC to the internet through your router/modem then there's no reason not to use the Public profile as it is the most secure.  It basically tells Windows to treat your internet connection as though you were connecting to the internet in a public place such as an internet cafe or hotel where you want to restrict access from other devices on the network to your system (very important since you never know who may be connected to the same connection as you and any of them might also be infected with a worm or other network propagating malware).  Since here at home all I have are my PCs which I connect directly to the web through my ISP provided modem/router device and I don't do any network file or printer sharing, I always configure my network connections to use the Public profile.  It locks down many network settings and components and is far more secure than the Home and Work connection options.

Details on how to configure this setting can be found in the following articles:

Windows 7
Windows 10

Additional info on the specific differences between profiles can be found in the following article:

What’s the Difference Between Private and Public Networks in Windows?


12 hours ago, lmacri said:

Further to my previous post # 9, has anyone heard if a patch specifically designed for Vista SP2 has been released for the Remote Desktop / Terminal Services vulnerability?  I've been monitoring the MS TechNet article Prevent a Worm by Updating Remote Desktop Services (CVE-2019-0708) but it hasn't been revised since 14-May-2019....

For Vista SP2 users, please note that MS support article Customer Guidance for CVE-2019-0708 | Remote Desktop Services Remote Code Execution Vulnerability: May 14, 2019 was modified on 23-May-2019 and now recommends that Vista SP2 users patch this vulnerability with the Win Server 2008 KB4499180 (May 2019 Security Only) update.  Kudos to Vistaar for posting that information <here> in the Vista Forums. The release notes for KB4499180 at https://support.microsoft.com/en-us/help/4499180/windows-server-2008-update-kb4499180 imply that KB4403730 (the latest Servicing Stack Update of April 2019) should be applied before KB4499180.

I've posted further details in reply # 1736147 of the AskWoody.com thread MS-DEFCON 3: Get Windows XP, Win7 and Associated Servers Patched.  Given all the problems Vista SP2 users have reported after installing the April / May 2019 Win Server 2008 updates, I've decided to hold off installing KB4403730 (if required) and KB4499180 until I'm sure it's safe to do so.

10 hours ago, AdvancedSetup said:

For a home system why not just disable the port as suggested by @David H. Lipman

I’ve ensured that Remote Assistance (Control Panel | System and Maintenance | System | Remote Settings) is disabled, and when I checked the status of Port 3389 at https://www.grc.com/port_3389.htm by clicking Probe THIS Port my port status was reported as Stealth (see my image in post # 12).  I assume that means I'm currently protected from the vulnerability described in CVE-2019-0708.  I'm still wondering, though, if applying the recommended Win Server 2008 patch(es) would provide additional protection from exploits that could be designed to attack other vulnerabilities in  Remote Desktop / Terminal Services.


Yes, disabling remote assistance should be sufficient.  You can optionally take it a step further by disabling the services associated with Remote Desktop.  There are several of them depending on your version of Windows and I don't personally have the full list of services for Windows 10 yet as I've not configured a Windows 10 system yet but if it's like all previous Windows versions then there should be a handful of them at least.  Theoretically that should not be necessary though, and disabling the setting as you did should be sufficient but killing the associated services ensures that it can't be easily enabled, especially by anyone remote who doesn't already have administrative access to the system.  Similarly there is the Workstation service which is associated with the SMB protocol; the very protocol exploited by EternalBlue/WannaCry.

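As an added example (not the posters' own procedure), the PowerShell below applies the hardening steps discussed in the Public-profile post above and in the reply about disabling the Remote Desktop services: it switches Remote Desktop and Remote Assistance off, stops and disables the related services so they cannot be quietly re-enabled, blocks inbound TCP 3389 on every firewall profile, and moves all connected networks to the Public category. It assumes an elevated PowerShell on Windows 7 / Server 2008 era systems and that TermService, SessionEnv and UmRdpService are the Remote Desktop related services on that build.

```powershell
# Added example, not from the forum: harden a home PC that never needs inbound Remote Desktop.
# Assumptions: elevated PowerShell; the service names below are the Remote Desktop related
# services on Windows 7 / Server 2008 and should be checked against your own build.
$RdpServices = 'TermService', 'SessionEnv', 'UmRdpService'

function Disable-RemoteDesktopSurface {
    $ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $ra = 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance'

    # Same switches as System Properties > Remote: Remote Desktop off, Remote Assistance off.
    Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 1 -Type DWord
    if (-not (Test-Path $ra)) { New-Item -Path $ra -Force | Out-Null }
    Set-ItemProperty -Path $ra -Name fAllowToGetHelp -Value 0 -Type DWord

    # Stop and disable the services so the listener cannot be re-enabled without admin rights.
    foreach ($name in $RdpServices) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc) { continue }
        if ($svc.Status -ne 'Stopped') { Stop-Service -Name $name -Force -ErrorAction SilentlyContinue }
        Set-Service -Name $name -StartupType Disabled
    }

    # Defence in depth: block inbound TCP 3389 on all firewall profiles (netsh advfirewall exists on Vista/7).
    netsh advfirewall firewall add rule name="Block inbound RDP (CVE-2019-0708)" dir=in action=block protocol=TCP localport=3389 | Out-Null
}

function Set-AllNetworksPublic {
    # Moves every connected network to the Public category (the profile recommended in the thread)
    # through the Network List Manager COM API that ships with Vista and later.
    # Category values: 0 = Public, 1 = Private, 2 = Domain authenticated (cannot be changed here).
    $nlm = [Activator]::CreateInstance([Type]::GetTypeFromCLSID('DCB00C01-570F-4A9B-8D69-199FDBA5723B'))
    foreach ($net in $nlm.GetNetworks(1)) {      # 1 = connected networks only
        if ($net.GetCategory() -eq 2) { continue }  # leave domain networks alone
        if ($net.GetCategory() -ne 0) { $net.SetCategory(0) }
    }
}

Disable-RemoteDesktopSurface
Set-AllNetworksPublic
# Quick confirmation that nothing is left listening on 3389.
netstat -ano | Select-String ':3389\s+\S+\s+LISTENING'
```

Setting the Public category also disables network discovery and file and printer sharing for that connection, which is exactly the trade-off the post describes.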

1 hour ago, lmacri said:

I’ve ensured that Remote Assistance (Control Panel | System and Maintenance | System | Remote Settings) is disabled, and when I checked the status of Port 3389 at https://www.grc.com/port_3389.htm by clicking Probe THIS Port my port status was reported as Stealth (see my image in post # 12).  I assume that means I'm currently protected from the vulnerability described in CVE-2019-0708. 


Let me remind you that there is most likely an Internet appliance that sits in between the PC using the browser performing the test and GRC.Com that can affect that outcome.  It must be taken into account.



On 5/24/2019 at 9:39 AM, lmacri said:

...Given all the problems Vista SP2 users have reported after installing the April / May 2019 Win Server 2008 updates, I've decided to hold off installing KB4403730 (if required) and KB4499180 until I'm sure it's safe to do so....I'm still wondering, though, if applying the recommended Win Server 2008 patch(es) would provide additional protection from exploits that could be designed to attack other vulnerabilities in Remote Desktop / Terminal Services...


How will you ever be "sure it's safe to do so"? The "problems" I have seen reported involve security software that no longer supports Vista (notably Avast 18.8) and VMware. Malwarebytes 3.5.1 is not affected, but I suppose your "maintenance mode" version of Norton Security might conceivably be affected. The number of Norton users who are still running Vista and have installed the latest Windows updates appears to be approximately zero, so the world may never know unless you take the plunge. Good luck!


1 hour ago, Abzyx said:

...I suppose your "maintenance mode" version of Norton Security might conceivably be affected. The number of Norton users who are still running Vista and have installed the latest Windows updates appears to be approximately zero, so the world may never know unless you take the plunge. Good luck!

Hi Abzyx:

Catalin Cimpanu's 26-May-2019 ZDNet article Intense Scanning Activity Detected for BlueKeep RDP Flaw notes that many antivirus manufacturers have already developed exploits for this CVE-2019-0708 vulnerability "which they intend to keep private".  Symantec released an Intrusion Prevention (IPS) definition (v20190522.061) for Norton on May 22, 2019 that adds protection for this vulnerability - see the details of Symantec's Security Update 2032 - and the image below shows my Norton Security v22.15.2.22 received this IPS definition update that same day.

[Image: Norton Security v22.15.2 IPS definition set v20190522.061 for CVE-2019-0708, 22 May 2019]

The fact that Norton v22.15.2.22 is in "maintenance mode" for Win XP and Vista as described <here> only means that product updates and feature changes will be limited going forward.  I'm still getting all the virus and protection definition updates as other Norton users with Win 7 and higher, and as I noted in my 17-Apr-2019 reply to you in the BleepingComputer thread Hardening Vista- Are These Utilities All Legit?, "Norton v22.x products installed on Win XP and Vista machines have received three product updates [v22.15.0.88 (rel. Aug 2018); v22.15.1.8 (rel. Sept 2018); v22.15.2.22 (rel. Apr 2019)]" since Norton entered "maintenance mode" in June 2018 for these unsupported operating systems.


Hi lmacri:

If I understand you correctly, Norton is so great that it doesn't really matter if your OS hasn't been patched for more than 2 years and your browser hasn't been patched for nearly a year now? Good luck with that theory! Meanwhile, Microsoft has just admitted what some of us have long known: That Windows 6.0 patches are still applicable to Vista.


1 month later...
1 hour ago, TheThornWithin said:

Of course, the smart thing would be to update to the latest Windows version and this entire thread would be irrelevant.

Microsoft needs to brick all computers connected to the internet that are running XP/Vista/7/8.

I'm not so sure about that.  Windows 10 has had its share of vulnerabilities lately, including some that didn't even impact 7/8 (or even XP for that matter), not to mention the fact that much of what can be done to immunize Windows 7 and earlier Windows versions against such exploits by disabling certain services, protocols and components can't be done in Windows 10 meaning that even though my Windows 7 system was immune from day 0 and prior to this and any other vulnerability exploiting the Remote Desktop protocol (and SMB; the component exploited by the EternalBlue exploit that was used to spread WannaCry, not to mention every component of file and printer sharing along with a slew of additional extraneous features/components), I would not be able to do the same to a system running Windows 10 so I'd be at Microsoft's mercy to discover any vulnerabilities and patch them before exploits for them are found in the wild.  I like my odds much better with 7 given that fact since I don't have to wait on Microsoft to even be aware of such exploits/vulnerabilities, much less patch them.  That said, most aren't quite as paranoid or knowledgeable as I may be with regards to Windows' internals, so I don't advise everyone to stick with 7.  I still see 10 as a much greater risk to privacy and security though, given all its built in new 'features' for enabling telemetry collection and advertising, as I have no doubt they leave it with a much larger area of attack for potential remote vulnerabilities and exploits.


1 hour ago, exile360 said:

I'm not so sure about that.  Windows 10 has had its share of vulnerabilities lately, including some that didn't even impact 7/8 (or even XP for that matter)...

I should also mention that a recent Win 10 update has a bug that could affect "always on" VPN services that require the Remote Access Connection Manager (RASMAN) to run in the background.  See the 07-Jul-2019 Digital Technology article at https://www.digitaltrends.com/computing/windows-10-vpn-bug/ for more info.  Kudos to bjm_ for posting about this bug <here> in the Norton Tech Outpost.

Many Windows users permanently disabled any service related to Remote Desktop / Terminal Services in May/June 2019 after the Remote Desktop Protocol (RDP) vulnerability CVE-2019-0708 being discussed in this thread was announced.  I posted a question today <here> in the Norton forum asking if those users might have inadvertently created a problem with Norton Secure VPN and/or other VPN services by disabling those services but haven't received an answer yet.

Thanks for the info lmacri.  I wasn't aware of this issue.  They must have made changes to the way that RDP works in 10 for it to impact third party applications like that as I've never seen such issues with any other version of Windows and I've been disabling RDP since way back in the XP days.
