AdvancedSetup

Prevent a worm by updating Remote Desktop Services


Prevent a worm by updating Remote Desktop Services (CVE-2019-0708)
https://blogs.technet.microsoft.com/msrc/2019/05/14/prevent-a-worm-by-updating-remote-desktop-services-cve-2019-0708/

MSRC Team, May 14, 2019

Today Microsoft released fixes for a critical Remote Code Execution vulnerability, CVE-2019-0708, in Remote Desktop Services – formerly known as Terminal Services – that affects some older versions of Windows. The Remote Desktop Protocol (RDP) itself is not vulnerable. This vulnerability is pre-authentication and requires no user interaction. In other words, the vulnerability is ‘wormable’, meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017. While we have observed no exploitation of this vulnerability, it is highly likely that malicious actors will write an exploit for this vulnerability and incorporate it into their malware. 

Now that I have your attention, it is important that affected systems are patched as quickly as possible to prevent such a scenario from happening. In response, we are taking the unusual step of providing a security update for all customers to protect Windows platforms, including some out-of-support versions of Windows. 

Vulnerable in-support systems include Windows 7, Windows Server 2008 R2, and Windows Server 2008. Downloads for in-support versions of Windows can be found in the Microsoft Security Update Guide. Customers who use an in-support version of Windows and have automatic updates enabled are automatically protected.  

Out-of-support systems include Windows 2003 and Windows XP. If you are on an out-of-support version, the best way to address this vulnerability is to upgrade to the latest version of Windows. Even so, we are making fixes available for these out-of-support versions of Windows in KB4500705.

Customers running Windows 8 and Windows 10 are not affected by this vulnerability, and it is no coincidence that later versions of Windows are unaffected. Microsoft invests heavily in strengthening the security of its products, often through major architectural improvements that are not possible to backport to earlier versions of Windows.  

There is partial mitigation on affected systems that have Network Level Authentication (NLA) enabled. The affected systems are mitigated against ‘wormable’ malware or advanced malware threats that could exploit the vulnerability, as NLA requires authentication before the vulnerability can be triggered. However, affected systems are still vulnerable to Remote Code Execution (RCE) exploitation if the attacker has valid credentials that can be used to successfully authenticate. 

It is for these reasons that we strongly advise that all affected systems – irrespective of whether NLA is enabled or not – should be updated as soon as possible.  

Resources
Links to downloads for Windows 7, Windows 2008 R2, and Windows 2008
Links to downloads for Windows 2003 and Windows XP  

Simon Pope
Director of Incident Response
Microsoft Security Response Center (MSRC)

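As an added example (not part of the MSRC post or anyone's reply in this thread), here is a read-only PowerShell audit of the things the post says decide exposure: OS version, whether Remote Desktop and Remote Assistance are on, whether NLA (the partial mitigation) is required, whether anything listens on 3389, and whether a fix is installed. It assumes the standard Terminal Server registry value names, and the KB list is taken from this thread (KB4500705 for XP/2003, KB4499149 and KB4499180 for Server 2008 and Vista); for other builds you must add the KB from the Security Update Guide yourself. Run it elevated in Windows PowerShell 2.0 or later.

```powershell
# Added example: read-only check of local CVE-2019-0708 exposure (no changes are made).
# ASSUMPTION: only the KBs named in this thread are listed; extend for your build.
$RelevantKbs = @('KB4500705', 'KB4499149', 'KB4499180')

function Get-RegValue([string]$Path, [string]$Name) {
    # Return $null when the key or value is missing instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { return $item.$Name }
    return $null
}

function Get-BlueKeepExposure {
    $os  = Get-WmiObject -Class Win32_OperatingSystem
    $ver = [Version]$os.Version                    # e.g. 6.1.7601 on Windows 7 SP1

    # MSRC: XP/2003 (5.x), Vista/2008 (6.0) and 7/2008 R2 (6.1) are affected,
    # Windows 8 (6.2) and later are not.
    $osAffected = $ver -lt [Version]'6.2'

    $ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpEnabled  = (Get-RegValue $ts 'fDenyTSConnections') -ne 1          # 1 = Remote Desktop off
    # NLA is the partial mitigation from the post: an attacker needs valid credentials first.
    $nlaRequired = (Get-RegValue "$ts\WinStations\RDP-Tcp" 'UserAuthentication') -eq 1
    $raEnabled   = (Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance' 'fAllowToGetHelp') -eq 1

    $installed = Get-HotFix | ForEach-Object { $_.HotFixID }
    $patched   = @($RelevantKbs | Where-Object { $installed -contains $_ })

    # Whatever is listening on TCP 3389 is what a worm would actually reach.
    $listening = [bool](netstat -ano -p tcp | Select-String -Pattern ':3389\s+\S+\s+LISTENING')

    if (-not $osAffected)         { $verdict = 'Not affected (Windows 8 or later)' }
    elseif ($patched.Count -gt 0) { $verdict = "Patched ($($patched -join ', '))" }
    elseif (-not ($rdpEnabled -or $raEnabled -or $listening)) {
        $verdict = 'Unpatched, but RDP and Remote Assistance are off and nothing listens on 3389'
    }
    elseif ($nlaRequired)         { $verdict = 'Unpatched; NLA is only a partial mitigation - install the update' }
    else                          { $verdict = 'EXPOSED: unpatched and RDP reachable without NLA - patch now' }

    New-Object PSObject -Property @{
        OSVersion = $os.Version; OSAffected = $osAffected; RdpEnabled = $rdpEnabled
        NlaRequired = $nlaRequired; RemoteAssistance = $raEnabled; Listening3389 = $listening
        PatchesFound = ($patched -join ', '); Verdict = $verdict
    }
}

Get-BlueKeepExposure | Format-List OSVersion, OSAffected, RdpEnabled, NlaRequired, RemoteAssistance, Listening3389, PatchesFound, Verdict
```

The verdict follows the post's own logic: a missing patch on an affected build is only mitigated, never fixed, by NLA, and a machine that is off the RDP path is still worth patching for whatever else lives in Terminal Services.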

Thanks for the info.  I remove, disable, break and cripple every aspect of RDP (and all other non-essential internet protocols for all of my network connections) so my systems remain immune to such attacks, but I'll obviously still be patching nonetheless in case there's anything I missed.


Amazingly, Microsoft even patched for 2003/XP - Not that they should be on XP but I know we still have some of our own users on XP to this day

Sometimes, it's just a DLL on the system that allows a hack to work.

 


Thanx Ron.

If it is a vulnerability on XP and Windows 7, is Windows Vista not affected?

 


It affects many different versions of Windows. It says 8 and 10 are not affected. I'd have to research Vista.

 


Please note that when you read the tech community blog or Twitter it reads like only server systems that have the RDSH role active are vulnerable. The fact that there is a patch for the client OS proves this wrong.


Regarding Vista: there are still patches for Server 2008 (6.0); most of them could also be applied out of band on Vista (client, out of support). The same goes for Server 2012 and Windows 8.0 (client, out of support).



P.S. What would be interesting is how and whether all these embedded Windows versions are affected, as most of them use incoming RDP too. There is no note about this either.

For WannaCry there were patches for these as well.

1 hour ago, alQamar said:

Regarding Vista: there are still patches for Server 2008 (6.0); most of them could also be applied out of band on Vista (client, out of support). The same goes for Server 2012 and Windows 8.0 (client, out of support)...

Please note that a few Vista SP2 users like Pim, dinosaur, etc. who tried to install the May 2019 Patch Tuesday Windows Server 2008 updates KB4499149 (Monthly Rollup) or KB4499180 (Security Only) have reported issues like failed updates and BSODs in the AskWoody.com thread MS-DEFCON 3: Get Windows XP, Win7 and Associated Servers Patched. Woody is currently suggesting <here> that "If you’re running Vista, hang tight. Looks like Microsoft forgot to document that one."

I'd advise that Vista SP2 users monitor that AskWoody thread for further feedback or at least make sure they create a full system image with imaging software like Macrium Reflect Free before applying these May 2019 Windows Server 2008 updates just in case they cause problems. I've decided to wait a bit longer to see if Microsoft eventually revises the MS TechNet article Prevent a Worm by Updating Remote Desktop Services (CVE-2019-0708) and includes links in that article to a security patch designed specifically for Vista SP2. Microsoft posted five special out-of-band security updates for NSA-leaked exploits for Vista SP2 on the Microsoft Update Catalog after this OS reached its end of extended support (see the MS Answers thread More Shadow Brokers Exploits Patched June 2017 for Win XP and Vista) and I'm hoping they'll release a similar out-of-band patch for this Remote Desktop Services (known as Terminal Services in older OSs like Vista SP2) vulnerability in the next few days.

In the meantime I've gone to Control Panel | System and Maintenance | System | Remote Settings and confirmed that Remote Assistance is disabled on my Vista SP2 system.

[Image: Vista SP2 System Properties showing Remote Assistance disabled, 17-May-2019]
-------------
32-bit Vista Home Premium SP2 * Firefox ESR v52.9.0 * Norton Security Deluxe v22.15.2.22 * Malwarebytes Free v3.5.1-1.0.365


If anyone is worried, and they do NOT use RDP, they can specifically block TCP/UDP Port 3389 on a SOHO Router and in the Windows Firewall.

This will prevent RDP and any Internet Worm ingress w/o modifications to the OS.

On 5/17/2019 at 12:26 PM, lmacri said:

Please note that a few Vista SP2 users like Pim, dinosaur, etc. who tried to install the May 2019 Patch Tuesday Windows Server 2008 updates KB4499149 (Monthly Rollup) or KB4499180 (Security Only) have reported issues like failed updates and BSODs in the AskWoody.com thread MS-DEFCON 3: Get Windows XP, Win7 and Associated Servers Patched. Woody is currently suggesting <here> that "If you’re running Vista, hang tight. Looks like Microsoft forgot to document that one."...

...In the meantime I've gone to Control Panel | System and Maintenance | System | Remote Settings and confirmed that Remote Assistance is disabled on my Vista SP2 system.

Further to my previous post # 9, has anyone heard if a patch specifically designed for Vista SP2 has been released for the Remote Desktop / Terminal Services vulnerability? I've been monitoring the MS TechNet article Prevent a Worm by Updating Remote Desktop Services (CVE-2019-0708) but it hasn't been revised since 14-May-2019.

As of last month's April 2019 Patch Tuesday the Win Server 2008 patches have changed the build number of Vista SP2 from 6.0.6002.xxxxx (Build 2) to 6.0.6003.xxxxx (Build 3). I don't know if Win Server 2008 updates KB4499149 (the Monthly Rollup) and KB4499180 (Security Only update) both increase the build number, but this is a deliberate change by Microsoft – see the support article Build Number Changing to 6003 in Windows Server 2008 – and some users posting in Jody Thorton’s MSFN thread Server 2008 Updates on Windows Vista are speculating that this change to build number 6.0.6003.xxxxx is the cause of the BSODs and software errors on their Vista SP2 system.

Regarding CVE-2019-0708, GoneForPlaid has posted a helpful hint in reply # 1717774 of the AskWoody.com thread There’s Now a Freely Available Proof of Concept Exploit for the “Wormable” WinXP/Win7 Bug. Go to Steve Gibson's Gibson Research Corporation site at https://www.grc.com/port_3389.htm and click the Probe THIS Port button. If the status of Port 3389 is Stealth (best) or Closed (good) as shown below then your system is supposedly configured to block an attack from this Remote Desktop / Terminal Services exploit. Definitions for the port status (Stealth / Blocked / Open) are available at https://www.grc.com/su/portstatusinfo.htm.

[Image: GRC ShieldsUP probe of port 3389 (Remote Desktop / Terminal Services) reporting the port shielded, 21-May-2019]

-------------
32-bit Vista Home Premium SP2 * Firefox ESR v52.9.0 * Norton Security Deluxe v22.15.2.22 * Malwarebytes Free v3.5.1-1.0.365


Another simple thing you can do without messing with any of Windows' default settings or 'breaking' anything as I do is configuring your network connection to the 'Public' profile. Do not do this if you like to share any files and/or printers or stream content to/from other devices on your network, but if you just connect your PC to the internet through your router/modem then there's no reason not to use the Public profile as it is the most secure. It basically tells Windows to treat your internet connection as though you were connecting to the internet in a public place such as an internet cafe or hotel where you want to restrict access from other devices on the network to your system (very important since you never know who may be connected to the same connection as you and any of them might also be infected with a worm or other network propagating malware). Since here at home all I have are my PCs which I connect directly to the web through my ISP provided modem/router device and I don't do any network file or printer sharing, I always configure my network connections to use the Public profile. It locks down many network settings and components and is far more secure than the Home and Work connection options.

Details on how to configure this setting can be found in the following articles:

Windows 7
Windows 10

Additional info on the specific differences between profiles can be found in the following article:

What’s the Difference Between Private and Public Networks in Windows?

12 hours ago, lmacri said:

Further to my previous post # 9, has anyone heard if a patch specifically designed for Vista SP2 has been released for the Remote Desktop / Terminal Services vulnerability? I've been monitoring the MS TechNet article Prevent a Worm by Updating Remote Desktop Services (CVE-2019-0708) but it hasn't been revised since 14-May-2019....

For Vista SP2 users, please note that the MS support article Customer Guidance for CVE-2019-0708 | Remote Desktop Services Remote Code Execution Vulnerability: May 14, 2019 was modified on 23-May-2019 and now recommends that Vista SP2 users patch this vulnerability with the Win Server 2008 KB4499180 (May 2019 Security Only) update. Kudos to Vistaar for posting that information <here> in the Vista Forums. The release notes for KB4499180 at https://support.microsoft.com/en-us/help/4499180/windows-server-2008-update-kb4499180 imply that KB4403730 (the latest Servicing Stack Update of April 2019) should be applied before KB4499180.

I've posted further details in reply # 1736147 of the AskWoody.com thread MS-DEFCON 3: Get Windows XP, Win7 and Associated Servers Patched. Given all the problems Vista SP2 users have reported after installing the April / May 2019 Win Server 2008 updates, I've decided to hold off installing KB4403730 (if required) and KB4499180 until I'm sure it's safe to do so.

10 hours ago, AdvancedSetup said:

For a home system why not just disable the port as suggested by @David H. Lipman

I’ve ensured that Remote Assistance (Control Panel | System and Maintenance | System | Remote Settings) is disabled, and when I checked the status of Port 3389 at https://www.grc.com/port_3389.htm by clicking Probe THIS Port my port status was reported as Stealth (see my image in post # 12). I assume that means I'm currently protected from the vulnerability described in CVE-2019-0708. I'm still wondering, though, if applying the recommended Win Server 2008 patch(es) would provide additional protection from exploits that could be designed to attack other vulnerabilities in Remote Desktop / Terminal Services.
-------------
32-bit Vista Home Premium SP2 * Firefox ESR v52.9.0 * Norton Security Deluxe v22.15.2.22 * Malwarebytes Free v3.5.1-1.0.365


Yes, disabling remote assistance should be sufficient. You can optionally take it a step further by disabling the services associated with Remote Desktop. There are several of them depending on your version of Windows and I don't personally have the full list of services for Windows 10 yet as I've not configured a Windows 10 system yet, but if it's like all previous Windows versions then there should be a handful of them at least. Theoretically that should not be necessary though, and disabling the setting as you did should be sufficient, but killing the associated services ensures that it can't be easily enabled, especially by anyone remote who doesn't already have administrative access to the system. Similarly there is the Workstation service which is associated with the SMB protocol; the very protocol exploited by EternalBlue/WannaCry.

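Putting David H. Lipman's port-3389 block and the service-disabling from the reply above into one script, as an added example that is neither poster's code: it adds inbound block rules for TCP and UDP 3389 through netsh advfirewall (so it also works on Vista and Windows 7, which lack the NetSecurity cmdlets), turns off Remote Assistance and Remote Desktop in the registry, and stops and disables the RDP services. The service names TermService, SessionEnv and UmRdpService are my assumption of the usual set; confirm them in services.msc for your build. Run elevated, and try -DryRun first; it locks out anyone who reaches the box over RDP.

```powershell
# Added example: host-level RDP hardening for a machine that does not use Remote Desktop.
# Idempotent: existing rules and absent services are skipped. -DryRun only prints the steps.
param([switch]$DryRun)

$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$ra = 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance'
# ASSUMPTION: the RDP-related services on Vista/7; verify against services.msc on your build.
$RdpServices = 'TermService', 'SessionEnv', 'UmRdpService'

function Confirm-Step([string]$What) {
    # Print the step; return $true only when changes are really being applied.
    if ($DryRun) { Write-Host "[dry-run] $What"; return $false }
    Write-Host "[apply]   $What"
    return $true
}

function Block-RdpPort {
    foreach ($proto in 'TCP', 'UDP') {
        $name = "Block inbound RDP $proto 3389"
        # 'show rule' prints 'Rule Name:' only when the rule exists, so re-runs do not duplicate it.
        $exists = [bool]((netsh advfirewall firewall show rule name="$name") -match 'Rule Name:')
        if ($exists) { Write-Host "[skip]    firewall rule '$name' already present"; continue }
        if (Confirm-Step "add firewall rule '$name'") {
            netsh advfirewall firewall add rule name="$name" dir=in action=block protocol=$proto localport=3389 | Out-Null
        }
    }
}

function Disable-RemoteAccess {
    if (Confirm-Step 'disable Remote Assistance (fAllowToGetHelp=0)') {
        Set-ItemProperty -Path $ra -Name fAllowToGetHelp -Value 0 -Type DWord
    }
    if (Confirm-Step 'disable Remote Desktop (fDenyTSConnections=1)') {
        Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 1 -Type DWord
    }
}

function Disable-RdpServices {
    foreach ($svc in $RdpServices) {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        if (-not $s) { Write-Host "[skip]    service $svc not present on this build"; continue }
        if (Confirm-Step "stop and disable service $svc (currently $($s.Status))") {
            Stop-Service -Name $svc -Force -ErrorAction SilentlyContinue
            Set-Service  -Name $svc -StartupType Disabled
        }
    }
}

Block-RdpPort
Disable-RemoteAccess
Disable-RdpServices
```

As the thread keeps repeating, none of this replaces the update: it removes the listener a worm would hit, while the patch removes the bug.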
1 hour ago, lmacri said:

I’ve ensured that Remote Assistance (Control Panel | System and Maintenance | System | Remote Settings) is disabled, and when I checked the status of Port 3389 at https://www.grc.com/port_3389.htm by clicking Probe THIS Port my port status was reported as Stealth (see my image in post # 12). I assume that means I'm currently protected from the vulnerability described in CVE-2019-0708.

 

Let me remind you that there is most likely an Internet appliance that sits in between the PC using the browser performing the test and GRC.Com that can affect that outcome. It must be taken into account.

 

On 5/24/2019 at 9:39 AM, lmacri said:

...Given all the problems Vista SP2 users have reported after installing the April / May 2019 Win Server 2008 updates, I've decided to hold off installing KB4403730 (if required) and KB4499180 until I'm sure it's safe to do so....I'm still wondering, though, if applying the recommended Win Server 2008 patch(es) would provide additional protection from exploits that could be designed to attack other vulnerabilities in Remote Desktop / Terminal Services...

32-bit Vista Home Premium SP2 * Firefox ESR v52.9.0 * Norton Security Deluxe v22.15.2.22 * Malwarebytes Free v3.5.1-1.0.365

How will you ever be "sure it's safe to do so"? The "problems" I have seen reported involve security software that no longer supports Vista (notably Avast 18.8) and VMware. Malwarebytes 3.5.1 is not affected, but I suppose your "maintenance mode" version of Norton Security might conceivably be affected. The number of Norton users who are still running Vista and have installed the latest Windows updates appears to be approximately zero, so the world may never know unless you take the plunge. Good luck!

1 hour ago, Abzyx said:

...I suppose your "maintenance mode" version of Norton Security might conceivably be affected. The number of Norton users who are still running Vista and have installed the latest Windows updates appears to be approximately zero, so the world may never know unless you take the plunge. Good luck!

Hi Abzyx:

Catalin Cimpanu's 26-May-2019 ZDNet article Intense Scanning Activity Detected for BlueKeep RDP Flaw notes that many antivirus manufacturers have already developed exploits for this CVE-2019-0708 vulnerability "which they intend to keep private". Symantec released an Intrusion Prevention (IPS) definition (v20190522.061) for Norton on May 22, 2019 that adds protection for this vulnerability - see the details of Symantec's Security Update 2032 - and the image below shows my Norton Security v22.15.2.22 received this IPS definition update that same day.

[Image: Norton Security v22.15.2 showing IPS definition set v20190522.061 for CVE-2019-0708, 22-May-2019]

The fact that Norton v22.15.2.22 is in "maintenance mode" for Win XP and Vista as described <here> only means that product updates and feature changes will be limited going forward. I'm still getting all the virus and protection definition updates as other Norton users with Win 7 and higher, and as I noted in my 17-Apr-2019 reply to you in the BleepingComputer thread Hardening Vista- Are These Utilities All Legit?, "Norton v22.x products installed on Win XP and Vista machines have received three product updates [v22.15.0.88 (rel. Aug 2018); v22.15.1.8 (rel. Sept 2018); v22.15.2.22 (rel. Apr 2019)]" since Norton entered "maintenance mode" in June 2018 for these unsupported operating systems.
-------------
32-bit Vista Home Premium SP2 * Firefox ESR v52.9.0 * Norton Security Deluxe v22.15.2.22 * Malwarebytes Free v3.5.1-1.0.365


Hi lmacri:

If I understand you correctly, Norton is so great that it doesn't really matter if your OS hasn't been patched for more than 2 years and your browser hasn't been patched for nearly a year now? Good luck with that theory! Meanwhile, Microsoft has just admitted what some of us have long known: That Windows 6.0 patches are still applicable to Vista.

