15 MAY 2019

Microsoft has issued a patch for a vulnerability in its Remote Desktop Services that can be exploited remotely, via RDP, without authentication and used to run arbitrary code:

A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

It doesn’t get much worse than that.

Fixes are included in for versions of Windows 7 and Windows 2008 (see the advisory for the full list) as part of Microsoft’s most recent Patch Tuesday. Patches have also been made available for versions of Windows XP and Windows 2003 (see the customer guidance for the full list). For all the details about this month’s patch Tuesday, including some other critical fixes, read the SophosLabs analysis of May’s Patch Tuesday.

The flaw is considered ‘wormable’, meaning that it has the potential to be used in malware that spreads by itself across and between networks.

Millions of computer networks around the world have RDP exposed to the outside world so that they can be managed not only via their local network but also across the internet. Sometimes, that external access was enabled on purpose; sometimes the exposure is an unwanted mistake – but in either case, a network where RDP can be reached from the outside is a potential gateway for an automated attack to reach a new victim.

Given the number of targets, and the potential for an explosive, exponential spread, we suggest you treat it as a matter of when, not if, the patch is reverse engineered and an exploit created, so you should update immediately. For more guidance, check out this article’s What to do? section.

The fact that Microsoft has taken the exceptional step of issuing patches for Windows XP and Windows 2003, is instructive.

Given the potential impact to customers and their businesses, we made the decision to make security updates available for platforms that are no longer in mainstream support … We recommend that customers running one of these operating systems download and install the update as soon as possible.

In the five years since the end-of-life date for Windows XP and 2003, Microsoft has issued countless patches for critical issues in its family of operating systems that it didn’t back-port to its retired products. It’s only broken that support embargo on four occasions, including this one, most notably during the WannaCry outbreak of 2017.

WannaCry was a ransomware worm that spread around the world in a day by exploiting a flaw in version one of Microsoft’s SMB software. The worm had no trouble finding hundreds of thousands of Windows systems to infect despite the age of the software and a patch having been issued the previous month.

As if to demonstrate our continued, collective failure to learn the lesson about the importance of patching, WannaCry was followed a little over a month later by NotPetya, another global ransomware outbreak using the same exploit.

What to do

Whatever else you do, patch.

If, for some reason, you can’t patch immediately, Microsoft offers the following mitigations and workarounds:

  • Enable Network Level Authentication (NLA). This forces a user to authenticate before RDP is exposed to the attacker. Not all affected systems support NLA.
  • Turn off RDP. If RDP isn’t running, the vulnerability can’t be exploited. As obvious as this seems, some organisations are unable to work without RDP, and some are running it without realising it.
  • Block TCP port 3389. Blocking port 3389 (and any other ports you’ve assigned to RDP) at the perimeter will prevent an attack from entering your network but can’t stop an attack from originating inside your network.

(Watch directly on YouTube if the video won’t play here.)