Critical RCE vulnerability on the level of EternalBlue found in Windows (CVE-2019-0708)
A critical remote code execution vulnerability (CVE-2019-0708) has been disclosed in Remote Desktop Services (RDS; called Terminal Services, TS, in older Windows versions). Successful exploitation lets an unauthenticated attacker execute arbitrary code on the attacked system.
According to Microsoft, all that is needed for successful exploitation is network access to a host or server running a vulnerable Windows version. So if the service is published on the network perimeter, the vulnerability can be exploited directly from the Internet, with no additional delivery mechanism. Recommended protective measures are given below.
At the moment the vulnerability is relevant for several dozen organizations in Russia and more than 2 million organizations worldwide, and the potential damage from delaying the response and the protective measures would be comparable to that caused by the SMB vulnerability CVE-2017-0144 (EternalBlue).
To exploit the vulnerability an attacker only needs to send a specially crafted request over RDP to the Remote Desktop Service of the target system; the flaw is triggered before authentication and requires no user interaction (the RDP protocol itself is not vulnerable, the service implementation is).
Importantly, any malware that exploits this vulnerability can spread from one vulnerable computer to another without any user action, in the same way the WannaCry ransomware spread around the world in 2017.
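The pre-authentication surface described above is reachable only if the listener will negotiate a session without Network Level Authentication. The following probe is an added example and not part of the original article: it sends a single X.224 Connection Request with an RDP_NEG_REQ that offers only standard RDP security and interprets the server's RDP_NEG_RSP or RDP_NEG_FAILURE (message layouts per MS-RDPBCGR). The host name in the usage line is a placeholder; run it from an administrator workstation against the hosts that expose TCP/3389.

```powershell
# Added example (not from the article): probe an RDP listener from the network
# and report whether it will negotiate a session WITHOUT Network Level
# Authentication. One X.224 Connection Request + RDP_NEG_REQ offering only
# PROTOCOL_RDP is sent; the reply tells us what the server insists on.
# Host name and port below are placeholders.

function Read-RdpNegotiation {
    param([byte[]] $Bytes)
    # Failure codes from the RDP_NEG_FAILURE structure (MS-RDPBCGR)
    $failureNames = @{
        1 = 'SSL_REQUIRED_BY_SERVER';    2 = 'SSL_NOT_ALLOWED_BY_SERVER'
        3 = 'SSL_CERT_NOT_ON_SERVER';    4 = 'INCONSISTENT_FLAGS'
        5 = 'HYBRID_REQUIRED_BY_SERVER'; 6 = 'SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER'
    }
    # Bytes 0-3 TPKT header, bytes 4-10 X.224 Connection Confirm (code 0xD0)
    if ($Bytes.Length -lt 11 -or $Bytes[0] -ne 0x03 -or $Bytes[5] -ne 0xD0) {
        return @{ NlaEnforced = $null; Detail = 'no X.224 Connection Confirm received' }
    }
    # RDP 5.x servers (XP / 2003) answer with a bare 11-byte Connection Confirm:
    # no negotiation at all, standard RDP security is implicitly accepted.
    if ($Bytes.Length -lt 19) {
        return @{ NlaEnforced = $false; Detail = 'legacy server: standard RDP security accepted without negotiation' }
    }
    $type = $Bytes[11]                              # 0x02 = RDP_NEG_RSP, 0x03 = RDP_NEG_FAILURE
    $code = [BitConverter]::ToUInt32($Bytes, 15)    # selectedProtocol / failureCode (little-endian)
    if ($type -eq 0x02) {
        # Server agreed to PROTOCOL_RDP: the pre-auth code path is reachable with no credentials.
        return @{ NlaEnforced = $false; Detail = "server accepted standard RDP security (selectedProtocol=$code)" }
    }
    if ($type -eq 0x03) {
        $name = if ($failureNames.ContainsKey([int]$code)) { $failureNames[[int]$code] } else { "failureCode $code" }
        # Only HYBRID_REQUIRED (5) / SSL_WITH_USER_AUTH_REQUIRED (6) mean NLA is
        # mandatory; SSL_REQUIRED (1) is TLS without NLA and still pre-authentication.
        return @{ NlaEnforced = ($code -eq 5 -or $code -eq 6); Detail = "negotiation refused: $name" }
    }
    return @{ NlaEnforced = $null; Detail = ('unexpected negotiation type 0x{0:x2}' -f $type) }
}

function Test-RdpNla {
    param(
        [Parameter(Mandatory=$true)] [string] $ComputerName,
        [int] $Port = 3389,
        [int] $TimeoutMs = 5000
    )
    $request = [byte[]](
        0x03, 0x00, 0x00, 0x13,                    # TPKT v3, total length 19
        0x0E, 0xE0, 0x00, 0x00, 0x00, 0x00, 0x00,  # X.224 Connection Request TPDU, class 0
        0x01, 0x00, 0x08, 0x00,                    # RDP_NEG_REQ: type 1, flags 0, length 8
        0x00, 0x00, 0x00, 0x00                     # requestedProtocols = PROTOCOL_RDP (no TLS, no CredSSP)
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            $result = @{ NlaEnforced = $null; Detail = 'TCP connect timed out (filtered or closed)' }
        } else {
            $client.EndConnect($ar)
            $stream = $client.GetStream()
            $stream.ReadTimeout = $TimeoutMs
            $stream.Write($request, 0, $request.Length)
            $buffer = New-Object byte[] 64
            $n = $stream.Read($buffer, 0, $buffer.Length)
            $reply = New-Object byte[] $n
            [Array]::Copy($buffer, $reply, $n)
            $result = Read-RdpNegotiation -Bytes $reply
        }
    } catch {
        $result = @{ NlaEnforced = $null; Detail = "error: $($_.Exception.Message)" }
    } finally {
        $client.Close()
    }
    New-Object PSObject -Property @{
        Host = $ComputerName; Port = $Port
        NlaEnforced = $result.NlaEnforced; Detail = $result.Detail
    }
}

# Placeholder host. NlaEnforced = False means the listener is reachable before
# authentication and the host must be patched or removed from the perimeter.
Test-RdpNla -ComputerName 'rdp-host.example.internal' | Format-List
```

Requesting only PROTOCOL_RDP is deliberate: offering CredSSP as well would make a server that merely supports NLA select it and hide the fact that it does not require it. Run the probe against the perimeter address space as well as internally, because a host that requires NLA is still exploitable by anyone holding valid credentials.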
Affected Windows versions (Windows 8, Windows 10, Windows Server 2012 and later are not affected):
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for Itanium-Based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows XP SP3 x86
Windows XP Professional x64 Edition SP2
Windows XP Embedded SP3 x86
Windows Server 2003 SP2 x86
Windows Server 2003 x64 Edition SP2
Recommended immediately:
- Where RDP on a vulnerable OS has been published on the external perimeter, block that access until the vulnerability is fixed.
- Install the Windows updates, starting with the hosts on the perimeter and then across the whole infrastructure. Microsoft has published patches for Windows 7 and Windows Server 2008 / 2008 R2 and, exceptionally, for the out-of-support Windows XP and Windows Server 2003 (the latter are available from the Microsoft Update Catalog, not through Windows Update).
Possible additional compensating measures:
- Enable Network Level Authentication (NLA); it is supported on Windows 7 and Windows Server 2008 / 2008 R2, while XP and Server 2003 have no server-side NLA. With NLA an attacker must authenticate before the vulnerable code is reached, so the systems remain exploitable for remote code execution by anyone who holds valid credentials.
- Disable RDP until the update is installed and use alternative methods of accessing the resources.
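The checks and compensating controls above, gathered into one script as an added example that is not part of the original article. It is written for PowerShell 2.0 so it runs unchanged on Windows 7 / Server 2008 R2 (no CIM cmdlets, no Net*Firewall cmdlets). The $RequiredKb parameter is an assumption: fill it with the CVE-2019-0708 update identifier for the host's OS from the Microsoft advisory; with an empty list the script reports configuration only, not patch state.

```powershell
# Added example (not from the article): audit the local host against the
# recommendations above and apply either compensating control on request.
# PowerShell 2.0 compatible for Windows 7 / Server 2008 R2.
# $RequiredKb is an assumption to be filled from the Microsoft advisory.

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$tsKey\WinStations\RDP-Tcp"

function Get-RdpExposure {
    param([string[]] $RequiredKb = @())

    $os  = Get-WmiObject Win32_OperatingSystem
    $ver = [version]$os.Version
    # Every build in the advisory is 6.1 (Windows 7 / 2008 R2) or older;
    # Windows 8 / Server 2012 (6.2) and later are not affected.
    $inScope = ($ver -lt [version]'6.2')

    $ts  = Get-ItemProperty -Path $tsKey
    $tcp = Get-ItemProperty -Path $rdpTcp
    $rdpEnabled  = ($ts.fDenyTSConnections -eq 0)   # 0 = RDP connections allowed
    $nlaRequired = ($tcp.UserAuthentication -eq 1)  # 1 = NLA required (Win7 / 2008 only)

    # Compare installed hotfixes against the advisory's update for this OS
    $installed = @(Get-HotFix | ForEach-Object { $_.HotFixID })
    $missing   = @($RequiredKb | Where-Object { $installed -notcontains $_ })

    if (-not $inScope) {
        $verdict = 'not affected (Windows 8 / Server 2012 or later)'
    } elseif ($RequiredKb.Count -gt 0 -and $missing.Count -eq 0) {
        $verdict = 'patched'
    } elseif (-not $rdpEnabled) {
        $verdict = 'mitigated: RDP disabled'
    } elseif ($nlaRequired) {
        $verdict = 'reduced: NLA required, still exploitable with valid credentials'
    } else {
        $verdict = 'EXPOSED: unpatched, RDP enabled, no NLA'
    }

    New-Object PSObject -Property @{
        Computer    = $env:COMPUTERNAME
        OSVersion   = $os.Version
        InScope     = $inScope
        RdpEnabled  = $rdpEnabled
        NlaRequired = $nlaRequired
        MissingKb   = ($missing -join ',')
        Verdict     = $verdict
    }
}

function Enable-RdpNla {
    # Same setting the "Allow connections only from computers running Remote
    # Desktop with Network Level Authentication" option writes; needs elevation.
    # Win32_TSGeneralSetting exists on Windows 7 / 2008 / 2008 R2, not on XP / 2003.
    $s = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
                       -Filter "TerminalName='RDP-Tcp'"
    $null = $s.SetUserAuthenticationRequired(1)
}

function Disable-Rdp {
    # Stop the listener from accepting new sessions and close the inbound
    # firewall rule group. netsh is used because Disable-NetFirewallRule does
    # not exist on Windows 7 / 2008 (XP / 2003 use the older 'netsh firewall').
    Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1
    & netsh advfirewall firewall set rule group="remote desktop" new enable=no | Out-Null
}

# Report first; apply one compensating control only after reviewing the verdict.
Get-RdpExposure -RequiredKb @() | Format-List
# Enable-RdpNla    # compensating control 1: require NLA until the patch is installed
# Disable-Rdp      # compensating control 2: switch RDP off until the patch is installed
```

Run the report with the real KB list for each OS family before and after patching, and keep the perimeter block in place until every host reports "patched"; NLA alone only raises the bar to "attacker with valid credentials", it does not remove the vulnerability.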