CVE-2019-0708 is a remote code execution vulnerability that exists in Remote Desktop Services, previously known as Terminal Services. Remote Desktop Protocol (RDP) provides a user with a graphical interface to connect to a remote computer over a network connection.
Successful exploitation of this vulnerability could allow an attacker to run malicious commands on a vulnerable server.
At this time the Masergy Threat Intelligence Team is not aware of any in-the-wild exploitation or public proof-of-concept exploits. We will continue to monitor the situation as it develops. We assess that it is highly likely that actors will pursue the development of exploits for this vulnerability.
To perform this exploit, an attacker sends a specially crafted connection request over RDP to the Remote Desktop Service, which could then allow the attacker to execute malicious code on the target system, remove data, and create users with elevated permissions on the system.
Because this attack happens prior to authentication and requires no user interaction to execute successfully, this exploit is considered wormable (able to spread throughout a network).
We recommend the following actions be taken:
- Immediately apply Microsoft’s May 14th, 2019 security patch on affected systems, after appropriate testing. If you are unable to update, use the mitigations and workarounds that Microsoft provides in its advisory.
- Disable Remote Desktop Services if they are not required.
- If possible, ensure externally accessible Remote Desktop Services are under additional protective measures such as a VPN.
Microsoft has made patches available for download. For more information, see Microsoft’s advisory at https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708
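To triage a host against the recommendations above, the following added example (not Masergy's or Microsoft's code) reports whether the local OS is in this advisory's affected list and whether Remote Desktop is accepting connections. It assumes PowerShell 2.0 or later and an elevated prompt, and it matches on the OS caption string; it does not check patch status, which must be verified against Microsoft's advisory.

```powershell
# Added example: local RDP exposure triage for CVE-2019-0708.
# Product names come from this advisory's affected list; matching them
# against the WMI OS caption is an assumption of this sketch.
$affectedPatterns = @(
    'Windows XP',
    'Server.*2003',
    'Windows 7',
    'Server.*2008'      # also matches Windows Server 2008 R2
)

$caption = (Get-WmiObject -Class Win32_OperatingSystem).Caption.Trim()
$isAffected = $false
foreach ($pattern in $affectedPatterns) {
    if ($caption -match $pattern) { $isAffected = $true }
}

# fDenyTSConnections = 0 means the host accepts Remote Desktop connections.
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections `
         -ErrorAction SilentlyContinue).fDenyTSConnections
$rdpEnabled = ($deny -eq 0)

# TermService is the Remote Desktop Services (Terminal Services) service.
$svc = Get-Service -Name TermService -ErrorAction SilentlyContinue
$svcStatus = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }

# Listener port from the registry (3389 unless it has been changed).
$port = (Get-ItemProperty -Path "$tsKey\WinStations\RDP-Tcp" -Name PortNumber `
         -ErrorAction SilentlyContinue).PortNumber

# Map the findings onto the advisory's recommended actions.
$action = if (-not $isAffected) {
    'OS is not in the advisory list'
} elseif ($rdpEnabled) {
    'Patch now; disable RDP if not required, otherwise restrict it to VPN'
} else {
    'Patch; RDP is disabled, keep it off unless required'
}

New-Object PSObject -Property @{
    Computer     = $env:COMPUTERNAME
    OS           = $caption
    InAffected   = $isAffected
    RdpEnabled   = $rdpEnabled
    TermService  = $svcStatus
    RdpPort      = $port
    Action       = $action
} | Select-Object Computer, OS, InAffected, RdpEnabled, TermService, RdpPort, Action |
    Format-List
```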
- Remote code execution vulnerability existing in Remote Desktop Services.
Affected systems:
- Windows XP
- Windows 2003
- Windows 7
- Windows Server 2008
- Windows Server 2008 R2