RDP Stands for “Really DO Patch!” – Understanding the Wormable RDP Vulnerability CVE-2019-0708 (May 21, 2019)
The Remote Code Execution (RCE) vulnerability in Microsoft’s Remote Desktop Services, registered as “CVE-2019-0708,” now has Proof-of-Concept (POC) code associated with it. The vulnerability can be exploited by an actor connecting to the target via Remote Desktop Protocol (RDP) and sending custom-crafted requests. The vulnerability affects multiple Windows operating systems, including Windows 2003, Windows XP, Windows 7, Windows Server 2008, and Windows Server 2008 R2. CVE-2019-0708 is a wormable vulnerability that could be used to spread to other systems, similar to the global “WannaCry” ransomware campaign that took place in March 2017.
Recommendation: Microsoft issued a fix for CVE-2019-0708 on May 5, 2019, and the security advisory can be found here: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708. Our company should have policies in place for maintaining server software so that new security updates are applied as soon as possible. Threat actors often target vulnerabilities for which patches have already been issued, because information and proof-of-concept exploit code sometimes become publicly available once a patch is released. Actors of all levels of sophistication are known to exploit such vulnerabilities because, as this story shows, many users and administrators do not apply security updates.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.