Threat response: Remote Desktop Services RCE
Last Tuesday, 14th of May, information regarding a new vulnerability in Microsoft Remote Desktop Services (RDS) was published. This concerns a vulnerability that allows an attacker to perform remote code execution (RCE) without user interaction on a system that offers RDS.
This vulnerability was assigned the number CVE-2019-0708.
The vulnerability was discovered in a component of RDS that is responsible for handling incoming Remote Desktop Protocol (RDP) connections. This makes it possible for an attacker to gain access to the target system by sending specially crafted requests to the target, even before authentication has been performed. If successfully exploited, this vulnerability allows an attacker to execute code remotely on the target system. No user interaction is required, and the attacker gains access to the target system with full user rights, allowing them to perform actions and make changes.
An attack on this vulnerability can be attempted by an attacker who is able to connect to the RDS service via the network. By sending a specially crafted request, the attacker can attempt to abuse the way in which the RDS service handles incoming RDP requests.
Microsoft considers this exploit to be ‘wormable’. This means that a given malware that is able to exploit this vulnerability, is able to spread itself from system to system automatically.
The following CVE details have been assigned to this vulnerability:
CVE-2019-0708; Remote Desktop Services Remote Code Execution Vulnerability
CVSS base score: 9.8 (critical)
Vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Microsoft has indicated that, at the time of writing, no indications of active exploiting attempts have been observed. The exact details of this vulnerability have not yet been disclosed.
Northwave assesses the severity of this vulnerability as medium. The potential impact is high, but currently no active exploits are known to Northwave. Therefore, we cannot estimate the likeliness of such exploit attempts.
We recommend verifying if vulnerable versions of Microsoft Windows are present within your organization. The list below contains the versions that are affected by this vulnerability:
- Windows XP (outside active support)
- Windows Server 2003 (outside active support)
- Windows Vista (outside active support)
- Windows 7
- Windows Server 2008
- Windows Server 2008 R2
More recent versions of the Microsoft Windows operating system, including Windows 8, Windows 10 and Windows Server 2012 or newer versions are not affected by this vulnerability.
Microsoft has released patches for the vulnerable versions of Microsoft Windows. This patch is included in the monthly security rollup of May 2019 and is available for download as a separate security patch. Systems that are running Windows 7 or newer will receive the patch automatically through Windows Update.  The affected versions of Windows include versions that are not actively supported anymore. However, Microsoft has released security updates for Windows Server 2003 and Windows XP as well under number KB4500331. 
Northwave advises to install the published updates as soon as possible, even when vulnerable systems are not directly connected to the internet.
Besides updating the software, Northwave recommends restricting direct access to Remote Desktop Services as much as possible using a firewall and disabling the RDS service on systems where the function is not used. This reduces the potential attack surface. For systems that require Remote Desktop Services to be enabled, it is strongly recommended, besides updating the software, to enable Network Level Authentication (NLA) . This is a mitigating action that will enforce successful user authentication before a connection to the target system can be established.
If you need additional information you can call us by phone or send us an email.
E-mail: [email protected]
Do you have an incident right now? Call our CERT number: +31 (0)85-0437 909 or 0800-1744 (alleen vanuit Nederland)
 An overview of the available patches for Windows versions that are currently supported can be found on the following page: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708
: Separate downloads have been made available for Windows XP and Windows Server 2003 on the following page:https://support.microsoft.com/en-us/help/4500705/customer-guidance-for-cve-2019-0708
: For more information regarding enabling NLA, please refer to the following Microsoft support page:https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732713(v=ws.11)
Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.