CVE-2019-0708 Critical Security Advice from edgescan
This blog explains CVE-2019-0708, how to identify if you are vulnerable and highlights how this type of threat was identified in the edgescan 2019 Vulnerability Stats Report.
What is it?
A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP (Remote Desktop Protocol) and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
To exploit this vulnerability, an attacker would need to send a specially crafted request to the target system's Remote Desktop Service via RDP.
Should I be worried?
You may be vulnerable if you have unpatched Windows machines with RDP exposed. See below for more information on how to check if machines are unpatched and how to update them if needed.
What do I need to do?
Currently there is no safe proof-of-concept (PoC) for testing assets; instead, perform the following checks to see whether your machines are vulnerable:
- For Windows 7 machines, check whether the file version of c:\windows\system32\Ntdll.dll is lower than 6.1.7601.24441 – if it is, you may be vulnerable
- For Windows 2008 machines, check whether the file version of c:\windows\system32\Ntoskrnl.exe is lower than 6.0.6003.20512 – if it is, you may be vulnerable
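The file-version check above, as an added PowerShell example that is not part of the edgescan advisory. It assumes the host's OS version (6.1 for Windows 7, 6.0 for Windows 2008) selects which file and threshold to use, and it also reads the fDenyTSConnections registry value to report whether RDP is enabled on the host.

```powershell
# Added example, not from the edgescan advisory. Compares the two file versions the advisory
# names against its thresholds and reports whether RDP is enabled on this host.
# Assumption: OS version 6.1 selects the Windows 7 check and 6.0 the Windows 2008 check
# (6.1 also matches Server 2008 R2, so treat that result as indicative only).
# Run as an administrator on the host being assessed; works on Windows PowerShell 2.0+.

function Get-FileVersionObject {
    param([Parameter(Mandatory=$true)][string]$Path)
    # Build a comparable [Version] from the numeric parts rather than parsing the
    # FileVersion string, which can carry trailing build tags on some builds.
    $info = (Get-Item -LiteralPath $Path).VersionInfo
    New-Object System.Version $info.FileMajorPart, $info.FileMinorPart, $info.FileBuildPart, $info.FilePrivatePart
}

function Test-BlueKeepPatchLevel {
    $os = [Environment]::OSVersion.Version
    switch ("$($os.Major).$($os.Minor)") {
        '6.1' {
            $label   = 'Windows 7'
            $file    = Join-Path $env:SystemRoot 'System32\ntdll.dll'
            $minimum = New-Object System.Version '6.1.7601.24441'   # threshold from the advisory
        }
        '6.0' {
            $label   = 'Windows 2008'
            $file    = Join-Path $env:SystemRoot 'System32\ntoskrnl.exe'
            $minimum = New-Object System.Version '6.0.6003.20512'   # threshold from the advisory
        }
        default { Write-Warning "OS version $os is not covered by this check"; return }
    }

    if (-not (Test-Path -LiteralPath $file)) { Write-Warning "$file not found"; return }
    $current = Get-FileVersionObject -Path $file

    # fDenyTSConnections = 0 means Remote Desktop connections are allowed on this host.
    $ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
                           -Name fDenyTSConnections -ErrorAction SilentlyContinue
    $rdpEnabled = ($ts -ne $null -and $ts.fDenyTSConnections -eq 0)

    New-Object PSObject -Property @{
        Platform        = $label
        File            = $file
        CurrentVersion  = $current.ToString()
        MinimumVersion  = $minimum.ToString()
        LikelyVulnerable = ($current -lt $minimum)   # below the patched version
        RdpEnabled      = $rdpEnabled
    }
}

Test-BlueKeepPatchLevel | Format-List
```

A host reporting LikelyVulnerable = True together with RdpEnabled = True should be prioritised for patching; a host that is unpatched but has RDP disabled is still at risk once RDP is turned on.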
You should also check that the relevant patches have been applied for Windows 7 and Windows 2008, and for Windows XP and Windows Server 2003.
Threats such as these were identified in the edgescan 2019 Vulnerability Stats Report, which reported that 3.05% of assets have RDP port 3389 exposed (based on a sample of over 250,000). While this vulnerability is not currently being actively exploited, the threat remains until affected systems are patched.