By Keren Pollack, on June 10th, 2019

Wormable RDP vulnerability gave the wrongly assumed safe RDP protocol a reality check. However, the truth emerged only a few months ago when Check Point discovered a major vulnerability in the RDP  clipboard. Back then, Microsoft decided not to claim responsibility for the protocol’s flaw, but this time, patching is highly encouraged due to the potential damage the worm can cause.

 

The recent patch, published for BlueKeep vulnerability (CVE-2019-0708), is mandatory for solving a critical vulnerability in the following OS:

 

  • Windows 2003
  • Windows XP
  • Windows 7
  • Windows Server 2008
  • Windows Server 2008 R2

 

Experts estimate the potential damage that could be caused by BlueKeep might be as painful as that caused by the SMBV1 worm WannaCry. “The Remote Desktop Protocol (RDP) itself is not vulnerable. This vulnerability is pre-authentication and requires no user interaction. In other words, the vulnerability is ‘wormable’, meaning that any future malware that exploits this vulnerability could propagate from vulnerable computers to vulnerable computers in a similar way as the WannaCry malware that spread across the globe in 2017,” Microsoft explained the danger.
This is probably why Microsoft did an unusual move and patched this vulnerability for Windows XP and Windows 2003, despite the fact that they had reached ‘End of Support’ long ago.

 

Why is BlueKeep so critical?

 

  1. There’s no need for any authentication in order to execute arbitrary code and take control of the targeted computer. Any remote attacker can attack your computer just by sending specially crafted requests to the device’s RDS via the RDP with zero interaction with the user.
  2. An attacker can execute any arbitrary code once the targeted system is under his control.
  3. Being a ‘Wormable’ vulnerability, once a computer gets infected, the entire network can get infected really fast.

 

 

It is estimated that over 1 million computers are still vulnerable, having an open RDP to the internet, but still, haven’t been patched. Here’s what you need to do if fixing the flaw in your organization is not possible in the near future:

 

  • Disable RDP services if they are not necessary.
  • Block port 3390 using a firewall, or make it accessible only over a private VPN.
  • Enable Network Level Authentication (NLA) to prevent any unauthenticated attacker from exploiting this flaw.

 

How can you make sure you are resilient to RDP vulnerabilities?

Getting breached because of a forgotten machine that has an enabled RDP protocol, even though there’s really no use for it, is an absolute waste. Controlling RDP configurations in your entire IT network, making sure that it is configured in the most secure way with manual tools such as GPO is almost impossible and labor demanding. With CHS by CalCom, you can have complete control of your configurations, ensuring that your RDP’s are configured in the most secure fashion without damaging their functionality. CHS learning mode will save you lab testing and outages, and in a single action, you’ll be able to enforce the most secure policy that can be enforced without harming production. Don’t let your RDP be the smoking gun of your next breach, harden it with CHS.

 

https://blogs.quickheal.com/cve-2019-0708-critical-wormable-remote-code-execution-vulnerability-windows-rdp/

https://thehackernews.com/2019/05/bluekeep-rdp-vulnerability.html