Vulnerabilità CVE-2019-0708 – Remote Desktop Services Remote Code Execution Vulnerability

Il 14 maggio 2019 è stata resa nota una vulnerabilità dei Remote Desktop Services che permette l’esecuzione di codice remoto denominata MITRE – CVE-2019-0708:

A remote code execution vulnerability exists in Remote Desktop Services formerly known as Terminal Services when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests, aka ‘Remote Desktop Services Remote Code Execution Vulnerability’.

Microsoft ha pubblicato a riguardo l’avviso di sicurezza CVE-2019-0708 | Remote Desktop Services Remote Code Execution Vulnerability in cui vengono forniti ulteriori dettagli e resi disponibili gli aggiornamenti per i sistemi operativi che risultano vulnerabili ovvero Windows 7 / Windows Server 2008 / Windows Server 2008 R2 e precedenti (per quanto riguarda gli aggiornamenti dei sistemi fuori supporto Windows XP e Windows Server 2003 si veda la KB4500705 Customer guidance for CVE-2019-0708 | Remote Desktop Services Remote Code Execution Vulnerability: May 14, 2019)

A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

To exploit this vulnerability, an attacker would need to send a specially crafted request to the target systems Remote Desktop Service via RDP.

The update addresses the vulnerability by correcting how Remote Desktop Services handles connection requests.

Tra le mitigazioni suggerite oltre ovviamente ad installare le correzioni e a disabilitare se non necessarie la pubblicazione dei Remote Desktop Services o l’abilitazione dei Remote Desktop Services inoltre abilitare l’utilizzo della Network Level Authentication (NLA):

Enable Network Level Authentication (NLA) on systems running supported editions of Windows 7, Windows Server 2008, and Windows Server 2008 R2

You can enable Network Level Authentication to block unauthenticated attackers from exploiting this vulnerability. With NLA turned on, an attacker would first need to authenticate to Remote Desktop Services using a valid account on the target system before the attacker could exploit the vulnerability.

Nel post Prevent a worm by updating Remote Desktop Services (CVE-2019-0708) del MSRC Team viene indicato che i sistemi Windows 8 e Windows 10 (quindi anche Windows Server 2016 e Windows Server 2019) non sono soggetti a questa vulnerabilità e vengono forniti ulteriori dettagli tra cui il fatto che sia tecnicamente possibile sfruttarla per realizzare un worm:

This vulnerability is pre-authentication and requires no user interaction. In other words, the vulnerability is ‘wormable’, meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017. While we have observed no exploitation of this vulnerability, it is highly likely that malicious actors will write an exploit for this vulnerability and incorporate it into their malware.”

 

Customers running Windows 8 and Windows 10 are not affected by this vulnerability, and it is no coincidence that later versions of Windows are unaffected. Microsoft invests heavily in strengthening the security of its products, often through major architectural improvements that are not possible to backport to earlier versions of Windows.”

 

 

There is partial mitigation on affected systems that have Network Level Authentication (NLA) enabled. The affected systems are mitigated against ‘wormable’ malware or advanced malware threats that could exploit the vulnerability, as NLA requires authentication before the vulnerability can be triggered. However, affected systems are still vulnerable to Remote Code Execution (RCE) exploitation if the attacker has valid credentials that can be used to successfully authenticate.”

Intanto come era logico aspettarti hanno iniziato ad essere pubblicati dei PoC (Proof of Concept) per sfruttare tale vulnerabilità, si veda ad esempio la query https://github.com/search?q=CVE-2019-0708 su GitHub, quindi è importante installare rapidamente gli aggiornamenti su sistemi interessati.

A riguardo si vedano anche:

[Update 01]

Come riportato dal CERT-PA il 7/11/2019 nella news Scoperta campagna malevola che sfrutta la vulnerabilità BlueKeep il ricercatore di sicurezza Kevin Beaumont, ha rilevato una campagna che sfrutta la vulnerabilità CVE 2019-0708 conosciuta come BlueKeep.

Inoltre è stato rilasciato anche l’aggiornamento per i sistemi fuori supporto Windows XP, Windows Server 2003 e Windows Vista, tale aggiornamento è disponile tramite la KB4500705 Customer guidance for CVE-2019-0708 | Remote Desktop Services Remote Code Execution Vulnerability: May 14, 2019.