CVE-2019-0708 RDP vulnerability megathread, aka BlueKeep.
Going to nickname it BlueKeep as it’s about as secure as the Red Keep in Game of Thrones, and often leads to a blue screen of death when exploited.
— Kevin Beaumont 🧝🏽♀️ (@GossiTheDog) May 14, 2019
Overview
A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests.
An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
The update addresses the vulnerability by correcting how Remote Desktop Services handles connection requests.
Affected systems
The critical RDS vulnerability impacts only older in-support versions of Windows (i.e. Windows 7, Windows Server 2008 R2, and Windows Server 2008), with security updates for the affected versions being available via the Microsoft Security Update Guide.
Out-of-support operating systems such as Windows XP and Windows 2003 are also affected.
Windows 8 and Windows 10 users are not impacted by the vulnerability because of the strengthened security provided with the latest Windows releases.
Resolution
- Mitigations
  - The vulnerability can be partially mitigated by enabling Network Level Authentication (NLA) for Remote Desktop Services connections on vulnerable systems.
- Workaround
  - As a workaround, Microsoft has advised Windows Server users to block TCP port 3389 and enable Network Level Authentication to prevent any unauthenticated attacker from exploiting this wormable flaw. Despite this, potential attackers could still abuse the RCE vulnerability if they already have the credentials needed to authenticate on a system where RDS is enabled.
- Patch
  - Microsoft says it’s important that patches for this vulnerability are installed as soon as possible, because it can be exploited without authentication and without user interaction.
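The two interim mitigations above (require NLA, restrict TCP 3389) can be audited and applied from an elevated PowerShell prompt on a Windows 7 / Server 2008 R2 host. This script is an added example written for this thread, not Microsoft's or the advisory's own code; the -Remediate switch name and the 10.0.0.0/24 management subnet are assumptions to adjust.

```powershell
# Added example: audit and apply the CVE-2019-0708 interim mitigations.
# Run elevated on the affected host. -Remediate is an assumed switch name.
param([switch]$Remediate)

$tsRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$tsRoot\WinStations\RDP-Tcp"

# 1. Is RDP accepting connections at all? fDenyTSConnections = 0 means yes.
$rdpEnabled = (Get-ItemProperty $tsRoot).fDenyTSConnections -eq 0
Write-Host "RDP enabled        : $rdpEnabled"

# 2. NLA: UserAuthentication = 1 forces CredSSP authentication before a session
#    is created, so an unauthenticated client never reaches the vulnerable path.
$nla = (Get-ItemProperty $rdpTcp).UserAuthentication
Write-Host "NLA required       : $($nla -eq 1)"

# 3. Is the RDP listener actually bound on 3389?
$listening = netstat -ano | Select-String ':3389\s+\S+\s+LISTENING'
Write-Host "TCP 3389 listening : $([bool]$listening)"

if ($Remediate) {
    if ($nla -ne 1) {
        # Supported way to require NLA on 7 / 2008 R2: the TerminalServices WMI class.
        $ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
              -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
        $ts.SetUserAuthenticationRequired(1) | Out-Null
        Write-Host 'Enabled Network Level Authentication.'
    }

    # Block-rules beat allow-rules in Windows Firewall, so instead of adding a
    # "block any" rule, disable the built-in open RDP rule group and add one
    # allow rule scoped to the management subnet; the default inbound action
    # (block) then drops 3389 from everywhere else.
    netsh advfirewall firewall set rule group="remote desktop" new enable=no | Out-Null
    netsh advfirewall firewall add rule name="RDP from mgmt only (CVE-2019-0708)" `
        dir=in action=allow protocol=TCP localport=3389 remoteip=10.0.0.0/24 | Out-Null
    Write-Host 'RDP restricted to 10.0.0.0/24 (placeholder subnet); verify access before logging off.'
}
```

Treat both steps as stopgaps until the Microsoft update is installed: NLA only removes the unauthenticated path, and a scoped firewall rule only helps if the management subnet itself is trusted.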
More details are available in the official advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708
Link to the official blog: https://blogs.technet.microsoft.com/msrc/2019/05/14/prevent-a-worm-by-updating-remote-desktop-services-cve-2019-0708/
Patch! Patch, patch, patch to avoid another WannaCry!