Threat Research

CVE-2019-0708 – Remote Desktop Protocol and Remote Code Execution #Bluekeep

By FortiGuard SE Team | May 23, 2019

On May 14th, 2019, Microsoft released its regular monthly set of updates, known within the industry as “Patch Tuesday.” At first glance, the entry for CVE-2019-0708 looked like every other update released that day: a writeup summarizing the update, including the Impact (Remote Code Execution), Severity (Critical), and affected Platforms (multiple).

However, what piqued the curiosity of the security community was that the platforms listed as affected by this vulnerability included operating systems that Microsoft no longer supports:

Windows XP SP3 x86, Windows XP Professional x64 Edition SP2, Windows XP Embedded SP3 x86, Windows Server 2003 SP2 x86, and Windows Server 2003 x64 Edition SP2.

In fact, Windows XP support ended on April 8, 2014, and Windows Server 2003 support ended on July 14, 2015.

In addition, Microsoft's advisory states that the vulnerability this patch addresses is “pre-authentication and requires no user interaction,” which, in Microsoft's words, makes the vulnerability “wormable,” meaning an exploit could spread from one vulnerable computer to the next without any human involvement, much as 2017's WannaCry malware did:

This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

To exploit this vulnerability, an attacker would need to send a specially crafted request to the target system's Remote Desktop Service via RDP.

While this vulnerability seems to affect only retired systems, the fact is that tens of millions of legacy machines still run Windows XP and Windows Server 2003, many of them internet-facing. For example, Windows XP, released in 2001, still holds a 3.57% market share. So even though this vulnerability targets, among others, an operating system that is 18 years old, it poses a tremendous risk not only to the entities still using these platforms but to the public as a whole, because of its potential for wormability and because many of these devices may still sit in critical locations.

Updating and patching machines are not simple tasks for many organizations, for a variety of reasons. Some may still run these legacy systems because of inefficiencies, manpower limitations, or even simple carelessness. Many others, however, still run Windows XP, Windows Server 2003, or one of the other affected operating systems because they have important reasons for not having replaced or updated them: the machines may be running critical services (OT systems, for example) that cannot easily be taken offline.

Adding a further layer of complexity, there are likely an alarming number of systems administrators who are not even aware that some of these machines exist on their networks. Rogue and undocumented devices are common on many networks, and legacy machines are often embedded in testing labs or used as development machines or sensors, where they are easily forgotten or overlooked.

But regardless of where these systems sit or why they remain, this latest disclosure is a major cause for concern because exploitation requires no user interaction. We have seen the damage exposed RDP can do before, most notably when the Remote Desktop Protocol (RDP) was used to install the SamSam ransomware, as well as in other attacks that relied on brute force or stolen credentials.

Mitigation

The FortiGuard Labs team recommends that customers immediately apply the latest patches from Microsoft for CVE-2019-0708 on any affected machines and, where possible, also disable RDP completely.

FortiGuard Labs has also released an IPS signature, “MS.Windows.RDP.CVE-2019-0708.Remote.Code.Execution,” that addresses this latest disclosure from Microsoft; it is included in IPS definitions 14.618.
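The two host-side mitigations above, patching and disabling RDP, can be audited and enforced with a short script. The following is an added example, not code from the original post or from FortiGuard; it assumes PowerShell 2.0 or later and the Vista/2008-era `netsh advfirewall` syntax (the XP and Server 2003 hosts the post discusses lack both by default, so configure the same registry value there by other means), and the KB identifier is a placeholder you must take from Microsoft's advisory for the host's OS version.

```powershell
# Added example (not from the original post): report whether this Windows host still
# accepts RDP and lacks the CVE-2019-0708 patch, and optionally disable RDP.
# The KB number is NOT on the page and differs per Windows version: pass the one
# Microsoft's advisory lists for this host (placeholder parameter).
param(
    [Parameter(Mandatory = $true)]
    [string]$PatchKB,      # e.g. 'KB<number>' from Microsoft's CVE-2019-0708 advisory (placeholder)
    [switch]$DisableRdp    # remediate instead of only reporting
)

$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

function Get-RdpExposure {
    # fDenyTSConnections = 0 means Remote Desktop connections are accepted.
    $deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    $patched = [bool](Get-HotFix -Id $PatchKB -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        OSVersion    = (Get-WmiObject Win32_OperatingSystem).Caption
        RdpEnabled   = ($deny -eq 0)
        PatchPresent = $patched
        AtRisk       = ($deny -eq 0) -and (-not $patched)
    }
}

function Disable-RdpListener {
    # Write the same value the System Properties "Remote" tab sets when RDP is turned off,
    # then disable the built-in inbound firewall rule group for Remote Desktop (TCP 3389).
    Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1 -Type DWord
    netsh advfirewall firewall set rule group="remote desktop" new enable=No | Out-Null
}

$state = Get-RdpExposure
$state | Format-List

if ($state.AtRisk -and $DisableRdp) {
    Disable-RdpListener
    Write-Output "RDP disabled on $($state.ComputerName); apply $PatchKB before re-enabling it."
}
elseif ($state.AtRisk) {
    Write-Warning "$($state.ComputerName) accepts RDP and lacks $PatchKB. Patch now or re-run with -DisableRdp."
}
```

Run it without `-DisableRdp` first across an inventory (for example through remoting or a scheduled task) to surface the forgotten machines the post describes, then remediate the ones that report `AtRisk`.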

We are also continuing to closely monitor this event for any developments, and will provide updates to this blog if relevant.

Finally, as part of our membership in the Cyber Threat Alliance, details of this issue were shared in real time with other Alliance members to help create better protections for customers. We would like to extend our sincerest appreciation to all of the members of the Cyber Threat Alliance for their collaborative effort regarding this latest disclosure.
