19 May 2019
Microsoft released (1) a patch for the critical Remote Code Execution vulnerability CVE-2019-0708 (2) in Remote Desktop Services on May 14th, 2019. The vulnerability is wormable. A malware that exploits the vulnerability can spread from vulnerable computer to vulnerable computer in a way WannaCry did in 2017. Fortunately, only Windows XP, Windows 2003 Server, Windows 7 and Windows 2008 Server are impacted.
How big is the problem?
A Shodan search shows that about 30% of the Windows 2008 server systems directly connected to the internet are impacted. The Windows 2003 problem is much larger although Microsoft stopped the extended support for this version in July 2015.
How to mitigate?
Since CVE-2019-0708 is a remote code execution vulnerability patches or other mitigating measures should be applied directly.
Microsoft provided patches with the May 2019 patch set, even for Windows 2003 Server and Windows XP, to prevent similar effects to that of WannaCry on the global economy. As an immediate step, Microsoft recommends deactivating RDP access to the impacted systems.
Is the world a safer place now?
Far from it. A brief analysis shows that many of the impacted systems provide applications based on a WAMP technology stack (Windows, Apache, MySQL, PHP). And in many cases remote code execution vulnerabilities in Apache or PHP are not patched. With this, the overall security level remains as bad as before Microsoft released the patches.
Without vulnerability and application life cycle management such problems cannot be solved. Apache, MySQL and PHP can be operated on top of an outdated Windows OS, but critical vulnerabilities in these components must be patched directly to avoid a large financial impact in the worst case.
The Equifax data breach from 2017 is just one example. In this case an unpatched remote code execution vulnerability in the Apache Struts framework opened the door for the attackers. Equifax (3) estimates that it has spent $1.4 billion so far to recover from the breach.
Have a great week.
- MSRC Team. Prevent a worm by updating Remote Desktop Services (CVE-2019-0708) – MSRC [Internet]. 2019 [cited 2019 May 19]. Available from: https://blogs.technet.microsoft.com/msrc/2019/05/14/prevent-a-worm-by-updating-remote-desktop-services-cve-2019-0708/
- NIST NVD. NVD – CVE-2019-0708 [Internet]. 2019 [cited 2019 May 19]. Available from: https://nvd.nist.gov/vuln/detail/CVE-2019-0708
- Olenick D. Equifax data breach recovery costs pass $1 billion [Internet]. SC Media. 2019 [cited 2019 May 19]. Available from: https://www.scmagazine.com/home/security-news/data-breach/equifax-data-breach-recovery-costs-pass-1-billion/