Tag Archives: Remote desktop

Critical Wormable Vulnerability CVE-2019-0708 patched. Is the world a safer place now?

19 May 2019

Microsoft released (1) a patch for the critical Remote Code Execution vulnerability CVE-2019-0708 (2) in Remote Desktop Services on May 14th, 2019. The vulnerability is wormable: malware that exploits it can spread from vulnerable computer to vulnerable computer in the way WannaCry did in 2017. Fortunately, only Windows XP, Windows 2003 Server, Windows 7 and Windows 2008 Server are impacted.

How big is the problem?

A Shodan search shows that about 30% of the Windows 2008 server systems directly connected to the internet are impacted. The Windows 2003 problem is much larger although Microsoft stopped the extended support for this version in July 2015.

Table 1: CVE-2019-0708 Impacted Systems. Source: Shodan. Data generated: 5/19/2019 7:30 pm

How to mitigate?

Since CVE-2019-0708 is a remote code execution vulnerability, patches or other mitigating measures should be applied immediately.

Microsoft provided patches with the May 2019 patch set, even for Windows 2003 Server and Windows XP, to prevent effects on the global economy similar to those of WannaCry. As an immediate step, Microsoft recommends deactivating RDP access to the impacted systems.

Is the world a safer place now?

Far from it. A brief analysis shows that many of the impacted systems provide applications based on a WAMP technology stack (Windows, Apache, MySQL, PHP). And in many cases remote code execution vulnerabilities in Apache or PHP are not patched. With this, the overall security level remains as bad as before Microsoft released the patches.

Without vulnerability and application life cycle management, such problems cannot be solved. Apache, MySQL and PHP can be operated on top of an outdated Windows OS, but critical vulnerabilities in these components must be patched immediately to avoid a large financial impact in the worst case.

The Equifax data breach from 2017 is just one example. In this case an unpatched remote code execution vulnerability in the Apache Struts framework opened the door for the attackers. Equifax (3) estimates that it has spent $1.4 billion so far to recover from the breach.

Have a great week.


References

  1. MSRC Team. Prevent a worm by updating Remote Desktop Services (CVE-2019-0708) – MSRC [Internet]. 2019 [cited 2019 May 19]. Available from: https://blogs.technet.microsoft.com/msrc/2019/05/14/prevent-a-worm-by-updating-remote-desktop-services-cve-2019-0708/
  2. NIST NVD. NVD – CVE-2019-0708 [Internet]. 2019 [cited 2019 May 19]. Available from: https://nvd.nist.gov/vuln/detail/CVE-2019-0708
  3. Olenick D. Equifax data breach recovery costs pass $1 billion [Internet]. SC Media. 2019 [cited 2019 May 19]. Available from: https://www.scmagazine.com/home/security-news/data-breach/equifax-data-breach-recovery-costs-pass-1-billion/

My favourite tools – Remote Desktop Services

7 August 2014

Remote desktop or terminal services are my favourite tools. When I started with this technology in 1997, it was a bare necessity. We had to offer a 2-tier CAE application to about 500 engineers at 3 major sites in 30 buildings. The fat client graphics application was installed on Windows NT workstations. Data was stored in about 120 Oracle V7 databases hosted on 3 SUN database servers. It was a really hard job to keep the client workstations up to date, in particular because everyone was working with permanent admin rights. The nightmare of all system administrators!

Terminal Services put an end to this nightmare. Since users no longer had privileges on the servers, the number of help desk calls declined dramatically. Release changes were implemented within an afternoon and new users were authorized to the application within minutes.

We gained back control, and my kids had their father back.

Today, terminal services are my preferred method to control access to the core business data. They are really low-hanging fruit! These are the major use cases:

(1) Block access to the data from all systems except for a few terminal services. This will reduce the attack surface dramatically. The terminal services are the only trusted end-user devices in your network. Located in the data center, they are in the best case completely under your control. It’s easier to maintain the trust state of a few servers than the trust state of hundreds of workstations located elsewhere inside or outside the company network.

(2) Grant access to the terminal services to authorized users only, based on the Need-to-Know principle. Review authorizations on a regular basis and make sure that no user has the permissions to change his own privileges or the trust state of the terminal services or any other infrastructure service.

Even if an application does not support user and role management, the combination of (1) and (2) will increase the security of your information assets dramatically.

(3) Terminal servers allow you to restrict users to well-defined applications and data sources with low effort. This could be implemented by configuring the firewalls on the terminal services. Just block any outgoing network connections except those to infrastructure services and the applications. Users are prevented from creating unauthorized copies of the data. In addition, the Need-to-Know principle is enforced because only the information essential to the user’s work is provided.

(4) It’s far easier to implement Two-Factor Authentication for a limited number of terminal services than for thousands of endpoints. Targeted phishing attacks will no longer work because the password is no longer the single source for identification.
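
One way to implement the outbound restriction from use case (3) with the built-in Windows Firewall, as an added example that is not part of the original post. The rule group name and all addresses, ports and service names in the allowlist are constructed placeholders to be replaced with your own infrastructure services and applications.

```powershell
#Requires -RunAsAdministrator
# Added example: outbound allowlist for a terminal server.
# All names, addresses and ports below are constructed placeholders.

$Group = 'TS-Egress-Allowlist'   # hypothetical group name, used to manage the rules as a set

# Constructed allowlist: infrastructure services plus the business application.
$Allowed = @(
    @{ Name = 'DNS';          Protocol = 'UDP'; Port = 53;   Remote = '10.0.0.10', '10.0.0.11' }
    @{ Name = 'Kerberos';     Protocol = 'TCP'; Port = 88;   Remote = '10.0.0.10', '10.0.0.11' }
    @{ Name = 'LDAP';         Protocol = 'TCP'; Port = 389;  Remote = '10.0.0.10', '10.0.0.11' }
    @{ Name = 'Update server'; Protocol = 'TCP'; Port = 8530; Remote = '10.0.0.20' }
    @{ Name = 'App database'; Protocol = 'TCP'; Port = 1521; Remote = '10.0.20.5' }
)

# Make the script repeatable: drop rules from an earlier run of this group.
Get-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue | Remove-NetFirewallRule

# Create the allow rules BEFORE changing the default, so the server
# never loses access to the services it depends on.
foreach ($r in $Allowed) {
    New-NetFirewallRule -DisplayName "TS-Egress $($r.Name)" -Group $Group `
        -Direction Outbound -Action Allow -Profile Any `
        -Protocol $r.Protocol -RemotePort $r.Port -RemoteAddress $r.Remote | Out-Null
}

# Default-deny for everything outbound that no allow rule matches.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -Enabled True -DefaultOutboundAction Block

# Verify the resulting policy.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultOutboundAction

# Built-in outbound allow rules stay active and still permit traffic.
# List them so each one can be reviewed and disabled if it is not needed.
Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
    Where-Object { $_.Group -ne $Group } |
    Sort-Object DisplayName |
    Select-Object DisplayName, Profile
```

Inbound RDP sessions are not affected, because the default outbound action applies only to connections the server itself initiates.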

The transformation to terminal-services-controlled computing is very easy because you can set up the systems and applications in parallel to the existing application infrastructure. The final switch will have nearly no impact on the user’s daily work if the entire process is governed by a change process.

Have you ever decided on a BYOD strategy based on Remote Desktop Services? Terminal services are a perfect measure to raise the trust level of the entire network, in particular when combined with your employees’ own devices.

But this is another story…

If you have any questions, please feel free to leave a comment. And enjoy the free time with your family.