Tag Archives: Windows 2003 Server

Critical Wormable Vulnerability CVE-2019-0708 patched. Is the world a safer place now?

19 May 2019

Microsoft released (1) a patch for the critical Remote Code Execution vulnerability CVE-2019-0708 (2) in Remote Desktop Services on May 14th, 2019. The vulnerability is wormable: malware that exploits it can spread from vulnerable computer to vulnerable computer in the way WannaCry did in 2017. Fortunately, only Windows XP, Windows 2003 Server, Windows 7 and Windows 2008 Server are impacted.

How big is the problem?

A Shodan search shows that about 30% of the Windows 2008 Server systems directly connected to the internet are impacted. The Windows 2003 problem is much larger, although Microsoft stopped extended support for this version in July 2015.

Table 1: CVE-2019-0708 Impacted Systems. Source: Shodan. Data generated: 5/19/2019 7:30 pm

How to mitigate?

Since CVE-2019-0708 is a remote code execution vulnerability, patches or other mitigating measures should be applied without delay.

Microsoft provided patches with the May 2019 patch set, even for Windows 2003 Server and Windows XP, to prevent similar effects to that of WannaCry on the global economy. As an immediate step, Microsoft recommends deactivating RDP access to the impacted systems.

Is the world a safer place now?

Far from it. A brief analysis shows that many of the impacted systems provide applications based on a WAMP technology stack (Windows, Apache, MySQL, PHP). And in many cases remote code execution vulnerabilities in Apache or PHP are not patched. With this, the overall security level remains as bad as before Microsoft released the patches.

Without vulnerability and application life cycle management such problems cannot be solved. Apache, MySQL and PHP can be operated on top of an outdated Windows OS, but critical vulnerabilities in these components must be patched promptly to avoid, in the worst case, a large financial impact.

The Equifax data breach from 2017 is just one example. In this case an unpatched remote code execution vulnerability in the Apache Struts framework opened the door for the attackers. Equifax (3) estimates that it has spent $1.4 billion so far to recover from the breach.

Have a great week.


References

  1. MSRC Team. Prevent a worm by updating Remote Desktop Services (CVE-2019-0708) – MSRC [Internet]. 2019 [cited 2019 May 19]. Available from: https://blogs.technet.microsoft.com/msrc/2019/05/14/prevent-a-worm-by-updating-remote-desktop-services-cve-2019-0708/
  2. NIST NVD. NVD – CVE-2019-0708 [Internet]. 2019 [cited 2019 May 19]. Available from: https://nvd.nist.gov/vuln/detail/CVE-2019-0708
  3. Olenick D. Equifax data breach recovery costs pass $1 billion [Internet]. SC Media. 2019 [cited 2019 May 19]. Available from: https://www.scmagazine.com/home/security-news/data-breach/equifax-data-breach-recovery-costs-pass-1-billion/

Windows 2008 R2 Server is a bad choice as successor for Windows 2003 Server

26 March 2015

Windows 8.1 / Server 2012 R2 represent a quantum leap for users and companies in terms of security. Important new security features like

  • Restricted Admin mode for remote desktop connections,
  • LSA Protection,
  • Protected users group and
  • the removal of clear text credentials from the lsass process

make an attacker’s life harder. Compared to Windows 8.1 / Server 2012 R2, the previous Windows versions are inherently insecure.

Therefore it’s truly confusing when IT groups advise users to migrate from Windows 2003 Server to Windows 2008 Server for operational reasons. In the past weeks I often heard terrifying statements like ‘If you prefer to be the guinea pig, go for version 2012’. From a security point of view this is a catastrophe.

With update KB2871997 Microsoft backported some of the new security features to Windows 7/8/Server 2008 R2. For a very good overview please see Sean Metcalf’s report published on Active Directory Security.

Unfortunately, the most important features, Restricted Admin Server mode and LSA protection, were not backported. Protection for Windows 7 is better with the update, but Windows 2008 Server is still relatively simple to attack.

With that, the recommendation is to migrate to Windows 2012 R2 Server, provided that the application vendor gives support for this version.

I strongly recommend enforcing Restricted Admin Server mode to protect administrator credentials.
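As an added example, not from the original post, the PowerShell audit below reports whether the protections discussed in this post (KB2871997, Restricted Admin mode, LSA protection, removal of clear-text WDigest credentials from lsass) are present and switched on for a host. It assumes administrator rights on the host and uses only PowerShell 2.0 cmdlets so it also runs on Windows 7 / Server 2008 R2.

```powershell
# Added audit script (not part of the original post). Run as administrator.
$lsa     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$wdigest = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'

function Get-RegDword {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # value absent: the OS default applies
    return [int]$item.$Name
}

function Get-CredentialProtectionReport {
    # Get-WmiObject instead of Get-CimInstance so PowerShell 2.0 hosts are covered
    $os      = Get-WmiObject Win32_OperatingSystem
    $osVer   = [version]$os.Version             # 6.1 = Win7/2008 R2, 6.3 = 8.1/2012 R2
    $kb      = Get-HotFix -Id 'KB2871997' -ErrorAction SilentlyContinue

    # DisableRestrictedAdmin: 0 = Restricted Admin RDP allowed, 1 = disabled
    $restrictedAdmin  = Get-RegDword $lsa 'DisableRestrictedAdmin'
    # RunAsPPL: 1 = LSA runs as a protected process (Windows 8.1 / 2012 R2 and later only)
    $runAsPpl         = Get-RegDword $lsa 'RunAsPPL'
    # UseLogonCredential: 0 = WDigest keeps no clear-text password in lsass.
    # On 8.1 / 2012 R2 the value is normally absent and clear-text storage is off by default;
    # on 7 / 2008 R2 it must be set to 0 explicitly after KB2871997 is installed.
    $wdigestCleartext = Get-RegDword $wdigest 'UseLogonCredential'
    $wdigestOff = ($wdigestCleartext -eq 0) -or
                  (($null -eq $wdigestCleartext) -and ($osVer -ge [version]'6.3'))

    New-Object PSObject -Property @{
        Host                   = $env:COMPUTERNAME
        OSVersion              = $os.Caption
        KB2871997Installed     = ($null -ne $kb)
        RestrictedAdminEnabled = ($restrictedAdmin -eq 0)
        LsaProtectionEnabled   = ($runAsPpl -eq 1)
        WDigestCleartextOff    = $wdigestOff
    }
}

Get-CredentialProtectionReport | Format-List
```

A host that reports False for LsaProtectionEnabled on Windows 7 / Server 2008 R2 cannot be fixed by a registry change, since RunAsPPL is only honoured from Windows 8.1 / Server 2012 R2 onward; that is the gap the post describes.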

Have a good day.