Microsoft plugs wormable RDP flaw, new speculative execution side channel vulnerabilities

For May 2019 Patch Tuesday, Microsoft has released fixes for 79 vulnerabilities, 22 of which are deemed critical. Among the fixes is that for CVE-2019-0708, a “wormable” RDP flaw that is expected to be weaponised by attackers very soon.

May 2019 Patch Tuesday

About CVE-2019-0708

It’s a remote code execution vulnerability in Remote Desktop Services (formerly known as Terminal Services) that allows unauthenticated attackers to connect to the target system using RDP and send specially crafted requests.

The flaw affects Windows 7, Windows Server 2008 R2, and Windows Server 2008 (still in-support) and Windows 2003 and Windows XP (out-of-support). Due to the danger it presents, Microsoft has released security updates for all of them (those for out-of-support Windows versions can be found here).

Customers running Windows 8 and Windows 10 are not affected by this vulnerability.

“The Remote Desktop Protocol (RDP) itself is not vulnerable. This vulnerability is pre-authentication and requires no user interaction. In other words, the vulnerability is ‘wormable’, meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017,” Microsoft explained the danger.

“While we have observed no exploitation of this vulnerability, it is highly likely that malicious actors will write an exploit for this vulnerability and incorporate it into their malware.”

For those who cannot apply the security updates, Microsoft advises either disabling RDP services if they are not required, blocking TCP port 3389 at the enterprise perimeter firewall, and/or enabling Network Level Authentication (NLA) on systems running supported editions of Windows 7, Windows Server 2008, and Windows Server 2008 R2.

The latter is only a partial mitigation. With NLA enabled, systems are protected against “wormable” malware or advanced malware threats that could exploit the vulnerability, as NLA requires authentication before the vulnerability can be triggered.

“However, affected systems are still vulnerable to Remote Code Execution (RCE) exploitation if the attacker has valid credentials that can be used to successfully authenticate,” Microsoft noted. “It is for these reasons that we strongly advise that all affected systems – irrespective of whether NLA is enabled or not – should be updated as soon as possible.”

There are no public exploits for it yet and no indication that it’s already being actively exploited.

The remaining fixes

As per usual, the addressed vulnerabilities span a variety of Microsoft products, including Windows, the two company browsers, Microsoft Office, Visual Studio, the .NET Framework, and so on.

Among the most notable are:

  • CVE-2019-0863, a Windows Error Reporting elevation of privilege vulnerability that is already being exploited in the wild (likely in limited attacks)
  • CVE-2019-0725, a Windows DHCP Server RCE vulnerability that can be exploited by a remote unauthenticated attacker by sending a specially crafted packet to an affected DHCP server (meaning: it’s also “wormable”).
  • CVE-2019-0932, a vulnerability in Skype for Android that could allow attackers to listen in on a user’s Skype conversations. The vulnerability was publicly known before this disclosure, but there is no indication that it’s being exploited in the wild.

Microsoft has also released a guidance document on how to mitigate a new subclass of speculative execution side channel vulnerabilities known as Microarchitectural Data Sampling (aka ZombieLoad, RIDL and Fallout).

“An attacker who successfully exploited these vulnerabilities may be able to read privileged data across trust boundaries. In shared resource environments (such as exists in some cloud services configurations), these vulnerabilities could allow one virtual machine to improperly access information from another. In non-browsing scenarios on standalone systems, an attacker would need prior access to the system or an ability to run a specially crafted application on the target system to leverage these vulnerabilities,” the company explained.

“Microsoft has released software updates to help mitigate these vulnerabilities. To get all available protections, firmware (microcode) and software updates are required. This may include microcode from device OEMs. In some cases, installing these updates will have a performance impact. We have also acted to secure our cloud services.”