
Critical EternalBlue-level RCE vulnerability detected in Windows

We have learned of a critical RCE vulnerability in Remote Desktop Services (RDS; Terminal Services, TS, on earlier OS versions) in Windows (CVE-2019-0708). Successful exploitation allows an unauthenticated attacker to execute arbitrary code remotely on the attacked system.



According to the information provided by Microsoft, successful exploitation requires only network access to a host or server running a vulnerable version of the Windows operating system. Thus, if the service is published on the perimeter, the vulnerability can be exploited directly from the Internet, without any additional delivery method. Recommended protective measures are given below.

At the moment, the vulnerability is relevant for several dozen organizations in Russia and more than 2 million organizations worldwide, and the potential damage from delaying a prompt response and protective measures will be comparable to the damage caused by the vulnerability in the SMB protocol, CVE-2017-0144 (EternalBlue).


To exploit this vulnerability, an attacker only needs to send a specially crafted request to the Remote Desktop service of the target system over RDP (the RDP protocol itself is not vulnerable).

It is important to note that any malware that uses this vulnerability can spread from one vulnerable computer to another, in a manner similar to the WannaCry ransomware that spread around the world in 2017.

The affected versions of Windows OS are:

Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for Itanium-Based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows XP SP3 x86
Windows XP Professional x64 Edition SP2
Windows XP Embedded SP3 x86
Windows Server 2003 SP2 x86
Windows Server 2003 x64 Edition SP2

We recommend that you promptly:

  1. If the RDP service of a vulnerable operating system was previously published on the external perimeter, close that access until the security fixes are installed.
  2. Install the necessary Windows updates, starting with hosts on the perimeter and then across the entire infrastructure: patches are available for Windows 7, Windows 2008, Windows XP and Windows 2003.

Possible additional compensating measures:

  1. Enable Network Level Authentication (NLA). However, vulnerable systems will remain exposed to remote code execution (RCE) if an attacker has valid credentials that can be used to authenticate successfully.
  2. Turn off RDP until the update is installed and use alternative methods of access to resources.
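
The following script is an added example, not part of the original article. It reports, on the local host, whether the OS belongs to one of the affected families listed above, whether RDP is enabled and whether NLA is required, and can optionally apply either compensating measure. It assumes an elevated PowerShell session; the switch names `-RequireNla` and `-DisableRdp` are hypothetical.

```powershell
# Added example (not from the original article): audit the RDP settings named above.
# -RequireNla and -DisableRdp are hypothetical switch names chosen for this sketch.
param([switch]$RequireNla, [switch]$DisableRdp)

$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdp = Join-Path $ts 'WinStations\RDP-Tcp'

# Kernel versions of the affected families: 5.1/5.2 = XP / Server 2003,
# 6.0 = Server 2008, 6.1 = Windows 7 / Server 2008 R2.
# A match means "affected family", not "unpatched": confirm the update separately.
$v = [Environment]::OSVersion.Version
$family = '{0}.{1}' -f $v.Major, $v.Minor
$affectedFamily = @('5.1', '5.2', '6.0', '6.1') -contains $family

# fDenyTSConnections = 0 means Remote Desktop accepts connections.
$deny = (Get-ItemProperty -Path $ts -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
# UserAuthentication = 1 means NLA is required; the value is absent where NLA is unsupported.
$nla  = (Get-ItemProperty -Path $rdp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication

$rdpEnabled  = ($deny -eq 0)
$nlaRequired = ($nla -eq 1)

# Emit one record per host so results can be collected and sorted centrally.
New-Object PSObject -Property @{
    Computer       = $env:COMPUTERNAME
    OSVersion      = $v.ToString()
    AffectedFamily = $affectedFamily
    RdpEnabled     = $rdpEnabled
    NlaRequired    = $nlaRequired
    NeedsAttention = ($affectedFamily -and $rdpEnabled)
}

if ($affectedFamily -and $rdpEnabled) {
    if ($DisableRdp) {
        # Compensating measure 2: turn RDP off until the update is installed.
        Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 1
    } elseif ($RequireNla -and -not $nlaRequired) {
        # Compensating measure 1: require NLA (does not stop an attacker with valid credentials).
        Set-ItemProperty -Path $rdp -Name UserAuthentication -Value 1
    }
}
```

Group Policy can override both registry values, so on domain-joined machines check the effective policy as well.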

Source: https://habr.com/ru/post/451864/

