Threat Advisory: Remote Desktop Services Vulnerability
May 15, 2019
This week, Microsoft released a critical update for Remote Desktop Services (formerly Terminal Services) that affects multiple Windows versions. Organizations should apply the patch as soon as possible because this vulnerability is “wormable”: it is pre-authentication and requires no user interaction. An exploit for this weakness could be used to create malware that spreads in a similar way to WannaCry and other recent worms.
Microsoft has released patches for both in-support and out-of-support operating systems (including Windows 2003). The release of patches for these legacy operating systems is rare and speaks to the importance of the update.
Affected operating systems include:
- Windows Server 2003 and XP
- Windows 7, Windows 2008 R2, and Windows 2008
If it is not possible to apply the patches, other partial mitigations can be implemented, including:
- Enabling Network Level Authentication (NLA) for Windows 7 and Windows Server 2008 (and 2008 R2) systems (preventing the spread of malware leveraging this vulnerability)
- Blocking TCP port 3389 at the border (preventing unauthorized requests or access from the Internet)
- Disabling Remote Desktop Services (only if not required)
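To check where a given host stands against these mitigations, the following PowerShell audit is an added example, not part of the original advisory. It assumes the standard registry locations for the RDP listener and runs locally; the `-Apply` switch is this example's own and sets the NLA requirement when the OS supports it.

```powershell
# Added example: audit the local host against the mitigations listed above.
# Read-only unless -Apply is given (a switch defined by this example only).
param([switch]$Apply)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

# fDenyTSConnections: 0 = Remote Desktop enabled, 1 = disabled
$deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections
# UserAuthentication: 1 = NLA required before a session is created
$nla  = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
# PortNumber: 3389 unless the listener was moved
$port = (Get-ItemProperty -Path $rdpKey -Name PortNumber).PortNumber

$rdpEnabled  = ($deny -eq 0)
$nlaRequired = ($nla -eq 1)
# NLA exists on Windows Vista / Server 2008 (NT 6.0) and later, not on XP / 2003
$nlaCapable  = ([Environment]::OSVersion.Version.Major -ge 6)
$service     = (Get-Service -Name TermService).Status
# Is anything actually listening on the RDP port?
$listening   = [bool](netstat -an | Select-String -Pattern ":$port\s+\S+\s+LISTENING")

$findings = @()
if ($rdpEnabled -and -not $nlaRequired) {
    if ($nlaCapable) { $findings += 'RDP is enabled without NLA' }
    else             { $findings += 'RDP is enabled and this OS has no NLA: patch or disable RDP' }
}
if ($listening) { $findings += "TCP $port is listening: confirm it is blocked at the border" }

if ($Apply -and $rdpEnabled -and $nlaCapable -and -not $nlaRequired) {
    # Needs an elevated session; a Group Policy setting can override this value.
    Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1
    $findings += 'NLA requirement set on the RDP-Tcp listener'
}

# PowerShell 2.0-compatible result object (the default shell on Windows 7 / 2008 R2)
New-Object PSObject -Property @{
    Computer      = $env:COMPUTERNAME
    RdpEnabled    = $rdpEnabled
    NlaRequired   = $nlaRequired
    Listening     = $listening
    Port          = $port
    ServiceStatus = $service
    Findings      = ($findings -join '; ')
}
```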
No malware has been observed that exploits this weakness to date, but we expect malware authors will quickly move to incorporate it.
Herjavec Group has comprehensive expertise in incident response, vulnerability scanning, and intrusion detection to help identify and remedy potential issues. If you are unsure whether you have exposed Remote Desktop Services or legacy systems in your environment, contact an HG Security Specialist for further support.
For HG Managed Services customers, our team will engage with the appropriate technical contacts in your organization to provide alerts, escalations, actions and/or reports based on our service agreement with you. If you have questions or concerns, please engage your Herjavec Group account representative directly or contact Herjavec Group.