A critical Windows vulnerability has been identified which could be exploited in a WannaCry-style malware attack. The vulnerability is pre-authentication and requires no user interaction to exploit, as such it is wormable. A patch was issued by Microsoft on May 14, 2019 to correct the flaw. The patch should be applied immediately to prevent the flaw from being exploited.
A remote attacker could exploit the flaw to deliver malware to a vulnerable device and, by incorporating the exploit into the malware, move laterally and infect all vulnerable devices on the network.
The vulnerability, tracked as CVE-2019-0708, is in Remote Desktop Services (previously called Terminal Services) and requires a relatively low level of skill to exploit. To exploit the flaw, an attacker would need to send a specially crafted request to the Remote Desktop Service on a targeted device via RDP. Once exploited, an attacker could download malware and install other programs, view, change, or delete data, create new user accounts with admin privileges, and take full control of a vulnerable device. The vulnerability has been assigned a CVSS v3 base score of 9.8 out of 10.
Microsoft has incorporated security protections into the latest Windows versions, so Windows 8 and Windows 10 users are unaffected. However, earlier versions of Windows contain the vulnerability.
Patches have been released for all vulnerable Windows versions, including Windows XP and Windows 2003, both of which have reached end of life and are no longer supported, as was the case with the Windows Server Message Block (SMB) vulnerability that was exploited by WannaCry.
Affected Windows versions are:
- Windows Server 2008 R2
- Windows Server 2008
- Windows 7
- Windows XP
- Windows 2003
Businesses running machines with the above operating systems should test the patch and apply it as soon as possible. In the meantime, a workaround should be implemented to prevent the flaw from being exploited.
The workaround requires TCP port 3389 to be blocked on the firewall and for Network Level Authentication (NLA) to be enabled on all systems running vulnerable Windows versions. If NLA is enabled, before the flaw can be exploited, an attacker would first need to authenticate to remote Desktop Services using a valid account. While the workaround will reduce the risk of exploitation of the vulnerability, it is not a replacement for the patch, which should still be applied as soon as possible. Businesses should also disable Remote Desktop Services if they are not essential and RDP should not be exposed to the internet.
Microsoft has warned that the failure to mitigate the vulnerability, either by applying the patch or using the workaround, could result in another global attack on the scale of WannaCry. Such an attack is extremely likely. When patches are released to address critical flaws, it doesn’t take long for them to be reverse engineered and for exploits to be crafted. Such a high severity flaw is likely to be exploited quickly. It may only take a few days before the first attacks are conducted.