How to efficiently protect yourself against the Microsoft Remote Desktop Services vulnerability with Stormshield’s solutions?

Microsoft published a patch for the CVE-2019-0708 vulnerability in its latest monthly Patch Tuesday (May 14th, 2019). This vulnerability affects the Remote Desktop Services (RDS) and allows arbitrary code execution on a vulnerable system, without any authentication or user interaction.

As of today, the impacted operating systems are:

  • Windows 7
  • Windows Server 2008 R2
  • Windows Server 2008
  • Windows Server 2003
  • Windows XP

Because this could lead to a very impactful attack, Microsoft handled it with particular attention. In addition to providing patches for the supported operating systems, Microsoft® also released exceptional patches for the unsupported systems Windows XP™ and Windows Server 2003™.

In parallel, Microsoft published an article on its blog pointing out the unusual nature of this vulnerability and warning of the high risk of malware exploiting CVE-2019-0708.

Stormshield Endpoint Security (SES) and Stormshield Network Security (SNS) can help reduce the attack surface of your infrastructure that could be targeted by malware using this vulnerability.

SES – Handling the threat

It is a kernel vulnerability, exploitable remotely by anyone who can connect and send data to the targeted device’s TCP/3389 port. This vulnerability can allow an attacker to execute arbitrary code in privileged (kernel) mode.

SES does not detect this type of exploitation.

Restrict access to the TCP/3389 port

To reduce the attack surface of your infrastructure, we recommend using the SES firewall rules to restrict RDP access to/from the legitimate clients and servers only.

Please note that this will not prevent an authorized client from exploiting the vulnerability and executing code that makes modifications to the server which it would not otherwise be allowed to make.
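As an added illustration (not Stormshield’s code, and not the SES or SNS rule syntax), the following Python audit walks a constructed, simplified rule set and flags every pass rule that would let a source outside the legitimate client networks reach an RDP server on TCP/3389:

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

RDP_PORT = 3389

@dataclass
class Rule:
    """One simplified firewall rule (constructed format, not Stormshield's syntax)."""
    action: str           # "pass" or "block"
    src: str              # source network in CIDR notation
    dst: str              # destination network in CIDR notation
    dport: Optional[int]  # destination TCP port, None meaning any port

def _net(cidr: str):
    return ipaddress.ip_network(cidr, strict=False)

def rdp_exposures(rules, rdp_servers, legit_clients):
    """Return (index, rule) for each pass rule whose source is not contained in a
    legitimate client network and whose destination overlaps an RDP server.
    Rules are judged independently (earlier block rules are not credited), so
    the result is conservative: a flagged rule may be partly shadowed."""
    servers = [_net(s) for s in rdp_servers]
    clients = [_net(c) for c in legit_clients]
    findings = []
    for idx, rule in enumerate(rules):
        if rule.action != "pass" or rule.dport not in (None, RDP_PORT):
            continue
        src, dst = _net(rule.src), _net(rule.dst)
        if not any(dst.overlaps(s) for s in servers):
            continue
        if not any(src.subnet_of(c) for c in clients):
            findings.append((idx, rule))
    return findings

# Constructed sample rule set: an admin jump host, a block for a guest range,
# an "any source, any port" rule left over from troubleshooting, and HTTPS.
SAMPLE_RULES = [
    Rule("pass", "10.10.1.5/32", "10.20.0.0/24", 3389),
    Rule("block", "10.30.0.0/16", "10.20.0.0/24", 3389),
    Rule("pass", "0.0.0.0/0", "10.20.0.10/32", None),
    Rule("pass", "0.0.0.0/0", "10.20.0.0/24", 443),
]
RDP_SERVERS = ["10.20.0.0/24"]    # constructed: the RDS hosts
LEGIT_CLIENTS = ["10.10.1.0/24"]  # constructed: the admin workstation subnet

if __name__ == "__main__":
    for idx, rule in rdp_exposures(SAMPLE_RULES, RDP_SERVERS, LEGIT_CLIENTS):
        print(f"rule {idx}: TCP/3389 reachable from {rule.src} to {rule.dst}")
```

Only the "any source" rule is reported; the jump-host rule is inside the allowlist and the HTTPS rule does not carry RDP.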

SNS – Handling the threat

As of the time of writing, no exploits are known that could be blocked by the IPS signatures or any other Stormshield Network Security feature.

To reduce the attack surface of your infrastructure, several actions can be taken to limit access to the RDP resources.

Please note that none of them will prevent an authorized client from exploiting the vulnerability and executing code that makes modifications to the server which it would not otherwise be allowed to make.

Limiting the TCP/3389 port access via user authentication

You can force users to authenticate on the Firewall before accessing the RDP service available on your network.

For further information on user authentication, please refer to the SNS Administration guide.

Limiting access to the TCP/3389 port via the VPN SSL portal, VPN SSL tunnel or VPN IPsec Tunnel

You can also force your users to go through a VPN tunnel or the VPN SSL portal to reach the RDP services on your network. This not only allows you to authenticate the user, but also to encrypt the communication between the client and the Firewall.

For further information on the VPN SSL portal configuration, please refer to the SNS Administration guide and this Stormshield KB article.

For more information on VPN SSL and IPsec tunnels, please refer to the VPN section of the SNS technical notes.

Other recommendations

Update your systems

Apply the Microsoft® patch as soon as possible.

Investigation information

As of the time of writing, there are no IoCs (Indicators of Compromise) that would tell you whether you have been targeted by an attack using this vulnerability.

About the author

Julien Paffumi
Product Management Leader, Stormshield

Julien Paffumi made his debut with Arkoon Network Security R&D, finding every conceivable way to make firewalls fail so that the same scenario would not happen to customers. He then moved on to directly training administrators, acquiring extensive knowledge of their needs in the process. This was valuable experience for his next role as Product Manager of Arkoon Fast360 firewalls, and then of the Stormshield Management Center. Eternally curious and eager to share his findings, Julien also works to continuously improve Stormshield Product Management approaches as Product Management Leader.