How to efficiently protect yourself against the Microsoft Remote Desktop Services with Stormshield’s solutions?

Microsoft published a patch for the CVE-2019-0708 vulnerability in its latest monthly Patch Tuesday (May, 14th 2019). This vulnerability targets the Remote Desktop Services (RDS) and allows arbitrary code execution on a vulnerable system, and this without any authentication nor user interaction.

As of today the impacted operating systems are:

  • Windows 7
  • Windows Server 2008 R2
  • Windows Server 2008
  • Windows Server 2003
  • Windows XP

Because this could lead to a very impactful attack, Microsoft handled it with a strong attention. In addition to providing patches for the supported operating systems, Microsoft® also released exceptional patches for unsupported systems, Windows XP ™ and Windows Server 2003 ™.

In parallel, Microsoft published on its blog an article alerting on the singularity of this vulnerability and warning against the high risk of a malware exploiting the CVE-2019-0708.

Stormshield Endpoint Security (SES) and Stormshield Network Security (SNS) can help to reduce the attack surfaces on your infrastructures that could be the target of malwares using this vulnerability.

SES – Handling the threat

It is a kernel vulnerability, available remotely as long as it can connect and send data on the targeted device’s TCP/3389 port. This vulnerability can allow a attacker to execute arbitrary code in privileged mode (kernel).

SES does not detect this type of exploitation.

Restrict acces to TCP/3389 port

To reduce the attack surface on your infrastructure, we recommend you restraint, from the SES firewall rules, the RDP access to/from the legitimate clients and servers.

Please note that this will not prevent an authorized client to exploit the vulnerability and execute code to make modification of the server, which it would not be allowed otherwise.


SNS – Handling the threat [Update 05/28/2019]

A signature is available to block known exploits of this vulnerability.

Also, to reduce the attack surface on your infrastructure, several actions can be taken to limit the access to the RDP resources. Please note that none will not prevent an authorized client to exploit the vulnerability and execute code to make modification of the server, which would not be allowed otherwise.

IPS signature

Stormshield Network Security offers an IPS signature to block known exploits of this vulnerability: “CVE-2019-0708 Remote Desktop Protocol exploit attempt”. It is defined by default with action “Block” in all protection models.

Make sure that the filter rules allowing RDP connections into your network have IPS protection enabled.

Limiting the TCP/3389 port access via user authentication

You can force users to authenticate themselves on the Firewall prior to accessing the RDP service available on your network.

For further information on user authentication, please refer to the SNS Administration guide.

Limiting access to the TCP/3389 port via the VPN SSL portal, VPN SSL tunnel or VPN IPsec Tunnel

You can also force your user to use a VPN tunnel or the VPN SSL portal to reach your RDP services on your network. This will not only allow you to authenticate the user, but also to cipher the communication between the client and the Firewall.

For further information on the VPN SSL portal configuration, please refer to the SNS Administration guide and this Stormshield KB article.

For more information on VPN SSL and IPsec tunnels, please refer VPN section of the SNS technical notes.


Other recommendations

Update your systems

Apply Microsoft® patch as soon as possible.

Investigation information

As of the time of writing, there are not IoC (Indicator of Compromise) that would tell you if you’ve been targeted by an attack using this vulnerability.

Share on

About the author

Julien Paffumi
Product Management Leader, Stormshield

Julien Paffumi made his first foray into Arkoon’s R&D as a quality engineer. He then directly trained administrators and acquired broad knowledge of their needs – an invaluable experience for his next role as Product Manager of Arkoon Fast360 firewalls, and then of the Stormshield Management Center centralised administration console. Eager to share what he has learned, Julien now works in continuous improvement for Product Management at Stormshield as a Product Management Leader. This cross-cutting role also feeds his never-ending curiosity thanks to its broader approach to Stormshield solutions.