How to efficiently protect yourself against the Microsoft Remote Desktop Services vulnerability with Stormshield’s solutions?
17 05 2019
Microsoft published a patch for the CVE-2019-0708 vulnerability in its latest monthly Patch Tuesday (May 14th, 2019). This vulnerability targets Remote Desktop Services (RDS) and allows arbitrary code execution on a vulnerable system, without any authentication or user interaction.
As of today the impacted operating systems are:
- Windows 7
- Windows Server 2008 R2
- Windows Server 2008
- Windows Server 2003
- Windows XP
Because this could lead to a very impactful attack, Microsoft gave it close attention. In addition to providing patches for the supported operating systems, Microsoft® also released exceptional patches for the unsupported systems Windows XP™ and Windows Server 2003™.
In parallel, Microsoft published an article on its blog highlighting the singular nature of this vulnerability and warning of the high risk of malware exploiting CVE-2019-0708.
Stormshield Endpoint Security (SES) and Stormshield Network Security (SNS) can help reduce the attack surface of your infrastructure, which could be targeted by malware using this vulnerability.
SES – Handling the threat
It is a kernel vulnerability, exploitable remotely as long as the attacker can connect and send data to the targeted device’s TCP/3389 port. This vulnerability can allow an attacker to execute arbitrary code in privileged (kernel) mode.
SES does not detect this type of exploitation.
Restrict access to the TCP/3389 port
To reduce the attack surface on your infrastructure, we recommend that you use the SES firewall rules to restrict RDP access to and from legitimate clients and servers.
Please note that this will not prevent an authorized client from exploiting the vulnerability and executing code to modify the server, which it would not otherwise be allowed to do.
SNS – Handling the threat [Update 05/28/2019]
A signature is available to block known exploits of this vulnerability.
Also, to reduce the attack surface on your infrastructure, several actions can be taken to limit access to the RDP resources. Please note that none of them will prevent an authorized client from exploiting the vulnerability and executing code to modify the server, which it would not otherwise be allowed to do.
Stormshield Network Security offers an IPS signature to block known exploits of this vulnerability: “CVE-2019-0708 Remote Desktop Protocol exploit attempt”. It is defined by default with action “Block” in all protection models.
Make sure that the filter rules allowing RDP connections into your network have IPS protection enabled.
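The two checks recommended above (RDP access restricted to legitimate clients, and IPS protection enabled on every rule that allows RDP) can be run over an exported rule list. The following is an added example, not Stormshield code: the CSV layout, the sample rules and the ALLOWED_SOURCES network are constructed assumptions and do not reflect an SES or SNS export format.

```python
import csv
import io
import ipaddress

RDP_PORT = 3389

# Constructed sample rules in a hypothetical CSV layout (not a Stormshield export).
SAMPLE_RULES = """id,action,source,dest,port,inspection
1,pass,10.20.0.0/24,10.1.1.10,3389,ips
2,pass,any,10.1.1.11,3389,ips
3,pass,10.20.0.0/24,10.1.1.12,3380-3400,firewall
4,block,any,10.1.1.13,3389,ips
5,pass,10.30.5.7,10.1.1.14,any,ips
6,pass,any,10.1.1.15,443,ips
"""

# Assumption: the networks that hold the legitimate RDP clients.
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.0.0/24")]


def covers_rdp(port_spec):
    """True if a port field ('any', '3389' or a range like '3380-3400') includes TCP/3389."""
    spec = port_spec.strip().lower()
    if spec == "any":
        return True
    low, _, high = spec.partition("-")
    return low.isdigit() and int(low) <= RDP_PORT <= int(high or low)


def source_allowed(source):
    """True only if the source lies entirely inside an allowed RDP client network."""
    if source.lower() == "any":
        return False
    net = ipaddress.ip_network(source, strict=False)
    return any(net.subnet_of(allowed) for allowed in ALLOWED_SOURCES)


def audit(rules_csv):
    """Return (rule id, finding) pairs for pass rules that expose TCP/3389."""
    findings = []
    for rule in csv.DictReader(io.StringIO(rules_csv)):
        if rule["action"] != "pass" or not covers_rdp(rule["port"]):
            continue
        if not source_allowed(rule["source"]):
            findings.append((rule["id"], "source not limited to legitimate RDP clients"))
        if rule["inspection"] != "ips":
            findings.append((rule["id"], "IPS inspection not enabled"))
    return findings
```

Calling audit(SAMPLE_RULES) flags rules 2 and 5 for their source and rule 3 for missing IPS inspection; note that rules 3 and 5 never name port 3389 explicitly, which is why ranges and "any" must be expanded.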
Limiting the TCP/3389 port access via user authentication
You can force users to authenticate themselves on the Firewall prior to accessing the RDP service available on your network.
For further information on user authentication, please refer to the SNS Administration guide.
Limiting access to the TCP/3389 port via the VPN SSL portal, VPN SSL tunnel or VPN IPsec Tunnel
You can also require your users to go through a VPN tunnel or the VPN SSL portal to reach the RDP services on your network. This will not only allow you to authenticate the user, but also encrypt the communication between the client and the Firewall.
For more information on VPN SSL and IPsec tunnels, please refer to the VPN section of the SNS technical notes.
Update your systems
Apply the Microsoft® patch as soon as possible.
As of the time of writing, there are no IoCs (Indicators of Compromise) that would tell you if you’ve been targeted by an attack using this vulnerability.