A critical vulnerability (named BlueKeep) has been found (May 2019) in Microsoft Remote Desktop on Windows 7 or earlier that allows an attacker to execute arbitrary code on the remote computer. “Execute arbitrary code” means the attacker can run any program, or manipulate (delete, modify, download, etc) any file. In other words the attacker will be able to take complete control of the computer and do anything that a person sitting at the computer would be able to do. This can be done remotely, and requires no user name or password or any interaction from the user of the remote computer.
Experts expect widespread malicious exploitation of this vulnerability in the next couple of weeks (May-June 2019).
If you are using Microsoft Remote Desktop Services to enable remote access to any systems it is important to take action:
- Install Windows security updates. For Windows versions that no longer receive regular automatic updates (prior to Windows 7), see https://support.microsoft.com/en-us/help/4500705/customer-guidance-for-cve-2019-0708.
- If for some reason you can’t update the systems, but must use Remote Desktop, limit access to them. This means:
  - Disallow access from the Internet (block port 3389 on your perimeter router). If you must allow remote access to the system, this can be accomplished by using a VPN to allow remote access and then connecting Remote Desktop across the VPN. This is something you should do anyway.
  - Make sure the system is on a protected internal network segment so internal attackers can’t access the system. Internal attackers can be people or other infected machines inside your network.
This is especially important for users of older Windows versions (XP, 2000, Vista) because these versions won’t get updated automatically.
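The steps above (block TCP/3389 at the perimeter, reach Remote Desktop only over a VPN, keep the host on a protected segment) can be verified against firewall or flow logs. The script below is an added example, not part of the original advisory: it parses a constructed log format (an assumption), treats a hypothetical VPN client pool of 10.8.0.0/24 as the expected path, and reports any accepted RDP connection whose source is outside RFC 1918/loopback/link-local space as an exposure. Connections from other internal addresses are counted separately so you can check whether segmentation is doing its job.

```python
"""Audit firewall/flow log lines for Remote Desktop (TCP/3389) exposure.

Added example, not code from the original advisory. The log format, the
VPN pool and the sample lines are all constructed for this illustration.
"""
import ipaddress
import re
from collections import Counter

# Constructed log format (an assumption for this example):
#   <timestamp> <ACCEPT|DROP> proto=<tcp|udp> src=<ip>:<port> dst=<ip>:<port>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ACCEPT|DROP)\s+proto=(?P<proto>\w+)\s+"
    r"src=(?P<src>[\d.]+):(?P<sport>\d+)\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

RDP_PORT = 3389

# Address ranges treated as "inside the network": RFC 1918 plus loopback and link-local.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Hypothetical VPN client address pool; RDP from here is the intended remote path.
VPN_POOL = ipaddress.ip_network("10.8.0.0/24")

# Constructed sample lines (not real traffic). 203.0.113.0/24 and 198.51.100.0/24
# are documentation ranges standing in for Internet addresses.
SAMPLE_LOG = """\
2019-05-20T10:00:01 ACCEPT proto=tcp src=10.8.0.12:51234 dst=192.168.1.20:3389
2019-05-20T10:00:05 ACCEPT proto=tcp src=203.0.113.45:40211 dst=192.168.1.20:3389
2019-05-20T10:00:07 DROP proto=tcp src=198.51.100.9:44000 dst=192.168.1.20:3389
2019-05-20T10:00:09 ACCEPT proto=tcp src=203.0.113.45:40212 dst=192.168.1.20:443
2019-05-20T10:00:11 ACCEPT proto=tcp src=192.168.1.77:50000 dst=192.168.1.20:3389
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["src"] = ipaddress.ip_address(rec["src"])
    rec["dst"] = ipaddress.ip_address(rec["dst"])
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def is_internal(addr):
    """True if the address falls inside one of the INTERNAL_NETS ranges."""
    return any(addr in net for net in INTERNAL_NETS)


def classify(rec):
    """Classify an RDP flow as 'blocked', 'vpn', 'internal' or 'exposed'; None if not RDP."""
    if rec is None or rec["proto"] != "tcp" or rec["dport"] != RDP_PORT:
        return None
    if rec["action"] == "DROP":
        return "blocked"        # the perimeter rule did its job
    if rec["src"] in VPN_POOL:
        return "vpn"            # the expected remote-access path
    if is_internal(rec["src"]):
        return "internal"       # reachable from inside: review segmentation
    return "exposed"            # accepted from the Internet: policy violation


def audit(log_text):
    """Return (counts per class, list of (src, dst) strings for exposed RDP flows)."""
    counts = Counter()
    exposed = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        kind = classify(rec)
        if kind is None:
            continue
        counts[kind] += 1
        if kind == "exposed":
            exposed.append((str(rec["src"]), str(rec["dst"])))
    return dict(counts), exposed


if __name__ == "__main__":
    summary, hits = audit(SAMPLE_LOG)
    print("RDP flow summary:", summary)
    for src, dst in hits:
        print(f"EXPOSED: RDP accepted from Internet address {src} to {dst}")
```

Run it against a real export by replacing SAMPLE_LOG with the file contents (and LINE_RE with your firewall's format). Any line reported as EXPOSED means the port-3389 perimeter block is not in place for that host; a growing "internal" count on a host that should only be reached over the VPN points at a segmentation gap.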
References
- Article from Bleeping Computer: Microsoft Warns Users Again to Patch Wormable BlueKeep Flaw
- Advisory from Microsoft: CVE-2019-0708 Remote Desktop Services Remote Code Execution Vulnerability
- Microsoft’s Guidance for users of older Windows versions: Customer Guidance for CVE-2019-0708 Remote Desktop Services Remote Code Execution Vulnerability
- Security Now Podcast Episode 716: RDP – Really Do Patch