CVE-2019-0708 is a remote code execution vulnerability in the RDP service. A successful attack would allow the attacker to execute code in the environment of the Remote Desktop Service (a.k.a. Terminal Services).
Note: a payload (if run) would execute at a high privilege level. This means that a user already logged on to the machine could attempt the RDP attack against localhost:3389 to gain privilege escalation. Thus, access from both local and remote hosts needs to be controlled.
(From the NIST advisory)
"A remote code execution vulnerability exists in Remote Desktop Services formerly known as Terminal Services when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests, aka 'Remote Desktop Services Remote Code Execution Vulnerability'."
Basic defense – Best practices
The Remote Desktop service uses TCP port 3389.
Depending on the OS, the listener on 3389 can be the kernel or a service. To control the RDP listener, network rules need to be added to both the kernel_ps inbound network rules and the application sandbox inbound network rules. Rules that allow TCP connections to port 3389 from authorized hosts should be followed by a deny rule that blocks all other hosts from accessing this service. These rules need to precede any rules that allow "Any" access.
Exploit Analysis and Concept Testing
At this time, a Proof of Concept has not been found that actually runs a payload. This means the sandbox where the payload will execute is unknown. There are scanners that try to determine if a machine has a vulnerable version of RDP.
Tuning CWP Windows OS Policy for minimizing the attack surface
With a configured network perimeter and the RDP port available to authorized hosts only, the attack surface is minimized.
As a best practice, tune your CWP OS policy applied to Windows Servers with a network inbound rule to allow inbound RDP port connections to only authorized endpoint IP addresses and network IP address ranges.
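The following added example (not CWP's policy engine or code from this article) models the first-match rule ordering described in the defense section and the inbound rule recommended above; the rule shape, the 10.0.5.0/24 authorized range and the sample source addresses are constructed for illustration. It shows that the same three rules admit any host to 3389 when the "Any" allow is listed first.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

RDP_PORT = 3389  # TCP port used by Remote Desktop Services


@dataclass(frozen=True)
class Rule:
    # Assumed rule shape for this example: the first matching rule decides.
    action: str             # "allow" or "deny"
    source: str             # source CIDR, or "any" for all hosts
    port: Optional[int]     # destination TCP port, or None for any port

    def matches(self, src_ip: str, dst_port: int) -> bool:
        if self.port is not None and self.port != dst_port:
            return False
        if self.source.lower() == "any":
            return True
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.source)


def evaluate(rules, src_ip: str, dst_port: int) -> str:
    """Return the action of the first matching rule; deny when none matches."""
    for rule in rules:
        if rule.matches(src_ip, dst_port):
            return rule.action
    return "deny"


# Constructed policy: allow 3389 from the authorized range, deny 3389 from
# everyone else, and only then the broad "Any" allow for other services.
AUTHORIZED_RDP = "10.0.5.0/24"
GOOD_ORDER = [
    Rule("allow", AUTHORIZED_RDP, RDP_PORT),
    Rule("deny", "any", RDP_PORT),
    Rule("allow", "any", None),
]
# Same rules with the "Any" allow first: the RDP rules are never reached.
BAD_ORDER = [GOOD_ORDER[2], GOOD_ORDER[0], GOOD_ORDER[1]]


def rdp_decisions(rules) -> dict:
    """Decision for an authorized host, an external host, and localhost."""
    return {src: evaluate(rules, src, RDP_PORT)
            for src in ("10.0.5.20", "203.0.113.7", "127.0.0.1")}


if __name__ == "__main__":
    print("correct order:", rdp_decisions(GOOD_ORDER))
    print("'Any' first  :", rdp_decisions(BAD_ORDER))
```

With the correct order, localhost is also denied on 3389, which covers the logged-on-user privilege escalation path noted at the top of the article.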