Critical RDP Flaw Leaves up to 2.3 Million Servers Exposed (CVE-2019–0708)

Yesterday Microsoft published a security advisory bulletin for a critical vulnerability in its remote login service ‘Remote Desktop Services’, commonly known as RDP. The flaw allows a completely unauthenticated attacker to gain full access to the system, so in vulnerability terms, it’s about as bad as it gets.

RDP is popular among sysadmins as a way of remotely logging into Windows machines for admin purposes, and can often be used to gain access to corporate resources for remote workers.

‍

Because of this, RDP is very commonly exposed to the internet, and over 2.3 million servers expose this service worldwide. Windows servers running certain versions of Windows 7, and Windows 2008 are vulnerable, and these operating systems are still widely in use, and are supported by Microsoft. Out-of-support operating systems Windows XP and Windows 2003 are also affected.

At the time of writing, there is no publicly available exploit code, so we’re unlikely to be seeing mass exploitation just yet. However, Microsoft did patch this issue after seeing some exploitation in the wild, so we know at least targeted attacks are already taking place, and it is likely to be only a matter of time before the patch is reversed to uncover the details, and exploit code becomes more widely available.

The infamous ‘WannaCry’ attack back in 2017 used a similar bug in a Microsoft’s ‘SMB’ service, and led to the compromise of over 200,000 systems worldwide, impacting over 150 countries and costing approximately $4 billion in financial losses.

Due to its similarities, this vulnerability is highly likely to be leveraged in the same way. It will probably only be a matter of time until news of the next worldwide attack breaks, again locking tens of thousands of corporate machines with ransomware.

Since 2015, Intruder has been recommending to its clients that both SMB and RDP services should not be exposed to the Internet, and should instead be placed behind a VPN for defence-in-depth purposes. While this may not be the time to say “I told you so”, it is an important reminder that vulnerabilities can be discovered in internet-facing services at any time, and rather than playing whack-a-mole by patching each vulnerability as it occurs, keeping your attack surface to a minimum is a much more prudent approach for the long-term.

For those who don’t already know, Intruder’s continuous vulnerability monitoring service lets you know which ports and services you have exposed to the Internet, detects vulnerabilities, and makes recommendations to reduce your organisation’s attack surface. So if you haven’t tried it already… then maybe today is a good day to start!

‍