Update: May 28, 2019 @ 15:30 UTC - Comprehensive ZDI Analysis Blog added
On May 14, 2019, Microsoft released its monthly “Patch Tuesday” set of security updates for the various supported versions of the Microsoft Windows operating system.
One notable bug addressed is a Remote Code Execution (RCE) vulnerability in Windows' Remote Desktop Services (CVE-2019-0708). If exploited, it could allow an unauthenticated attacker to connect via RDP and execute arbitrary code on the target system, without any user interaction and before any logon takes place. This makes it a "wormable" vulnerability, meaning an exploit could potentially spread from one vulnerable machine to the next very quickly.
The vulnerability affects older versions of the service: Microsoft states that Windows 8 and Windows 10 are not affected, but Windows 7 and Windows Server 2008 R2 (both still very widely used) are.
A comprehensive blog by the Zero Day Initiative (ZDI) has a very detailed analysis of the vulnerability: https://www.zerodayinitiative.com/blog/2019/5/27/cve-2019-0708-a-comprehensive-analysis-of-a-remote-desktop-services-vulnerability.
Please note: this is not a Trend Micro-specific vulnerability.
Mitigation and Protection
The first line of protection against any vulnerability is to ensure the affected systems are patched with Microsoft's latest security update, and this remains the primary recommendation for protection against any exploit that may arise from this vulnerability. Given the sheer number of systems that use Remote Desktop Services and the potential for a fast-spreading exploit, it is imperative that organizations and individuals apply Microsoft's patches as soon as possible.
Because of the seriousness of this issue, Microsoft has also issued out-of-band patches and guidance for some versions of Windows that have already reached end of life (EOL), such as Windows XP and Windows Server 2003. More information on these is available at: https://support.microsoft.com/en-us/help/4500705/customer-guidance-for-cve-2019-0708.
Microsoft also notes that enabling Network Level Authentication (NLA) on affected systems is a partial mitigation: NLA requires the client to authenticate before a Remote Desktop session is established, which blocks the unauthenticated stage of an attack. Systems with NLA enabled remain vulnerable to an attacker who has valid credentials and can authenticate successfully, so NLA is a stopgap, not a replacement for the patch.
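To see where in the RDP handshake NLA actually intervenes, the following Python script is an added example (not code from this advisory, Trend Micro or Microsoft). It builds the first client message of an RDP connection, the X.224 Connection Request with an RDP_NEG_REQ, and classifies the server's X.224 Connection Confirm as documented in MS-RDPBCGR. A server that enforces NLA rejects a client offering only standard RDP security with RDP_NEG_FAILURE (HYBRID_REQUIRED_BY_SERVER) at this step, before the MCS Connect Initial and channel join that an unauthenticated attacker needs to reach; a server that accepts standard RDP security, or an old server that sends no negotiation data at all, still exposes that pre-authentication surface. The sample replies and the cookie value are constructed for illustration; the `probe` function and its host argument are this example's own helpers.

```python
import socket
import struct

# requestedProtocols / selectedProtocol flags (MS-RDPBCGR 2.2.1.1.1)
PROTOCOL_RDP, PROTOCOL_SSL, PROTOCOL_HYBRID = 0x0, 0x1, 0x2  # HYBRID = CredSSP, i.e. NLA
TYPE_RDP_NEG_REQ, TYPE_RDP_NEG_RSP, TYPE_RDP_NEG_FAILURE = 0x01, 0x02, 0x03
HYBRID_REQUIRED_BY_SERVER = 0x05
FAILURE_CODES = {0x01: "SSL_REQUIRED_BY_SERVER", 0x02: "SSL_NOT_ALLOWED_BY_SERVER",
                 0x03: "SSL_CERT_NOT_ON_SERVER", 0x04: "INCONSISTENT_FLAGS",
                 0x05: "HYBRID_REQUIRED_BY_SERVER",
                 0x06: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER"}


def build_connection_request(requested_protocols=PROTOCOL_RDP, cookie=None):
    """TPKT + X.224 Connection Request + RDP_NEG_REQ. Offering only
    PROTOCOL_RDP imitates a client that cannot do NLA, which is exactly
    the client an NLA-enforcing server must turn away."""
    body = b""
    if cookie:  # optional routingToken/cookie field, as mstsc sends it
        body += b"Cookie: mstshash=" + cookie.encode("ascii") + b"\r\n"
    # RDP_NEG_REQ: type, flags, length (LE16), requestedProtocols (LE32)
    body += struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested_protocols)
    # X.224 CR fixed part: code 0xE0, DST-REF, SRC-REF, class option
    x224 = struct.pack(">BHHB", 0xE0, 0, 0, 0) + body
    li = len(x224)  # X.224 length indicator excludes itself
    return struct.pack(">BBH", 3, 0, 5 + li) + bytes([li]) + x224


def parse_connection_confirm(data):
    """Parse a TPKT-framed X.224 Connection Confirm. Raises ValueError on
    anything that is not a well-formed CC PDU; a caller should treat that
    as 'not RDP', never as 'safe'."""
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT frame")
    tpkt_len = struct.unpack(">H", data[2:4])[0]
    if tpkt_len != len(data):
        raise ValueError("TPKT length %d != %d bytes received" % (tpkt_len, len(data)))
    li, code = data[4], data[5]
    if (code & 0xF0) != 0xD0:
        raise ValueError("X.224 TPDU code 0x%02x is not Connection Confirm" % code)
    cc = {"kind": "legacy", "selected_protocol": None,
          "failure_code": None, "failure_name": None}
    if li == 6:  # no rdpNegData: pre-negotiation server, standard RDP security only
        return cc
    if li != 14:
        raise ValueError("unexpected Connection Confirm length LI=%d" % li)
    neg_type, _flags, neg_len, value = struct.unpack("<BBHI", data[11:19])
    if neg_len != 8:
        raise ValueError("rdpNegData length %d != 8" % neg_len)
    if neg_type == TYPE_RDP_NEG_RSP:
        cc.update(kind="negotiation_response", selected_protocol=value)
    elif neg_type == TYPE_RDP_NEG_FAILURE:
        cc.update(kind="negotiation_failure", failure_code=value,
                  failure_name=FAILURE_CODES.get(value, "UNKNOWN"))
    else:
        raise ValueError("unexpected rdpNegData type 0x%02x" % neg_type)
    return cc


def assess(cc):
    """Map a parsed Connection Confirm to the finding an operator cares about."""
    if cc["kind"] == "negotiation_failure":
        if cc["failure_code"] == HYBRID_REQUIRED_BY_SERVER:
            return ("nla_enforced", "NLA required: unauthenticated clients are stopped "
                    "at X.224 negotiation, before MCS connect; still patch, since a "
                    "client with valid credentials gets past this point")
        return ("undetermined", "standard RDP security refused with %s; re-probe "
                "offering PROTOCOL_SSL to tell TLS-only from NLA" % cc["failure_name"])
    if cc["kind"] == "legacy" or cc["selected_protocol"] == PROTOCOL_RDP:
        return ("pre_auth_exposed", "standard RDP security accepted: MCS connect and "
                "channel join are reachable without credentials")
    return ("tls_without_nla", "TLS selected but NLA not required: pre-auth RDP "
            "surface reachable over TLS")


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-PDU")
        buf += chunk
    return buf


def probe(host, port=3389, timeout=5.0, cookie="probe"):
    """Send one Connection Request to a live host and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connection_request(PROTOCOL_RDP, cookie))
        head = _recv_exact(sock, 4)  # TPKT header carries the total length
        data = head + _recv_exact(sock, struct.unpack(">H", head[2:4])[0] - 4)
    return assess(parse_connection_confirm(data))


# Constructed sample replies (not captured traffic), laid out per MS-RDPBCGR:
# TPKT(4) | LI | 0xD0 | DST-REF | SRC-REF | class | rdpNegData(8)
SAMPLE_CC_NLA_REQUIRED = bytes.fromhex("030000130ed000001234000300080005000000")
SAMPLE_CC_STD_RDP_OK = bytes.fromhex("030000130ed000001234000200080000000000")
SAMPLE_CC_LEGACY = bytes.fromhex("0300000b06d00000123400")  # no rdpNegData at all
```

`probe("rdp-host.example.net")` returns a `(finding, explanation)` tuple for a live listener; the script never goes further than the negotiation reply, so it does not touch the MCS or channel-join code and cannot tell whether the patch is installed. Read `nla_enforced` as reduced exposure to unauthenticated attackers only, and `pre_auth_exposed` as a host that should be patched or taken off the network first.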
Please visit Microsoft's MSRC Blog for more information at https://blogs.technet.microsoft.com/msrc/2019/05/14/prevent-a-worm-by-updating-remote-desktop-services-cve-2019-0708/.
Trend Micro Detection and Protection
Trend Micro has developed rules/filters based on our own analysis of a potential exploit, for additional protection. Please note, however, that in the absence of a true in-the-wild exploit the effectiveness of a rule or filter of this nature may vary, and it should not be considered the sole source of protection. Customers are highly encouraged to apply the Microsoft patches where possible and/or apply the other recommended mitigation strategies, such as enabling NLA and disabling non-critical RDP services and connections. More general RDP hardening guidance can be found in Trend Micro's InfoSec Guide: Remote Desktop Protocol at https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/infosec-guide-remote-desktop-protocol-rdp.
Trend Micro will continue to monitor for signs of active exploitation and will provide additional updates and rules if/when necessary.
Deep Security, Vulnerability Protection and Apex One Vulnerability Protection (iVP)
· Rule 1009749 - Microsoft Windows Remote Desktop Services Remote Code Execution Vulnerability (CVE-2019-0708)
TippingPoint
· Filter 35285: RDP: Windows Remote Desktop Services Remote Code Execution Vulnerability
In addition, Trend Micro provides the following generic detection and protection for Deep Security, Vulnerability Protection, Apex One Vulnerability Protection (iVP) and TippingPoint, targeted at general RDP-based threats.
Deep Security and Vulnerability Protection
RDP Traffic:
· Rule 1002508 - RDP (monitor RDP traffic)
Brute Force Detection:
· Rule 1009448 - Microsoft Windows Remote Desktop Protocol (RDP) Brute Force Attempt
Terminal Services Detection:
· Rule 1009549 - Detected Terminal Services (RDP) Server Traffic - 1 (ATT&CK T1015,T1043,T1076)
· Rule 1001164 - Detected Terminal Services (RDP) Server Traffic
In addition, the following rules are available in Deep Security only:
Brute Force Detection:
· Rule 1003716 - Identified Too Many Remote Desktop Protocol (RDP) Connection Request
Log Inspection:
· Rule 1002795 - Microsoft Windows Events - "Multiple Windows Logon Failures"
· Rule 1002795 - Microsoft Windows Events - "Windows Logon Failure"
· Rule 1004057 - Microsoft Windows Security Events - 1 "Logon attempted using explicit credentials"
Apex One Vulnerability Protection (iVP)
· Rule 1009448 - Microsoft Windows Remote Desktop Protocol (RDP) Brute Force Attempt
TippingPoint
· Filter 5683 RDP: Windows Remote Desktop Access on Non-Standard Ports
· Filter 5873 RDP: Windows Remote Desktop Access
· Filter 6197 RDP: Windows Remote Desktop Access on Non-Standard Ports (HTTP)
· Filter 10957 RDP: Windows Remote Desktop Brute Force Attempt by NCrack
· Filter 12134 RDP: Remote Desktop Denial of Service Attack
· Filter 22166 RDP: Windows Remote Desktop Access Over UDP
· Filter 22167 RDP: Windows Remote Desktop Access Over UDP on Non-Standard Ports
Trend Micro will continue to closely monitor this issue and will provide updates on specific vulnerability detection guidance or any known threat or exploit information that may arise.
References
· Microsoft Security Bulletin: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708
· Microsoft Customer Guidance for EOL Products: https://support.microsoft.com/en-us/help/4500705/customer-guidance-for-cve-2019-0708
· Microsoft MSRC Blog: https://blogs.technet.microsoft.com/msrc/2019/05/14/prevent-a-worm-by-updating-remote-desktop-services-cve-2019-0708/
· Trend Micro InfoSec Guide: Remote Desktop Protocol (RDP) - https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/infosec-guide-remote-desktop-protocol-rdp
· MITRE CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0708