Update older Windows versions for vulnerability ASAP
The information below was sent to U-M staff groups via email on May 14, 2019. It is intended for U-M IT staff who are responsible for university servers running versions of Windows that have the Remote Desktop Services component built in.
Summary
Microsoft has just announced a vulnerability that affects pre-2012 Windows versions. A pre-authentication, remote code execution vulnerability that requires no user interaction resides in the Remote Desktop Services (previously known as Terminal Services) component of some versions of Windows Server and Windows. It is important to patch affected systems and computers ASAP, because the vulnerability is “wormable” (capable of being turned into a computer worm) and could spread quickly among vulnerable computers. Given the severity of the threat, Microsoft has taken the unusual step of providing updates to older, unsupported versions of Windows.
Problem
This is a pre-authentication vulnerability that would allow a remote attacker to execute arbitrary commands on a vulnerable system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Threats
The Microsoft Security Response Center has not observed active exploitation of this vulnerability in the wild, although it is expected that exploits will soon be written into malware.
Affected Versions
Versions of Windows and Windows Server prior to Windows Server 2012:
- Windows 7
- Windows XP
- Windows Server 2008 R2
- Windows Server 2008
- Windows Server 2003
Action Items
- Disable Windows Remote Desktop (previously known as Terminal Services) if it is not needed.
- Avoid exposing Windows Remote Desktop/Terminal Services to the internet. Require use of a VPN for access from off-campus.
- Update vulnerable systems as soon as possible. Security updates are available from Microsoft; see the References section.
Technical Details
According to Microsoft: "A remote code execution vulnerability exists in Remote Desktop Services—formerly known as Terminal Services—when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would need to send a specially crafted request to the target system's Remote Desktop Service via RDP. The update addresses the vulnerability by correcting how Remote Desktop Services handles connection requests."
How We Protect U-M
- Information Assurance (IA) monitors a number of sources for information about new vulnerabilities and threats and provides up-to-date information to the university community.
- IA performs regular vulnerability scans of university networks to identify vulnerable devices and request remediation.
- IA provides vulnerability management guidance to the university.
- ITS MiServer staff reported that MiServer partially mitigates this vulnerability through a mandatory security policy enabling Network Level Authentication (NLA). MiServer will apply the Microsoft security update the week of May 20.
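The following audit script is added here as an example and is not part of the U-M advisory or of MiServer's tooling. It checks a single host against the criteria the Action Items and the NLA note describe: whether the OS falls in the affected range (before Windows 8 / Server 2012), whether Remote Desktop is enabled, and whether NLA is required. It assumes PowerShell run as Administrator, uses the standard Terminal Server registry keys, only reports and changes nothing, and cannot tell whether the RDP port is reachable from the internet or whether the Microsoft update is installed; confirm both separately.

```powershell
# Added example, not the advisory's own code. Read-only audit for CVE-2019-0708 exposure.
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = Join-Path $tsKey 'WinStations\RDP-Tcp'

# Get-WmiObject is used instead of Get-CimInstance so the script also runs on the
# XP/2003-era PowerShell 2.0 that the affected systems are likely to have.
$os  = Get-WmiObject -Class Win32_OperatingSystem
$ver = [version]$os.Version

# Affected per the advisory: Windows versions before NT 6.2 (Windows 8 / Server 2012).
$affectedBuild = ($ver -lt [version]'6.2')

# fDenyTSConnections = 1 means Remote Desktop is disabled (the first action item).
$deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
$rdpEnabled = ($deny -eq 0)

# UserAuthentication = 1 means Network Level Authentication is required; an
# unauthenticated client is rejected before reaching the vulnerable code path,
# which is the partial mitigation MiServer relies on (still patch).
$ua = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
$nlaRequired = ($ua -eq 1)
$port = (Get-ItemProperty -Path $rdpTcp -Name PortNumber -ErrorAction SilentlyContinue).PortNumber

$findings = @()
if ($affectedBuild) {
    $findings += "OS '$($os.Caption)' ($ver) is in the affected range; apply the Microsoft update."
}
if ($affectedBuild -and $rdpEnabled) {
    $findings += "Remote Desktop listens on TCP $port; disable it if not needed, otherwise restrict it to the VPN."
}
if ($affectedBuild -and $rdpEnabled -and -not $nlaRequired) {
    $findings += "NLA is not required; enable it as a partial mitigation until the update is applied."
}
if ($findings.Count -eq 0) { $exposure = 'none found (not in affected range, or Remote Desktop disabled)' }
else                       { $exposure = $findings -join ' ' }

# New-Object PSObject (rather than [pscustomobject]) keeps this PowerShell 2.0 compatible.
New-Object PSObject -Property @{
    Host        = $env:COMPUTERNAME
    OS          = $os.Caption
    Version     = $ver.ToString()
    RDPEnabled  = $rdpEnabled
    NLARequired = $nlaRequired
    RDPPort     = $port
    Exposure    = $exposure
}
```

The same checks can be run fleet-wide by wrapping the script in Invoke-Command against a server list and collecting the returned objects, which gives a quick inventory of hosts still needing the update or the NLA policy.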
Information for Users
- If you have a personal computer running Windows 7 or XP, apply the updates listed above as soon as you can. Better yet, upgrade to the latest version of Windows if at all possible.
- Always use a VPN to connect to U-M Terminal Services (Windows Remote Desktop) from off-campus networks.
References
- CVE-2019-0708 | Remote Desktop Services Remote Code Execution Vulnerability (Microsoft, 5/14/19)
- Microsoft Patches ‘Wormable’ Flaw in Windows XP, 7 and Windows 2003 (Krebs on Security, 5/14/19)
- Prevent a worm by updating Remote Desktop Services (CVE-2019-0708) (Microsoft Technet, 5/14/19)
- The May 2019 Security Update Review (Zero Day Initiative, 5/14/19)