Microsoft released an update for Windows 2003, XP and 7 to patch CVE-2019-0708 – a Remote Code Execution Vulnerability
Microsoft is about to end support for Windows 7 in 2020, while XP and 2003 have not been supported or patched with security updates for a while now. Despite that, Microsoft released a patch to ensure that malicious actors cannot abuse a highly critical Remote Code Execution (RCE) vulnerability on these outdated, although still highly popular, machines.
The tech giant released the update yesterday, stating that the flaw allows attackers to send specially crafted requests to Remote Desktop Services (previously known as Terminal Services) and execute arbitrary code. Malware abusing the flaw could behave as a worm, spreading across the network quickly without any user interaction whatsoever.
Microsoft published an advisory stating that an attacker who succeeds could perform a variety of tasks:
This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Only older versions are affected by the flaw
The vulnerability, tracked as CVE-2019-0708, is related to a component of RDS which is a built-in feature of older versions of Windows, such as Windows 7, Windows XP, Windows 2003, Windows Server 2008 or Windows Server 2008 R2.
The flaw, however, does not affect the more recent versions of Windows, such as Windows 8, Windows 8.1, Windows 10, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016 or Windows Server 2019.
According to Simon Pope, Director of Incident Response at Microsoft, there is a reason why newer versions are not affected by the critical vulnerability, and he urges everybody to upgrade:
Customers running Windows 8 and Windows 10 are not affected by this vulnerability, and it is no coincidence that later versions of Windows are unaffected. Microsoft invests heavily in strengthening the security of its products, often through major architectural improvements that are not possible to backport to earlier versions of Windows.
Pope says the flaw can be partially mitigated if Network Level Authentication (NLA) is enabled on the unpatched systems, as NLA requires the client to authenticate before a session is established. However, this does little if the attackers already hold valid credentials: with those they can authenticate past NLA and still achieve Remote Code Execution (RCE), even on a machine that has Network Level Authentication enabled.
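As an added example (not from the article or from Microsoft), the following PowerShell script lets an administrator check a Windows 7 or Server 2008 host for the mitigation described above: whether Remote Desktop is enabled and whether the RDP-Tcp listener requires NLA. The registry locations are the standard Terminal Server ones; the `-EnableNla` switch and the output layout are this script's own assumptions, and it must run in an elevated session.

```powershell
# Added example, not part of the original article: report Remote Desktop and
# NLA status on the local host, optionally enabling NLA on the RDP-Tcp listener.
# NLA is only a partial mitigation for CVE-2019-0708; the update must still be installed.
param([switch]$EnableNla)   # assumed switch name for this script

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = Join-Path $tsKey 'WinStations\RDP-Tcp'

# fDenyTSConnections = 0 means Remote Desktop accepts incoming connections.
$rdpEnabled  = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections -eq 0
# UserAuthentication = 1 means the listener requires Network Level Authentication.
$nlaRequired = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication).UserAuthentication -eq 1

# Get-WmiObject and New-Object PSObject work on the PowerShell 2.0 shipped with Windows 7.
$os = Get-WmiObject -Class Win32_OperatingSystem
New-Object PSObject -Property @{
    ComputerName = $env:COMPUTERNAME
    OSVersion    = $os.Version        # e.g. 6.1.xxxx for Windows 7 / Server 2008 R2
    RdpEnabled   = $rdpEnabled
    NlaRequired  = $nlaRequired
}

if ($rdpEnabled -and -not $nlaRequired) {
    Write-Warning 'Remote Desktop is reachable without NLA: exposed to CVE-2019-0708 if the update is not installed.'
    if ($EnableNla) {
        # Same setting as "Allow connections only from computers running Remote Desktop
        # with Network Level Authentication" in System Properties.
        Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1 -Type DWord
        Write-Output 'NLA enabled on RDP-Tcp. Older clients without CredSSP support will no longer connect.'
    }
}
```

Run it without the switch first to inventory hosts; the warning branch is the case the article describes, where an unpatched machine still answers pre-authentication RDP requests.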
The exploitation of the flaw might bring an attack similar to WannaCry
According to Microsoft, systems that have automatic updates enabled should be patched without user interaction. Nevertheless, because the older systems have not been supported for a while now, users might have the automatic update feature disabled altogether, which concerns security experts:
This vulnerability is pre-authentication and requires no user interaction. In other words, the vulnerability is ‘wormable’, meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017. While we have observed no exploitation of this vulnerability, it is highly likely that malicious actors will write an exploit for this vulnerability and incorporate it into their malware.
Because this critical vulnerability can be exploited by a worm, it could easily result in an outbreak like the WannaCry ransomware attack of 2017, when the malware brought hundreds of high-profile corporations and governmental institutions worldwide to a standstill and caused millions of dollars in damages. The EternalBlue exploit was primarily used on Windows XP and other older Windows versions, much like the CVE-2019-0708 flaw.
Nevertheless, those who run older systems should make sure that automatic updates are enabled; otherwise, the patch should be downloaded and applied manually.
According to Kevin Beaumont, a cyber security expert from BNFL, there are currently 3 million RDP endpoints exposed to the internet that are susceptible to exploitation of the flaw.