After Microsoft ended support for Windows 2003 and Windows XP, there weren’t supposed to be any more security updates for those systems. If a vulnerability was found, then it would have to remain unpatched.
Except it turns out some vulnerabilities are too dangerous to leave unfixed, especially since there are production environments with legacy machines still running older versions of Windows. Microsoft decided the risk of leaving the [remote code execution flaw in Remote Desktop Services](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708) (CVE-2019-0708) unpatched was too high and released security updates for Windows 2003 and Windows XP, alongside updates for the still-supported Windows 7, Windows Server 2008 and Windows Server 2008 R2.
Microsoft recommends patching this issue as soon as possible and issued guidance for unsupported vulnerable systems.
Newer versions of the operating system (Windows 10, Windows 8.1 and 8, Windows Server 2019, Windows Server 2016, Windows Server 2012 and Server 2012 R2) are not affected. The flaw sits in Remote Desktop Services, formerly known as Terminal Services, the component that handles incoming remote desktop connections on those older versions of Windows; the Remote Desktop Protocol (RDP) itself is not vulnerable.
While there is no evidence of attackers exploiting this vulnerability in the wild, Microsoft believes an exploit is “highly likely” because the flaw can be triggered before authentication and without any user interaction. That combination is exactly what a worm needs to propagate on its own from one machine to the next.
“The vulnerability is ‘wormable’, meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017,” wrote Simon Pope, Director of Incident Response at the Microsoft Security Response Center (MSRC).
Echoes of WannaCry
The initial attack would look something like this: an unauthenticated attacker connects to the target machine via RDP and sends specially crafted requests to gain control over the system. They would be able to install programs; view, edit, and delete data; and create new accounts with full user rights. Once this machine is infected, it would be possible to launch a worm capable of propagating from vulnerable machine to vulnerable machine as the vulnerability is pre-authentication and does not require user interaction.
The security update addresses how Remote Desktop Services handle connection requests.
For organizations that can’t patch right away, Microsoft said enabling Network Level Authentication (NLA) on vulnerable machines acts as a partial mitigation. With NLA enabled, a client must authenticate before a session is created, so the vulnerable code path cannot be reached without valid credentials. That would stop a worm, which by definition has to spread without them. It does not remove the vulnerability, though: an attacker who holds valid credentials can still exploit it. Many organizations rely on weak passwords for RDP; strong credentials would prevent brute-forcing, but a determined attacker has plenty of other ways to obtain RDP credentials. NLA buys time, and the patch is still required.
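As an added, runnable illustration of the patch-or-mitigate decision above (example code written for this page, not from the article or from Microsoft): a PowerShell script that reports whether a host is in the affected version range, whether RDP is enabled and actually listening, whether NLA is required, and whether one of the fixes is installed, and optionally turns NLA on. The KB numbers in `$FixKbs` are my recollection of the update list on the Microsoft advisory and are an assumption here, not something the article states; confirm them against the advisory before relying on them. It uses Get-WmiObject rather than Get-CimInstance so that it runs on the PowerShell 2.0 that ships with Windows 7 and Server 2008 R2, and it must be run from an elevated prompt.

```powershell
# Added example for this page (not the article's or Microsoft's code).
# Reports a host's exposure to CVE-2019-0708 and, with -EnableNla, applies the
# partial mitigation described above. Run elevated. PowerShell 2.0 compatible.
param(
    [switch]$EnableNla,
    # ASSUMPTION: KB numbers as I recall them from the advisory; verify before use.
    [string[]]$FixKbs = @('KB4499175', 'KB4499164', 'KB4499180', 'KB4499149', 'KB4500331')
)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

function Get-RdpExposure {
    $os  = Get-WmiObject Win32_OperatingSystem
    $ver = [version]$os.Version
    # Per the article: XP (5.1), Server 2003 (5.2), Server 2008 (6.0) and
    # 7 / 2008 R2 (6.1) are affected; Windows 8 / Server 2012 (6.2) and later are not.
    $affectedOs = $ver -lt [version]'6.2'

    $ts  = Get-ItemProperty -Path $tsKey  -ErrorAction SilentlyContinue
    $rdp = Get-ItemProperty -Path $rdpKey -ErrorAction SilentlyContinue
    # fDenyTSConnections = 1 means Remote Desktop is switched off entirely.
    $rdpEnabled = ($ts -ne $null) -and ($ts.fDenyTSConnections -eq 0)
    # UserAuthentication = 1 means NLA is required before a session is created,
    # which is what keeps an unauthenticated client away from the vulnerable path.
    $nla = ($rdp -ne $null) -and ($rdp.UserAuthentication -eq 1)

    # Confirm something is really listening on the RDP port (default 3389).
    $port = if ($rdp -and $rdp.PortNumber) { $rdp.PortNumber } else { 3389 }
    $listening = @(netstat -an | Select-String -Pattern ":$port\s" |
                   Select-String -Pattern 'LISTENING').Count -gt 0

    $installedFix = @(Get-HotFix | Where-Object { $FixKbs -contains $_.HotFixID } |
                      ForEach-Object { $_.HotFixID })

    $verdict = if (-not $affectedOs) { 'Not in the affected OS range' }
               elseif ($installedFix.Count -gt 0) { 'Patched (' + ($installedFix -join ',') + ')' }
               elseif (-not ($rdpEnabled -and $listening)) { 'Affected OS but RDP not enabled/listening: patch anyway' }
               elseif ($nla) { 'Affected and exposed, NLA on: unauthenticated exploitation blocked, credential holders can still exploit. PATCH' }
               else { 'Affected and exposed, NLA off: unauthenticated RCE reachable. PATCH NOW or enable NLA' }

    New-Object PSObject -Property @{
        Host         = $env:COMPUTERNAME
        OsCaption    = $os.Caption
        OsVersion    = $os.Version
        AffectedOs   = $affectedOs
        RdpEnabled   = $rdpEnabled
        RdpListening = $listening
        NlaRequired  = $nla
        FixInstalled = $installedFix
        Verdict      = $verdict
    }
}

function Enable-RdpNla {
    try {
        # Preferred path: the Terminal Services WMI class applies the setting live.
        $gs = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
                            -Filter "TerminalName='RDP-Tcp'" -ErrorAction Stop
        $null = $gs.SetUserAuthenticationRequired(1)
        Write-Host 'NLA enabled via Win32_TSGeneralSetting; new connections must authenticate first.'
    } catch {
        # Older hosts may lack that class; write the registry flag directly and re-check.
        Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1 -Type DWord
        Write-Host 'NLA flag written to the registry. Restart TermService (or reboot) and re-run the check;'
        Write-Host 'if NlaRequired is still False, this host cannot enforce NLA and patching is the only option.'
    }
}

$exposure = Get-RdpExposure
$exposure | Format-List Host, OsCaption, OsVersion, AffectedOs, RdpEnabled, RdpListening, NlaRequired, FixInstalled, Verdict

if ($EnableNla -and $exposure.AffectedOs -and $exposure.RdpEnabled -and -not $exposure.NlaRequired) {
    Enable-RdpNla
}
```

Save it as a `.ps1` and run it from an elevated prompt on each legacy host; add `-EnableNla` to apply the mitigation only where the host is both in the affected range and exposed. The verdict deliberately never says "safe" while NLA is the only control in place: it keeps telling the operator to patch, which matches the guidance above that NLA blocks the worm but not an attacker holding credentials.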
WannaCry was a ransomware worm that scanned for vulnerable SMB systems, used the EternalBlue exploit to gain access, and used the DoublePulsar backdoor to install and execute a copy of itself on the newly compromised machine. Within a day WannaCry had infected more than 230,000 computers in over 150 countries, bringing many organizations to a complete standstill and disrupting operations at others. Experts believe the spread was primarily through unpatched Windows 7 systems.
With the new vulnerability, the risk is high for industrial facilities, as many of them still have legacy operating systems in their networks. Industrial cybersecurity company CyberX analyzed traffic from over 850 operational technology (OT) networks worldwide and found unsupported versions of Windows—many of which are likely to be affected by this flaw—running in 53 percent of industrial sites.
“The problem stems from the fact that patching computers in industrial control networks is challenging because they often operate 24x7 controlling large-scale physical processes like oil refining and electricity generation,” said Phil Neray, CyberX vice-president of industrial cybersecurity.