While security professionals try to take note of every vulnerability, the chore of parsing every CVE is daunting. But sometimes the vulnerabilities are severe enough that the industry takes notice. When Microsoft makes the rare move to backport fixes to unsupported operating systems, it becomes obvious that special attention is needed.
CVE-2019-0708 represents one such vulnerability. It is a vulnerability in the Remote Desktop/Terminal Services (RDP) component of Microsoft Windows. Successful exploitation of CVE-2019-0708 could yield arbitrary code execution in the Windows kernel, giving the attacker full control of the system.
This vulnerability scenario is eerily similar to CVE-2017-0144, which was the SMB vulnerability exploited by NSA in EternalBlue. EternalBlue was leaked by the Shadow Brokers hacker group and ultimately used by Wannacry and NonPetya. In May 2017, Wannacry hit unpatched systems with the CVE-2017-0144 vunerability. Within a day of release, over 230,000 computers in 150 countries were impacted by the ransomware. Among the most severe agencies impacted by this attack was the National Health Service in the UK, where hospitals in England and Scotland saw up to 70,000 devices including MRI scanners and blood-storage refrigerators possibly affected by the attack.
While there haven’t been instances of malware yet detected in the wild that use CVE-2019-0708, there are instances of proof-of-concept tools that manage to at least partway exploit the vulnerability to cause errors. Perhaps of more immediate consequence, attackers are using the opportunity of people looking to test CVE-2019-0708 through bogus proof-of-concept tools that simply install malware on the researcher’s machine. It is especially interesting as a security professional to see malware authors exploiting toolkits to infect hackers and researchers.
CVE-2019-0708 is a remote code execution vulnerability in the Remote Desktop/Terminal Services (RDP) component of Microsoft Windows. Successful exploitation of the vulnerability could yield arbitrary code execution in the Windows kernel giving the attacker full control similar to the MS17-010 SMB vulnerability.
The MSRC advisory states that this exploit has not been publicly disclosed nor has it been seen to be exploited in the wild. However, an MSRC blog post raises the speculation of this vulnerability could be used by a worm similar to the WannaCry malware. The blog fails to mention that WannaCry also used WMI and PsExec to spread internally within a network whereas the SMB vulnerability was used for initial access.
The vulnerability is significant as indicated by Microsoft backporting the patch to out-of-support versions of Windows, most notably Windows XP. Microsoft has raised the alarm of a “wormable” RDP previously which turned out to be a non-issue, MS-12-020 resulted in a denial-of-service condition and did not result in remote code execution.
This component is implemented by a driver named termdd.sys. A binary diff of the patch reveals an arbitrary write primitive  in kernel mode (ring-0) allowing an attacker to specify a memory location to be written to with limited control of what value can be written to that specified address. The attacker can control a 64-bit integer, `vVulnparam`, which is used in an address calculation. The attacker has limited control over the `vChannel` by opening a corresponding number of channels to the RDP service.
Windows XP, Windows 7, Server 2003, Server 2008, Server 2008 R2
Proof of Concepts (PoCs):
At the time of publication, there appears to be publicly available proof-of-concepts (PoCs) that can negotiate with the RDP service to exercise the vulnerable code path but are unable to gain arbitrary code execution, at worst they can corrupt kernel memory which results in a “bug check”, colloquially known as the Blue Screen of Death (BSoD). A variety of security researchers from reputable firms have published screenshots and video of PoCs that demonstrate the bug check condition.
Caution: There are a number of fake PoCs circulating which are copied from the MS12-020 vulnerability that will drop malware and others less malicious that, display Rick Astley’s “Never Gonna Give You Up”, or other mischievous pranks.
- Patch all vulnerable systems immediately – Patch available for supported and unsupported (Windows XP, Server 2003)
- Disable Remote Desktop Services (at least until the vulnerability is patched)
- Block TCP/3389 (and UDP/3389) at border firewalls to prevent externally launched exploits
- Enable Network Level Authentication (NLA) to require authenticated connections to the RDP service. The system will still be vulnerable though an attacker must have valid login credentials.