[aklug] wormable remote vuln in RDP
Royce Williams
royce at tycho.org
Wed May 15 06:47:13 AKDT 2019
[cross-posting to AKLUG and NUGA]
Along with the rest of the flood of vuln reports yesterday, Microsoft's
Patch Tuesday included patches for a remote RDP bug:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708
It's very wormable - and also likely to be great fodder for ransomware.
It's bad enough that for the second time ever, they're supplying patches
for unsupported OSes:
https://krebsonsecurity.com/2019/05/microsoft-patches-wormable-flaw-in-windows-xp-7-and-windows-2003/
If you can't patch, and your RDP is public on purpose, one mitigation is to
enable Network Level Authentication, which requires auth before you can
attempt to log in:
https://en.wikipedia.org/wiki/Network_Level_Authentication
Another mitigation is to block 3389 at your border. If you are a provider,
this can be tricky because many people are using direct RDP from the public
Internet as a maintenance or workflow path.
Public RDP is not a recommended practice. If you are using direct public
RDP, put it behind a VPN.
I've scanned my known Alaskan IP space:
https://www.techsolvency.com/alaskan-networks/
... for RDP, not for the vuln. (At this writing, there is no scanner or
POC.) At this writing, about 830 Alaskan systems have public RDP enabled.
I am working with providers to give them the list for potential action, but
any such action beyond their own gear is likely to be a courtesy only (so I
would take action now and not wait for it).
I'm sure that many people are trying to reverse-engineer the patches as we
speak, so I recommend surveying your attack surface quickly.
(Disclaimer: this is just me personally investigating and raising the
issue, not $DAYJOB-related, and is just a nudge for folks to consult their
respective geeks and take action)
Royce
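As an added example (not part of Royce's post), the following PowerShell audits a Windows host for the two host-side mitigations he mentions, requiring Network Level Authentication and keeping 3389 off the public Internet, and applies them. It assumes an elevated session, the English "Remote Desktop" firewall rule group, and a placeholder VPN/management subnet of 10.20.0.0/24.

```powershell
# Added example: audit and enforce the RDP mitigations described above.
# Run in an elevated PowerShell session on the RDP host.

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$tsKey\WinStations\RDP-Tcp"
$mgmtSubnet = '10.20.0.0/24'   # ASSUMPTION: placeholder for your VPN pool

# fDenyTSConnections = 0 means Remote Desktop is enabled on this host.
$rdpEnabled = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections -eq 0

# UserAuthentication = 1 is the registry form of "Allow connections only from
# computers running Remote Desktop with Network Level Authentication".
$nlaRequired = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication).UserAuthentication -eq 1

# Is anything actually listening on the default RDP port?
$listening = [bool](Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue)

[pscustomobject]@{
    RdpEnabled        = $rdpEnabled
    NlaRequired       = $nlaRequired
    Port3389Listening = $listening
} | Format-List

# Mitigation 1: require NLA so a client must authenticate before a session
# is created on the server.
if ($rdpEnabled -and -not $nlaRequired) {
    Write-Warning 'RDP is enabled without NLA; requiring NLA now.'
    Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1 -Type DWord
}

# Mitigation 2: scope the built-in Remote Desktop allow rules to the VPN /
# management subnet. Windows Firewall blocks inbound traffic that matches no
# allow rule, so narrowing the allow rules is enough (and avoids an explicit
# block rule, which would override the allow rule for the subnet as well).
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    Set-NetFirewallRule -RemoteAddress $mgmtSubnet

Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    Get-NetFirewallAddressFilter |
    Select-Object -Property RemoteAddress
```

Patching remains the actual fix; this only narrows exposure on hosts that cannot be patched yet.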