[aklug] wormable remote vuln in RDP

Royce Williams royce at tycho.org
Wed May 15 06:47:13 AKDT 2019

[cross-posting to AKLUG and NUGA]

Along with the rest of the flood of vuln reports yesterday, Microsoft's
Patch Tuesday included patches for a remote RDP bug:


It's very wormable - and also likely to be great fodder for ransomware.
It's bad enough that for the second time ever, they're supplying patches
for unsupported OSes:


If you can't patch, and your RDP is public on purpose, one mitigation is to
enable Network Level Authentication, which requires auth before you can
attempt to log in:


Another mitigation is to block 3389 at your border. If you are a provider,
this can be tricky because many people are using direct RDP from the public
Internet as a maintenance or workflow path.

Public RDP is not a recommended practice. If you are using direct public
RDP, put it behind a VPN.

I've scanned my known Alaskan IP space:


... for RDP, not for the vuln. (At this writing, there is no scanner or
POC.) At this writing, about 830 Alaskan systems have public RDP enabled.
I am working with providers to give them the list for potential action, but
any such action beyond their own gear is likely to be a courtesy only (so I
would take action now and not wait for it).

I'm sure that many people are trying to reverse-engineer the patches as we
speak, so I recommend surveying your attack surface quickly.

(Disclaimer: this is just me personally investigating and raising the
issue, not $DAYJOB-related, and is just a nudge for folks to consult their
respective geeks and take action)
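The two host-side mitigations named above (enable NLA, and stop exposing 3389 to the whole Internet) can be audited and applied from PowerShell; this is an added example, not code from the post or from Microsoft. The registry paths are the standard Terminal Services settings; the firewall rule name and the trusted subnet are assumptions for illustration, and the NetSecurity cmdlets require Windows 8 / Server 2012 or later.

```powershell
# Added example (not from the original post). Run in an elevated session.
$RdpTcp        = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$TsRoot        = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RuleName      = 'RDP-Tcp restricted (example)'   # assumed rule name
$TrustedSubnet = '10.0.0.0/24'                    # placeholder: your VPN / management range

function Get-RdpExposure {
    # RDP listener enabled?  (fDenyTSConnections = 0 means connections are allowed)
    $rdpEnabled = (Get-ItemProperty $TsRoot).fDenyTSConnections -eq 0
    # NLA on?  (UserAuthentication = 1 requires CredSSP auth before a session is created)
    $nla = (Get-ItemProperty $RdpTcp).UserAuthentication -eq 1
    # Enabled inbound allow rules for TCP/3389 whose remote address is unrestricted
    $openRules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Where-Object {
            ($_ | Get-NetFirewallPortFilter).LocalPort -contains '3389' -and
            ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any'
        }
    [pscustomobject]@{
        RdpEnabled    = $rdpEnabled
        NlaEnabled    = $nla
        UnscopedRules = @($openRules | ForEach-Object DisplayName)
    }
}

function Set-RdpMitigations {
    # 1. Require Network Level Authentication on the RDP-Tcp listener.
    Set-ItemProperty -Path $RdpTcp -Name UserAuthentication -Value 1 -Type DWord
    # 2. Host-firewall analogue of "block 3389 at the border": disable the
    #    existing wide-open 3389 allow rules and replace them with one scoped
    #    to the trusted subnet.
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '3389' } |
        Disable-NetFirewallRule
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Allow `
            -Protocol TCP -LocalPort 3389 -RemoteAddress $TrustedSubnet | Out-Null
    }
}

# Audit first; call Set-RdpMitigations only after confirming the trusted range
# is correct, or you will lock yourself out of the box.
Get-RdpExposure | Format-List
```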
