[aklug] wormable remote vuln in RDP

bryan@gnomon.xyz bryanm at gci.net
Thu May 16 20:33:50 AKDT 2019


[replying to AKLUG only]

FYI, Slackware released a patch to rdesktop to fix "many security issues".

If your distro hasn't released patches yet, you may want to check on that. If you run public-facing RDP and haven't patched yet, you should REALLY check on that. If you don't use RDP, but have public-facing RDP ports open anyway and still haven't patched, you should REALLY REALLY check on that. :)

--
Bryan Medsker
bryan at gnomon.xyz


----- Original Message -----
> From: "Royce Williams" <royce at tycho.org>
> To: "AKLUG" <aklug at aklug.org>, nuga at groups.io
> Sent: Wednesday, May 15, 2019 6:47:13 AM
> Subject: [aklug] wormable remote vuln in RDP

> [cross-posting to AKLUG and NUGA]
> 
> Along with the rest of the flood of vuln reports yesterday, Microsoft's Patch
> Tuesday included patches for a remote RDP bug:
> 
> https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708
> 
> It's very wormable - and also likely to be great fodder for ransomware. It's bad
> enough that for the second time ever, they're supplying patches for unsupported
> OSes:
> 
> https://krebsonsecurity.com/2019/05/microsoft-patches-wormable-flaw-in-windows-xp-7-and-windows-2003/
> 
> If you can't patch, and your RDP is public on purpose, one mitigation is to
> enable Network Level Authentication, which requires auth before you can attempt
> to log in:
> 
> https://en.wikipedia.org/wiki/Network_Level_Authentication
> 
> Another mitigation is to block 3389 at your border. If you are a provider, this
> can be tricky because many people are using direct RDP from the public Internet
> as a maintenance or workflow path.
> 
> Public RDP is not a recommended practice. If you are using direct public RDP,
> put it behind a VPN.
> 
> I've scanned my known Alaskan IP space:
> 
> https://www.techsolvency.com/alaskan-networks/
> 
> ... for RDP, not for the vuln. (At this writing, there is no scanner or POC.)
> At this writing, about 830 Alaskan systems have public RDP enabled. I am
> working with providers to give them the list for potential action, but any such
> action beyond their own gear is likely to be a courtesy only (so I would take
> action now and not wait for it).
> 
> I'm sure that many people are trying to reverse-engineer the patches as we
> speak, so I recommend surveying your attack surface quickly.
> 
> (Disclaimer: this is just me personally investigating and raising the issue, not
> $DAYJOB-related, and is just a nudge for folks to consult their respective
> geeks and take action)
> 
> Royce
> 
> 
> _______________________________________________
> aklug mailing list
> aklug at aklug.org
> https://lists.aklug.org/mailman/listinfo/aklug
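Royce's message recommends enabling Network Level Authentication as the mitigation, and Bryan's reply urges anyone with public-facing RDP to check on it. The script below is an added example written for this archive page, not code from either poster: it verifies from the outside that NLA is actually enforced on a host you administer, by offering the server only the non-NLA protocols in the X.224 Connection Request and checking whether it answers with an RDP_NEG_FAILURE of HYBRID_REQUIRED_BY_SERVER. The byte layout, protocol flags and failure codes follow MS-RDPBCGR as recalled here; the sample replies, the file name in the comment and any host names are constructed for illustration.

```python
"""Check whether an RDP endpoint enforces Network Level Authentication (NLA).

Added example for this thread, not code from either poster. Layout follows the
X.224 Connection Request / Confirm and RDP_NEG_* structures of MS-RDPBCGR as
recalled by the author of this example; sample replies below are constructed,
not captured traffic.
"""
import socket
import struct
import sys

# requestedProtocols / selectedProtocol flags (RDP_NEG_REQ / RDP_NEG_RSP)
PROTOCOL_RDP = 0x00000000        # standard RDP security: no TLS, no NLA
PROTOCOL_SSL = 0x00000001        # TLS, but the login screen is still reachable pre-auth
PROTOCOL_HYBRID = 0x00000002     # CredSSP, i.e. NLA
PROTOCOL_HYBRID_EX = 0x00000008  # CredSSP with early user authorization result

TYPE_RDP_NEG_REQ = 0x01
TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03

HYBRID_REQUIRED_BY_SERVER = 0x00000005
FAILURE_CODES = {
    0x1: "SSL_REQUIRED_BY_SERVER",
    0x2: "SSL_NOT_ALLOWED_BY_SERVER",
    0x3: "SSL_CERT_NOT_ON_SERVER",
    0x4: "INCONSISTENT_FLAGS",
    0x5: "HYBRID_REQUIRED_BY_SERVER",
    0x6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def _tpkt(x224_pdu):
    """Wrap an X.224 PDU in a TPKT header (version 3, 2-byte big-endian length)."""
    return struct.pack(">BBH", 3, 0, 4 + len(x224_pdu)) + x224_pdu


def build_connection_request(requested_protocols):
    """X.224 Connection Request carrying an RDP_NEG_REQ for the given protocols."""
    neg_req = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested_protocols)
    # LI counts everything after itself: 6 header bytes + the 8-byte RDP_NEG_REQ
    x224 = struct.pack(">BBHHB", 6 + len(neg_req), 0xE0, 0, 0, 0) + neg_req
    return _tpkt(x224)


def build_connection_confirm(neg_pdu=b""):
    """Constructed server reply used for the offline samples (not captured traffic)."""
    x224 = struct.pack(">BBHHB", 6 + len(neg_pdu), 0xD0, 0, 0x1234, 0) + neg_pdu
    return _tpkt(x224)


def classify_response(data):
    """Return (status, detail) for a server's reply to a request that offered
    only PROTOCOL_RDP | PROTOCOL_SSL. 'nla_enforced' means the server refused
    to proceed without CredSSP, so the pre-auth RDP code path is not reachable."""
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT-framed X.224 response")
    li, code = data[4], data[5]
    if code & 0xF0 != 0xD0:
        raise ValueError("not an X.224 Connection Confirm (code 0x%02x)" % code)
    if li < 14:
        # Pre-Vista style reply: bare Connection Confirm, no RDP_NEG_RSP at all.
        return ("nla_not_enforced", "legacy standard RDP security, no negotiation")
    pdu_type, _flags, _length, value = struct.unpack("<BBHI", data[11:19])
    if pdu_type == TYPE_RDP_NEG_RSP:
        if value & (PROTOCOL_HYBRID | PROTOCOL_HYBRID_EX):
            return ("nla_enforced", "server selected CredSSP")
        chosen = "TLS" if value == PROTOCOL_SSL else "standard RDP security"
        return ("nla_not_enforced", "server accepted %s without NLA" % chosen)
    if pdu_type == TYPE_RDP_NEG_FAILURE:
        reason = FAILURE_CODES.get(value, "unknown failure code %d" % value)
        if value == HYBRID_REQUIRED_BY_SERVER:
            return ("nla_enforced", reason)
        return ("negotiation_failed", reason)
    raise ValueError("unexpected negotiation PDU type 0x%02x" % pdu_type)


def check_host(host, port=3389, timeout=5.0):
    """Probe one host you administer: offer only the non-NLA protocols and see
    whether the server insists on CredSSP."""
    req = build_connection_request(PROTOCOL_RDP | PROTOCOL_SSL)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(req)
        return classify_response(sock.recv(1024))


# Constructed sample replies covering the three outcomes a server can give.
SAMPLE_NLA_REQUIRED = build_connection_confirm(
    struct.pack("<BBHI", TYPE_RDP_NEG_FAILURE, 0, 8, HYBRID_REQUIRED_BY_SERVER))
SAMPLE_TLS_NO_NLA = build_connection_confirm(
    struct.pack("<BBHI", TYPE_RDP_NEG_RSP, 0, 8, PROTOCOL_SSL))
SAMPLE_LEGACY = build_connection_confirm()

if __name__ == "__main__":
    for name, sample in (("nla-required", SAMPLE_NLA_REQUIRED),
                         ("tls-no-nla", SAMPLE_TLS_NO_NLA),
                         ("legacy", SAMPLE_LEGACY)):
        print("%-13s %s" % (name, classify_response(sample)))
    # hypothetical usage: python3 rdp_nla_check.py host.example.internal
    for host in sys.argv[1:]:
        print(host, check_host(host))
```

Run with no arguments to see the three constructed outcomes classified; pass host names to probe your own machines. A result of `nla_enforced` tells you the mitigation Royce describes is in effect on that host; it says nothing about whether the host is patched, so an `nla_not_enforced` or legacy answer on anything reachable from the Internet is the case to act on first.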

