Remote Desktop Services Remote Code Execution Vulnerability

CVE-2019-0708

Security Vulnerability

Released: May 14, 2019

Assigning CNA: Microsoft

CVE.org link: CVE-2019-0708

Executive Summary

A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

To exploit this vulnerability, an attacker would need to send a specially crafted request to the target systems Remote Desktop Service via RDP.

The update addresses the vulnerability by correcting how Remote Desktop Services handles connection requests.

Exploitability

The following table provides an exploitability assessment for this vulnerability at the time of original publication.

Publicly disclosed: No
Exploited: No
Exploitability assessment: N/A

Mitigations

The following mitigation may be helpful in your situation. In all cases, Microsoft strongly recommends that you install the updates for this vulnerability as soon as possible even if you plan to leave Remote Desktop Services disabled:

1. Disable Remote Desktop Services if they are not required.

If you no longer need these services on your system, consider disabling them as a security best practice. Disabling unused and unneeded services helps reduce your exposure to security vulnerabilities.

Workarounds

The following workarounds may be helpful in your situation. In all cases, Microsoft strongly recommends that you install the updates for this vulnerability as soon as possible even if you plan to leave these workarounds in place:

1. Enable Network Level Authentication (NLA) on systems running supported editions of Windows 7, Windows Server 2008, and Windows Server 2008 R2

You can enable Network Level Authentication to block unauthenticated attackers from exploiting this vulnerability. With NLA turned on, an attacker would first need to authenticate to Remote Desktop Services using a valid account on the target system before the attacker could exploit the vulnerability.

2. Block TCP port 3389 at the enterprise perimeter firewall

TCP port 3389 is used to initiate a connection with the affected component. Blocking this port at the network perimeter firewall will help protect systems that are behind that firewall from attempts to exploit this vulnerability. This can help protect networks from attacks that originate outside the enterprise perimeter. Blocking the affected ports at the enterprise perimeter is the best defense to help avoid Internet-based attacks. However, systems could still be vulnerable to attacks from within their enterprise perimeter.

Acknowledgements

The UK's National Cyber Security Centre (NCSC)

Microsoft recognizes the efforts of those in the security community who help us protect customers through coordinated vulnerability disclosure. See Acknowledgements for more information.

Security Updates

To determine the support lifecycle for your software, see the Microsoft Support Lifecycle.

Release date Descending

Release date

Product

Platform

Impact

Max Severity

Article

Download

Build Number

May 14, 2019

Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)

Remote Code Execution

Critical

May 14, 2019

Windows Server 2008 R2 for x64-based Systems Service Pack 1

Remote Code Execution

Critical

May 14, 2019

Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1

Remote Code Execution

Critical

May 14, 2019

Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)

Remote Code Execution

Critical

May 14, 2019

Windows Server 2008 for x64-based Systems Service Pack 2

Remote Code Execution

Critical

May 14, 2019

Windows Server 2008 for Itanium-Based Systems Service Pack 2

Remote Code Execution

Critical

May 14, 2019

Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)

Remote Code Execution

Critical

May 14, 2019

Windows Server 2008 for 32-bit Systems Service Pack 2

Remote Code Execution

Critical

May 14, 2019

Windows 7 for x64-based Systems Service Pack 1

Remote Code Execution

Critical

May 14, 2019

Windows 7 for 32-bit Systems Service Pack 1

Remote Code Execution

Critical

All results loaded

Loaded all 10 rows

Disclaimer

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions

version

revisionDate

description

1.0

May 14, 2019

Information published.

How satisfied are you with the MSRC Security Update Guide?