4:40pm, 5 November 2019
TLP Rating:
Critical vulnerability in Microsoft remote desktop services
Updated from 15 May 2019
Earlier this year, Microsoft published patches for a critical vulnerability in remote desktop services. This vulnerability affects older versions of Windows, including versions that are out of support.
Security researchers report that this vulnerability is now being actively exploited. Reports state attackers are using the BlueKeep exploit to compromise unpatched systems and install a cryptocurrency miner.
CERT NZ strongly recommends that users of the affected Microsoft products follow the mitigation advice in this advisory.
What's happening
Systems affected
Microsoft has published information about a critical vulnerability affecting older versions of Windows. They have released patches for the following versions:
- Windows 7
- Windows Server 2008 R2
- Windows Server 2008
- Windows Server 2003
- Windows XP.
Patches for supported versions of Windows
Microsoft has taken the unusual step of releasing patches for legacy systems:
Patches for unsupported versions of Windows
The following versions of Windows are not affected:
- Windows 8
- Windows 10
- versions of Windows Server since Server 2012.
What this means
Microsoft has released information about, as well as patches for, a critical remote code execution vulnerability. This affects remote desktop services for older versions of Windows.
The vulnerability is wormable, occurs pre-authentication and requires no user interaction.
While this vulnerability isn’t being actively exploited at this point, any future malware that exploits this vulnerability could propagate between vulnerable networks, as we observed in the 2017 WannaCry attacks.
What to look for
How to tell if you're at risk
You are at risk if you are running:
- Windows 7 or older, or
- Windows Server 2008 R2 or older,
and haven’t applied the latest security patches.
What to do
Prevention
CERT NZ strongly recommends that Windows users ensure that their systems are currently patched and up-to-date.
Currently supported versions are:
- Windows 7
- Windows Server 2008 R2
- Windows Server 2008.
Patches for supported versions of Windows.
Unsupported versions are:
- Windows Server 2003
- Windows XP.
Patches for unsupported versions of Windows.
It’s important users of these systems apply these patches immediately, if they have not already been applied. Due to its critical nature, CERT NZ recommends patching as soon as possible.
For users of the following systems, there is no action to take as these systems are not affected:
- Windows 8
- Windows 10
- Server 2012 or newer.
Mitigation
CERT NZ recommends disallowing RDP access from the internet if you don’t need it. If you need remote access, configure a VPN with multi-factor authentication rather than exposing RDP to the internet.
A partial mitigation is to enable network-level authentication. However, as this is not a complete mitigation, patching is still required.
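The following is an added example, not CERT NZ or Microsoft code: a local check of the settings the mitigation advice refers to, written for PowerShell 2.0 so it runs on Windows 7 and Server 2008 R2. The function names are hypothetical; the registry values are the standard Windows Remote Desktop settings. It does not verify patch state or whether the RDP port is reachable from the internet, so confirm both separately.

```powershell
# Added example. Reports whether this host is an affected Windows version,
# whether Remote Desktop is enabled, and whether NLA is required.

function Get-EffectiveRdpValue([string]$Name, [string]$LocalKey) {
    # A Group Policy value, when present, overrides the local setting.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    foreach ($key in @($policyKey, $LocalKey)) {
        $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
        if ($item -ne $null) { return $item.$Name }
    }
    return $null
}

function Get-RdpExposureReport {
    $tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpKey = Join-Path $tsKey 'WinStations\RDP-Tcp'

    # fDenyTSConnections = 0 means Remote Desktop connections are accepted.
    $rdpEnabled = (Get-EffectiveRdpValue 'fDenyTSConnections' $tsKey) -eq 0
    # UserAuthentication = 1 means network-level authentication is required.
    $nla  = (Get-EffectiveRdpValue 'UserAuthentication' $rdpKey) -eq 1
    # Listener port, needed when reviewing firewall rules for RDP.
    $port = Get-EffectiveRdpValue 'PortNumber' $rdpKey

    # Windows 7 / Server 2008 R2 report 6.1; Windows 8 / Server 2012 report 6.2.
    $os = [Environment]::OSVersion.Version
    $affected = $os -lt [Version]'6.2'

    if (-not $affected)                 { $action = 'Not an affected Windows version' }
    elseif ($rdpEnabled -and -not $nla) { $action = 'Patch immediately; RDP enabled without NLA' }
    elseif ($rdpEnabled)                { $action = 'Patch; NLA is only a partial mitigation' }
    else                                { $action = 'Patch; RDP is currently disabled' }

    New-Object PSObject -Property @{
        ComputerName    = $env:COMPUTERNAME
        OSVersion       = $os.ToString()
        AffectedVersion = $affected
        RdpEnabled      = $rdpEnabled
        NlaRequired     = $nla
        RdpPort         = $port
        Action          = $action
    } | Select-Object ComputerName, OSVersion, AffectedVersion,
                      RdpEnabled, NlaRequired, RdpPort, Action
}

Get-RdpExposureReport | Format-List
```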
More information
CERT NZ's multi-factor authentication advice
Windows Security Support
CVE-2019-0708 Microsoft security vulnerability advisory
If you require more information or further support, submit a report on our website or contact us on 0800 CERTNZ.
For media enquiries, email our media desk at certmedia@cert.govt.nz or call on 021 854 384.