May 16, 2019

Microsoft Patches Windows 2003 and 2008 RDP with CVE-2019-0708

CVE-2019-0708 and Remote Desktop Services

On May 14, 2019, Microsoft released a patch for Windows 2003, Windows 2008, and Windows 2008 R2 servers. The specific patch mitigates the possibility that an attack could happen via Remote Desktop Protocol (RDP).   It is important to note that RDP is not by itself vulnerable.  This exploit is pre-authentication and does not require user interaction.  If exploited, the vulnerability could spread to other vulnerable servers in a worm-like fashion.  To exploit this vulnerability, an attacker would need to send a specially crafted request to the server via RDP.  The exploit could then run code to take over control of a system, delete files, and/or install programs.

Is there an exploit available for this yet?

At the time of this writing, there is not a public exploit available.  However, given the severity of the patch (Critical), it is likely only a matter of time before an exploit becomes available.

Which server versions are affected?

Windows 2003, Windows 2008, and Windows 2008 R2.  While Windows 2003 is no longer supported by Microsoft, this is an out of band patch that is being released. Customers should consider migrating away from Windows 2003 to a supported OS.

Our servers are protected by VPN though.  Does that help mitigate the risk?

While DataBank always recommends locking down ports on the firewall and using secure methods of connecting to a server, such as via VPN, this does not prevent an exploit from occurring.  While a VPN does lower the surface area of an attack as the communication is encrypted and the RDP service is not opened externally, the risk still exists until the patch is deployed.  The risk can also be partially mitigated with Network Level Authentication (NLA) in that the exploit would not spread to other vulnerable systems with NLA enabled.  DataBank recommends deploying the patch as soon as possible.

Where can I download the patch and apply it?

More information on the patch and how to download it is available in the Microsoft Update Catalog.