Carnegie Mellon University School of Computer Science
May 15, 2019

Critical Windows Vulnerability - Patch Now

Windows 7, XP, Windows Server 2008 and others affected.


Microsoft Windows Remote Desktop Services Remote Code Execution Vulnerability (CVE-2019-0708)

PLATFORMS AFFECTED:
Update/Patch Available: Windows 7, XP, Windows Server 2008 R2, 2008, 2003
Update/Patch Not Available: Windows Vista

RELATED PLATFORMS NOT AFFECTED:
Windows 10, 8, 8.1
Windows Server 2019, 2016, 2012 R2, 2012

CRITICAL IMPACT:
Remote Code Execution

A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using Remote Desktop Protocol (RDP) and sends specially crafted requests.

This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

The vulnerability is ‘wormable’, meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017.

As of this writing, Microsoft has not observed exploitation of this vulnerability in the wild, and no public exploit code exists. However, the patches are expected to be reverse engineered and malware written to exploit this flaw in short order, so the window before exploitation is measured in days, not months.
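The following is an added example, not part of the CMU advisory or of Microsoft's guidance, for checking a single host against the affected-platform list above: it reads the OS version, looks for the fix in the installed hotfix list, and reports whether Remote Desktop is actually reachable and whether Network Level Authentication is required. It is written in Windows PowerShell 2.0 syntax so it runs on Windows 7 and Server 2008. The KB identifiers in `$FixKBs` are an assumption taken from Microsoft's May 2019 fixes and should be verified against the customer-guidance page linked below before you rely on them; the function name `Test-BlueKeepExposure` is also ours.

```powershell
# Added example, not part of the CMU advisory: audit one host for CVE-2019-0708
# exposure. Run from an elevated PowerShell prompt on the host being checked.
# Kept to Windows PowerShell 2.0 syntax so it runs on Windows 7 / Server 2008.

# Assumption: these are the May 2019 Microsoft update IDs that carry the fix
# (security-only and monthly-rollup variants). Verify them against
# https://support.microsoft.com/en-us/help/4500705 before relying on them.
$FixKBs = @(
    'KB4499175', 'KB4499164',   # Windows 7 SP1 / Server 2008 R2 SP1
    'KB4499180', 'KB4499149',   # Windows Server 2008 SP2
    'KB4500331'                 # Windows XP SP3 / Server 2003 (Update Catalog only)
)

function Test-BlueKeepExposure {
    $os    = Get-WmiObject -Class Win32_OperatingSystem
    $parts = $os.Version -split '\.'
    $major = [int]$parts[0]
    $minor = [int]$parts[1]
    # Affected kernels: 5.x (XP, Server 2003) and 6.0/6.1 (Vista, Server 2008,
    # Windows 7, Server 2008 R2). 6.2 and later (Windows 8 / Server 2012 onward)
    # are not affected.
    $affected = ($major -eq 5) -or ($major -eq 6 -and $minor -le 1)

    # Which of the known fix KBs are present. A later rollup that supersedes
    # them will NOT show these IDs, so an empty result means "verify", not
    # "proven vulnerable".
    $found = @(Get-HotFix | Where-Object { $FixKBs -contains $_.HotFixID } |
               ForEach-Object { $_.HotFixID })

    $tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpKey = "$tsKey\WinStations\RDP-Tcp"
    $deny = (Get-ItemProperty -Path $tsKey  -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    $port = (Get-ItemProperty -Path $rdpKey -Name PortNumber         -ErrorAction SilentlyContinue).PortNumber
    $nla  = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    $svc  = Get-Service -Name TermService -ErrorAction SilentlyContinue

    # RDP is reachable only if connections are allowed and the service runs.
    $listening = ($deny -ne 1) -and ($svc -ne $null) -and ($svc.Status -eq 'Running')

    if (-not $affected)         { $verdict = 'Not in an affected Windows family' }
    elseif ($found.Count -gt 0) { $verdict = 'Fix installed' }
    elseif (-not $listening)    { $verdict = 'Fix not found; RDP not listening (patch anyway)' }
    elseif ($nla -eq 1)         { $verdict = 'Fix not found; NLA required (partial mitigation) - PATCH NOW' }
    else                        { $verdict = 'Fix not found; RDP reachable without NLA - PATCH OR ISOLATE NOW' }

    New-Object PSObject -Property @{
        Computer     = $env:COMPUTERNAME
        OSVersion    = $os.Version
        RDPListening = $listening
        RDPPort      = $port
        NLARequired  = ($nla -eq 1)
        FixKBsFound  = ($found -join ', ')
        Verdict      = $verdict
    }
}

Test-BlueKeepExposure | Format-List
```

The verdict deliberately treats "no KB found" as "not proven patched" rather than "vulnerable": on a host that was updated through a later monthly rollup, compare the installed rollup against the Microsoft guidance page instead of trusting this list. Note also that a non-default `RDPPort` means the campus border block on TCP 3389 is not protecting that host.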

Please Note: The CMU Information Security Office will take necessary actions to mitigate risk, including the possibility of notifying and suspending vulnerable system network access if not patched within 24 hours of notification.

WHAT YOU HAVE TO DO:

Supported SCS Windows Computers:

SCS Computing Facilities will be deploying patches on May 15th, 2019 at 6:00 p.m. Eastern. Once patched, reboot your computer if prompted to ensure the security update has been applied. You can also apply the update manually rather than waiting for the scheduled deployment. If you have an SCS-supported computer still running an unsupported version of Windows, please take action to upgrade it to a supported Windows 10 build/version.

Unsupported Windows Computers:

If you run a computer that is not supported by SCS and upgrading is not feasible, manually download and apply these special patches from the Microsoft Update Catalog (Windows Update does NOT work on Out-of-Support platforms). See https://support.microsoft.com/en-us/help/4500705/customer-guidance-for-cve-2019-0708.

If patching is not feasible, isolate the affected system from the campus network by disabling/disconnecting networking.

If network access is required, isolate the affected system behind a proxy, NAT gateway, or firewall and expose the Remote Desktop service to as small a network scope as possible (never to the Internet).

NOTE: The campus border blocks the default RDP port (TCP 3389) to reduce brute forcing. If you have configured Remote Desktop to use a different port to bypass that block for convenience, change it back to the default port and use the campus VPN to tunnel your remote RDP connections. A non-standard port is not a mitigation for this vulnerability: the service remains reachable from the Internet, and attackers scan for RDP on every port, not just 3389.

Until the patch is applied, requiring Network Level Authentication (NLA) on the host reduces exposure: the flaw is pre-authentication, and NLA forces the client to authenticate before a session is established. Microsoft lists NLA as a partial mitigation only; it is not a substitute for patching.
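As an added example that is not part of the CMU advisory, the following script carries out the interim steps above on a Windows 7 / Vista / Server 2008 (R2) host that cannot be patched immediately: it moves RDP back to TCP 3389 so the campus border block applies, requires Network Level Authentication, and limits inbound RDP to the VPN client range. The VPN range `10.0.0.0/8` is a placeholder assumption and must be replaced with the real range; the firewall rule name `RDP-VPN-only` is ours. It uses `netsh` rather than `New-NetFirewallRule` because those platforms lack the NetSecurity PowerShell module.

```powershell
# Added example, not part of the CMU advisory: interim hardening of RDP on a
# host that cannot be patched immediately. Run from an elevated prompt on
# Windows 7 / Vista / Server 2008 (R2). Uses netsh because these platforms lack
# the NetSecurity module (New-NetFirewallRule is Windows 8 / 2012 and later).
#
# Assumption (placeholder): the campus VPN hands out addresses in 10.0.0.0/8.
# Replace with the real VPN client range before running.
$VpnRange = '10.0.0.0/8'
$rdpKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# 1. Move RDP back to the default port so the campus border block covers it.
Set-ItemProperty -Path $rdpKey -Name PortNumber -Value 3389 -Type DWord

# 2. Require Network Level Authentication. The bug is pre-authentication; with
#    NLA the client must authenticate (CredSSP over TLS) before the vulnerable
#    session setup runs. SecurityLayer 2 = TLS; 0 would be the legacy RDP layer.
Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1 -Type DWord
Set-ItemProperty -Path $rdpKey -Name SecurityLayer      -Value 2 -Type DWord

# 3. Limit inbound 3389 to the VPN range. Windows Firewall evaluates block
#    rules before allow rules, so do NOT add a broad block rule (it would also
#    block the VPN). Instead: make the profile default block inbound, disable
#    the built-in any-source "Remote Desktop" allow rules, and add one allow
#    rule scoped to the VPN range.
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
netsh advfirewall firewall set rule group="Remote Desktop" new enable=no
netsh advfirewall firewall delete rule name="RDP-VPN-only" | Out-Null
netsh advfirewall firewall add rule name="RDP-VPN-only" dir=in action=allow `
    protocol=TCP localport=3389 remoteip=$VpnRange

# 4. Apply: the port and NLA settings are read when the service starts.
#    This drops any active RDP sessions.
Restart-Service -Name TermService -Force
```

NLA is not available on Windows XP or Server 2003 hosts, and NLA requires clients that support CredSSP, so very old RDP clients will no longer connect. Treat all of this as a stopgap: apply the patch from the Microsoft Update Catalog as soon as possible and re-audit the host afterwards.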