On May 15, 2019, the emergency response center of Alibaba Cloud Security detected that Microsoft released a security patch to fix the remote code execution vulnerability (CVE-2019-0708) of Windows Remote Desktop Services (RDS). Attackers can exploit this vulnerability to obtain Windows server privileges.

Description

Microsoft released a security patch to fix the remote code execution vulnerability (CVE-2019-0708) in Windows RDS. The vulnerability affects several earlier Windows versions and requires no user authentication: an unauthenticated attacker can connect to the target server over RDP port 3389 and send specially crafted requests that execute arbitrary commands on the server or spread to internal servers in a worm-like manner. The vulnerability is similar to the one exploited by ransomware such as WannaCry in 2017.

Severity level

CVE-2019-0708: Critical

Affected versions

  • Windows 7
  • Windows Server 2008 R2
  • Windows Server 2008
  • Windows Server 2003
  • Windows XP

Vulnerability fix

Note: Applying a vulnerability fix may cause unexpected errors, including a crash of the machine. We recommend that you back up your data or create a system image before you apply the fix.
  • Log on to the Security Center console, choose Precaution > Vulnerabilities in the left-side navigation pane, click the Windows System tab, and click Fix to fix the vulnerability.
  • Use the vulnerability patch released on the Microsoft website to fix the vulnerability.
    • We recommend that users of Windows 7, Windows Server 2008, and Windows Server 2008 R2 install the Windows security patch.
    • We recommend that users of Windows Server 2003 and Windows XP update the system or install the Windows security patch.

Vulnerability prevention

You can use security groups and the access control feature of Cloud Firewall to protect against this RDP vulnerability.

  • If you did not purchase the Cloud Firewall service, you can use the security group feature to temporarily deny inbound traffic to the RDP port and thereby block exploitation of this vulnerability.

    The following figure shows the detailed security group configuration.

    Security group configuration
  • If you have purchased the Cloud Firewall service, you can use Cloud Firewall north-south access control policies to control RDP and defend against vulnerabilities.
    1. Set Policy Action to Allow to permit inbound traffic to the RDP port from trusted sources.

      The following figure shows detailed configurations.

    2. Set Policy Action to Deny to block inbound traffic to the RDP port from untrusted sources.

      The following figure shows detailed configurations.

      Access policy for untrusted sources
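As an added example (not part of this advisory and not Alibaba Cloud's own tooling), the following script audits a list of security group ingress rules and reports every rule that still admits TCP 3389 from a source outside your trusted CIDR list. The rule records are a constructed sample whose field names are assumed to mirror the ECS DescribeSecurityGroupAttribute response; adapt them to whatever your API or export actually returns.

```python
"""Audit security-group ingress rules for RDP (TCP 3389) exposure."""
import ipaddress

RDP_PORT = 3389

# Constructed sample rules; field names are an assumption modelled on the
# ECS DescribeSecurityGroupAttribute response, not real account data.
SAMPLE_RULES = [
    {"Direction": "ingress", "IpProtocol": "TCP", "PortRange": "3389/3389",
     "SourceCidrIp": "0.0.0.0/0", "Policy": "Accept", "Priority": 1},
    {"Direction": "ingress", "IpProtocol": "TCP", "PortRange": "3389/3389",
     "SourceCidrIp": "203.0.113.0/24", "Policy": "Accept", "Priority": 1},
    {"Direction": "ingress", "IpProtocol": "ALL", "PortRange": "-1/-1",
     "SourceCidrIp": "198.51.100.0/24", "Policy": "Accept", "Priority": 10},
    {"Direction": "ingress", "IpProtocol": "TCP", "PortRange": "80/80",
     "SourceCidrIp": "0.0.0.0/0", "Policy": "Accept", "Priority": 1},
    {"Direction": "egress", "IpProtocol": "TCP", "PortRange": "3389/3389",
     "DestCidrIp": "0.0.0.0/0", "Policy": "Accept", "Priority": 1},
]


def covers_rdp(rule):
    """True if an ingress Accept rule can admit TCP traffic to port 3389."""
    if rule["Direction"] != "ingress" or rule["Policy"] != "Accept":
        return False
    if rule["IpProtocol"].upper() not in ("TCP", "ALL"):
        return False
    lo, hi = (int(p) for p in rule["PortRange"].split("/"))
    if (lo, hi) == (-1, -1):  # "-1/-1" denotes all ports
        return True
    return lo <= RDP_PORT <= hi


def untrusted_rdp_rules(rules, trusted_cidrs):
    """Return source CIDRs of rules exposing RDP beyond the trusted ranges."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = []
    for rule in rules:
        if not covers_rdp(rule):
            continue
        src = ipaddress.ip_network(rule["SourceCidrIp"])
        # A source is trusted only if it lies entirely inside a trusted CIDR.
        if not any(src.version == t.version and src.subnet_of(t)
                   for t in trusted):
            findings.append(rule["SourceCidrIp"])
    return findings


if __name__ == "__main__":
    for cidr in untrusted_rdp_rules(SAMPLE_RULES, ["203.0.113.0/24"]):
        print(f"RDP reachable from untrusted source: {cidr}")
```

A rule with IpProtocol ALL or a port range spanning 3389 is reported just like an explicit 3389/3389 rule, since either one leaves the port reachable.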

References

Remote code execution vulnerability (CVE-2019-0708) in Windows RDP