H-ISAC TIC Vulnerability Bulletin

Date: 7/24/2019 (originally issued 5/14/2019)
Event: Update: CVE-2019-0708 Remote Desktop Services Remote Code Execution Vulnerability
Update Notes: (7/24/2019)

1. More manufacturers added to the attached appendix along with a link to their public advisory
2. Added mention of availability of Immunity CANVAS exploit module.

The only requirement for exploitability is the ability to communicate with the RDP server. Multiple individuals and groups at Zerodium, McAfee, Qihoo 360, RiskSense, Sophos, and others have privately developed working Remote Code Execution (RCE) exploits, but have not made them publicly available. Immunity has an exploit module in their CANVAS product. No active exploitation has been observed in the wild at this time, but there are publicly available exploits that can cause Denial of Service (DoS).

Most vulnerability scanning vendors [10,11] should be able to detect the presence of the associated KBs, remotely detect the vulnerability, and determine whether Network Level Authentication is required. There are also multiple dedicated tools [12,13,14] to detect the vulnerability, including a Metasploit module [15]. Many security vendors have partial "signatures" for detecting/preventing exploitation, but these only work when the session is not using TLS, which some Proof of Concept (PoC) exploits are starting to use. Members should consult with their respective endpoint security & vulnerability scanning vendors for further information. There are multiple Internet search engines and reporting services [16,17,18,19] that can help to identify external RDP servers, but be aware that some ISPs block them, so their results may not be comprehensive.

Assessment: There's a remotely exploitable, wormable, pre-authentication vulnerability in a very popular server (initial reporting showed almost 1 million vulnerable RDP servers accessible on the Internet; RHS Notes: Current published number is ~800,000). The healthcare vertical makes heavy use of internet-facing RDP servers to enable various business and support functions. It is likely that significant vertical-wide disruptions will occur when the exploit is eventually made public.

Recommended Course of Action (COA):
• Consider requiring Network Level Authentication as an immediate short-term partial mitigation, or disabling RDP on systems that don’t require it.
• Execute emergency patching procedure. Ensure external and internal systems are fully patched.
• Consider any network links with third parties and assess potential impact if the third party should be compromised.
• Identify external assets with RDP enabled and remediate immediately.
• Contact supply chain partners to ensure affected devices are patched.
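
To confirm that the Network Level Authentication recommendation has actually taken effect on your own RDP hosts, the remote check mentioned above can be reduced to one negotiation exchange. The following is an added example, not part of the original bulletin or any vendor tool: it requests legacy RDP security only and reads the server's reply. The function names and sample replies are constructed for illustration; the constants are the negotiation values defined in MS-RDPBCGR.

```python
import socket
import struct

# Values from MS-RDPBCGR (RDP negotiation request/response/failure).
PROTOCOL_RDP = 0x00000000         # legacy RDP security: no TLS, no CredSSP
TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03
SSL_REQUIRED_BY_SERVER = 0x01
HYBRID_REQUIRED_BY_SERVER = 0x05  # server accepts CredSSP (NLA) only

def build_request(requested=PROTOCOL_RDP):
    """TPKT + X.224 Connection Request carrying one RDP_NEG_REQ."""
    neg = struct.pack("<BBHI", 0x01, 0x00, 8, requested)
    x224 = struct.pack(">BBHHB", 6 + len(neg), 0xE0, 0, 0, 0) + neg
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224

def classify(resp):
    """Map an X.224 Connection Confirm to an NLA verdict."""
    if len(resp) < 11 or resp[0] != 3 or (resp[5] & 0xF0) != 0xD0:
        return "unknown"               # not a TPKT/Connection Confirm
    if len(resp) < 19:
        return "nla-not-required"      # no negotiation block: legacy RDP accepted
    neg_type, _flags, _length, value = struct.unpack_from("<BBHI", resp, 11)
    if neg_type == TYPE_RDP_NEG_RSP:
        return "nla-not-required"      # server agreed to a non-CredSSP protocol
    if neg_type == TYPE_RDP_NEG_FAILURE:
        if value == HYBRID_REQUIRED_BY_SERVER:
            return "nla-required"
        if value == SSL_REQUIRED_BY_SERVER:
            return "nla-not-required"  # TLS enforced, CredSSP is not
    return "unknown"

def probe(host, port=3389, timeout=5.0):
    """Check one host from your own asset inventory."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_request())
        return classify(sock.recv(1024))

# Constructed sample replies (not captured traffic), so this runs offline.
SAMPLES = {
    "nla enforced": bytes.fromhex("030000130ed000001234000300080005000000"),
    "legacy reply": bytes.fromhex("0300000b06d00000123400"),
    "rdp accepted": bytes.fromhex("030000130ed000001234000200080000000000"),
}

if __name__ == "__main__":
    for name, reply in SAMPLES.items():
        print(f"{name}: {classify(reply)}")
```

The verdict covers NLA enforcement only, which the bulletin treats as a partial mitigation; patch status still has to be confirmed separately.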