Microsoft has released security updates to address a remote code execution vulnerability (CVE-2019-0708) in Remote Desktop Services on the following operating systems:
- Supported systems:
  - Windows 7,
  - Windows Server 2008 R2, and
  - Windows Server 2008
- Systems that are no longer supported:
  - Windows 2003 and
  - Windows XP
A remote attacker could exploit this vulnerability to take control of an affected system.
CISA (Cybersecurity and Infrastructure Security Agency) encourages users and administrators to review the Microsoft Security Advisory and Microsoft Customer Guidance for CVE-2019-0708 and decide on the correct mitigation for their organization. Here are some common mitigation options:
- Upgrade to Windows 10
- Disable Remote Desktop Services if they are not required
- Workaround options:
  - Enable Network Level Authentication (NLA) to block unauthenticated attackers from exploiting this vulnerability. With NLA turned on, an attacker would first need to authenticate to Remote Desktop Services using a valid account on the target system before the attacker could exploit the vulnerability.
  - Block TCP port 3389 at the network perimeter firewall. This port is used to initiate a connection with the affected component, so blocking it helps protect systems behind that firewall from exploitation attempts that originate outside the enterprise perimeter, and it is the best defense to help avoid Internet-based attacks. However, systems could still be vulnerable to attacks from within their enterprise perimeter.
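To check a host against the workarounds above, the following PowerShell script reports whether Remote Desktop is enabled, whether NLA is required, and which port the listener uses. It is an added example, not code from CISA or Microsoft; the function name `Get-RdpExposure`, the `-EnforceNla` switch and the `ReachableWithoutNla` field are names chosen here. It does not check whether the security update is installed.

```powershell
# Added example: audit the RDP settings behind the mitigations listed above.
# Read-only unless -EnforceNla is passed. Avoids PowerShell 3+ syntax so it
# also runs on the stock PowerShell 2.0 of Windows 7 / Server 2008 R2.
param([switch]$EnforceNla)

$tsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey    = "$tsKey\WinStations\RDP-Tcp"
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RdpExposure {
    $ts  = Get-ItemProperty -Path $tsKey
    $rdp = Get-ItemProperty -Path $rdpKey
    $pol = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    $svc = Get-Service -Name TermService -ErrorAction SilentlyContinue

    # A Group Policy value, when present, overrides the local listener setting.
    $nla = $rdp.UserAuthentication
    if ($pol -and $null -ne $pol.UserAuthentication) { $nla = $pol.UserAuthentication }

    $status = 'NotInstalled'
    if ($svc) { $status = $svc.Status }

    $enabled = ($ts.fDenyTSConnections -eq 0)   # 0 = remote connections accepted
    $nlaOn   = ($nla -eq 1)                     # 1 = NLA required before a session

    New-Object PSObject -Property @{
        ComputerName        = $env:COMPUTERNAME
        ServiceStatus       = $status
        RdpEnabled          = $enabled
        NlaRequired         = $nlaOn
        Port                = $rdp.PortNumber   # 3389 unless reconfigured
        # True when RDP accepts connections and NLA is not in force
        ReachableWithoutNla = ($enabled -and -not $nlaOn)
    }
}

if ($EnforceNla) {
    # Workaround from the list above: require NLA on the RDP-Tcp listener.
    Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1
}

Get-RdpExposure
```

Run it from an elevated prompt. `-EnforceNla` changes only the local listener setting, so a Group Policy value still takes precedence.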