Critical Vulnerabilities Affecting Multiple Versions of Windows

Microsoft recently released patches for critical vulnerabilities that can be used to create automatically propagating viruses, also known as worms. The last time vulnerabilities of this severity were identified, the resulting ransomware worms, WannaCry and NotPetya, did billions of dollars of damage around the world within hours of each worm's release. To avoid similar consequences, systems should be patched as soon as possible: the timeline for a worm to be created is unpredictable, and there will not be time to react after a worm is released.

Because of the severity of these issues, Microsoft has taken the unusual step of releasing these patches for Windows XP and Server 2003. Any systems running these operating system versions should also be patched as soon as possible. Any vulnerable system is likely to be destroyed by ransomware at some point in the relatively near future.

Please see below for additional information about these vulnerabilities.

RDP Vulnerability (CVE-2019-0708)

  • This vulnerability makes it possible to establish an RDP connection without having to authenticate. [1]
  • Affects Windows 7, Windows Server 2008 R2, and Windows Server 2008.
  • Also affects Windows XP and Windows 2003.
  • Patches are available for all affected versions of Windows, including those out of support (XP and Server 2003).
  • Though no exploits of this vulnerability have been found yet, an exploit would be able to spread like a network worm, much like the WannaCry exploit of 2017. [2] That, along with the fact that RDP is one of the more exposed services on campus, makes staying ahead of this all the more important.

Other Critical Security Vulnerabilities

Microsoft patched 21 other critical security vulnerabilities in their Tuesday patch release, including a privilege escalation vulnerability in the Windows Error Reporting (WER) service (CVE-2019-0863) [3], a remote code execution vulnerability in the Windows DHCP service (CVE-2019-0725) and multiple arbitrary code execution issues with Microsoft Edge, Internet Explorer and Microsoft Word (CVE-2019-0884, CVE-2019-0911, CVE-2019-0918, CVE-2019-0926, CVE-2019-0929, CVE-2019-0953). [4]

Recommended Action for You to Take

ISC Office of Information Security (OIS) advises schools and centers to evaluate and apply these critical patches as quickly as possible.

Actions OIS is Taking

  • The campus firewall is currently blocking traffic associated with the Windows Error Reporting Service vulnerability (CVE-2019-0863). The campus firewall has yet to see any attempted exploit of CVE-2019-0863.
  • There is no traffic signature available for the campus firewall to block exploit traffic against the RDP vulnerability. Should one become available, it will be applied.
  • As you know, the campus maintains no single repository of hosts by operating system, so it's up to local IT shops' inventories and our campus scans to identify hosts that may be affected. To that end, we have launched a campus-wide scan using the Nessus vulnerability scanner, searching only for a host's susceptibility to these two vulnerabilities. We will send the results of the Nessus scans to your school or center's Security Liaison as soon as we have them, and we may conduct further scans to supplement those results.

Thank you for helping to keep Penn systems safe.

References

[1] https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708

[2] https://krebsonsecurity.com/2019/05/microsoft-patches-wormable-flaw-in-windows-xp-7-and-windows-2003/

[3] https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0863

[4] https://blog.talosintelligence.com/2019/05/MS-Patch-Tuesday-May-2019.html