Last week Microsoft released a fix for a critical Remote Code Execution vulnerability, CVE-2019-0708. It resolves a vulnerability in the RDP service implementation– the RDP protocol itself is not affected. Microsoft broke its own patching policy and published freely available security patches even for out of support operating systems. This fact demonstrates how serious this matter should be taken.
This vulnerability is ‘wormable’, like WannaCry was in 2017 or Stuxnet back in 2008. But what does this mean? This means the vulnerability can be triggered without authentication or user interaction. Therefore, malware could exploit the vulnerability fully automated and spread in your network autonomously.
A few days ago, only Microsoft had a Proof of Concept for the vulnerability, but this seems not to be the case anymore. Some of our larger industrial customers already report that can identify at least attempts of exploitation of the vulnerability on their systems. It may be assumed that malware authors have unsurprisingly been very busy developing working exploits and are using them. This shows that time is crucial right now, and that measures need to be taken to protect your system against exploitation.
It is mainly older Windows versions that are affected like Windows 2003, Windows XP, Windows Server 2008, Windows Server 2008 R2 and Windows 7. For IT, this might not be a huge issue, but in OT, many industrial control systems still use the majority of those operating systems in production. Many of those PC-based systems, like Human Machine Interfaces (HMIs), Engineering Workstations (EWS) running XP or Windows 7, or possibly even Control Servers/SCADA Masters e.g. running Windows Server 2003/2008 are affected by this vulnerability, if they run Remote Desktop Services.
When you are running industrial control systems however, you might not be able to push your patch to the shopfloor immediately. Before you deploy a patch, you want to be sure that it will not break the actual control functionality of your system.
As a mitigation until you have verified patch compatibility, we highly suggest you should ensure that you deactivate the RDP port through firewalling measures. This ensures it is not accessible from outside your company’s network. Furthermore, Microsoft suggests there is a partial mitigation when the system has Network Level Authentication (NLA) activated. This does not resolve the vulnerability, but the attacker must successfully authenticate first. This makes it harder to exploit the vulnerability for an attacker without credentials. Patching, even when NLA is activated, is highly recommended nonetheless. For legacy systems which are out of support already, Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) might be an option as well, however it requires compatibility testing with your OT applications as any software change.
In case you are on Windows 7, Windows Server 2008 or Windows Server 2008 R2 you will be provided with the patch via the automatic update service. If you are still running Windows XP or Windows 2003 you need to load the patch from a different Microsoft page and push it to your systems yourself.