Alert: Remote Desktop Protocol (RDP) Remote Code Execution Vulnerability (CVE-2019-0708)
- Source: SANGFOR Security Center
- Date Published: 2019-05-30
Remote Desktop Component
The Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft that provides a user with a graphical interface for connecting to another computer over a network connection. Clients exist for most versions of Microsoft Windows and for other modern operating systems. The RDP server is part of the Microsoft Windows operating system; it receives connection requests from clients and gives the user a graphical session on the remote system over a network or Internet connection. By default, the server listens on TCP port 3389 for RDP connection requests from clients.
Typically, RDP (remote sessions) is configured on a server in the enterprise network so that distributed clients can connect to it. It can be used for remote management and access and for delivering applications centrally. Administrators often use this protocol to access a user's computer remotely for troubleshooting. If RDP is configured improperly or has a vulnerability, it poses a risk to the enterprise, since unauthorized users may gain access to core business systems on the corporate network.
As of now, more than 1.25 million assets around the globe are RDP-capable. The two countries with the most RDP-capable assets are China and Germany, in that order, with China well ahead of Germany.
(Statistics come from FOFA, based on assets open to the Internet)
Figure 1 Global RDP-capable Asset Distribution Around the Globe
According to the data, RDP is used most in China, which has the largest user base. The three provinces with the most RDP users are Beijing, Zhejiang and Guangdong: Beijing has reached 864,982 users, Zhejiang more than 570,000 and Guangdong 270,000. Protection against this RDP vulnerability therefore deserves particular attention.
(Statistics come from FOFA, based on assets open to the Internet)
Figure 2 RDP-capable Asset Distribution in China
CVE-2019-0708 is a critical remote code execution vulnerability. An attacker can exploit it by sending requests to a vulnerable target machine that is running RDP. The vulnerability is pre-authentication and requires no user interaction. An unauthenticated attacker who successfully exploits it could install programs; view, change or delete data; or create new accounts with full user rights.
The vulnerability could be incorporated into future malware and used to propagate from one vulnerable computer to another, in the same way that WannaCry spread across the globe in 2017.
The Remote Desktop Protocol sets up connections between clients and servers and defines virtual channels for transferring data between them. A virtual channel is a bidirectional data tunnel that can be used to extend RDP. In RDP, Windows Server 2000 defines 32 Static Virtual Channels (SVCs); because of this restriction on the number of channels, Dynamic Virtual Channels (DVCs) are also defined, and DVCs are carried within an SVC. An SVC is established when a session starts and kept until the session is terminated, whereas a DVC is established or torn down as needed.
The two functions in termdd.sys that are modified by the patch released by Microsoft, IcaBindVirtualChannels and IcaRebindVirtualChannels, are the ones used to bind the 32 SVCs.
As shown in Figure 3, the RDP Connection Sequence begins before security commencement, which gives attackers the opportunity to exploit this vulnerability (CVE-2019-0708).
Figure 3 RDP Connection Sequence
The channel named "MS_T120" is bound to the reference channel with index 31 at the time of GCC Conference Initialization and is used only internally by Microsoft. There is no documented legitimate reason for a typical client application to establish an SVC with this channel name when connecting to an RDP server.
Figure 4 shows a standard GCC Conference Initialization.
Figure 4 GCC Conference Initialization
However, attackers can use the MS_T120 channel name on a channel index other than 31 during GCC Conference Initialization, which may cause a heap memory corruption and remote code execution.
Figure 5 displays abnormal requests initiated at the time of GCC Conference Initialization.
Figure 5 Abnormal Requests During GCC Conference Initialization
3. Patched Functions
The figure below illustrates the components involved in managing the MS_T120 channel. The files rdpwsx.dll and rdpwp.sys are responsible for allocating heap memory for the MS_T120 channel. Heap memory corruption occurs in termdd.sys when the MS_T120 reference channel is processed in the context of a channel other than 31.
Figure 6 RDP Related Components
By analyzing the patch Microsoft released to fix the vulnerability (CVE-2019-0708), we found that it modifies two functions in the RDP driver (termdd.sys): _IcaBindVirtualChannels and _IcaRebindVirtualChannels.
Figures 7 and 8 show that Microsoft patches these functions by adding a check for client connection requests that use the channel name "MS_T120", ensuring that it binds to channel 31 (1Fh) only.
Figure 7 Patched Function Analysis
Figure 8 Patched Function Analysis
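As an added example (not Sangfor's code and not part of the original advisory), the following Python parses the client network data block (TS_UD_CS_NET, the channel list a client submits during GCC Conference Initialization) and flags any request for the MS_T120 channel: the abnormal request of Figure 5, and the condition the patched check in Figures 7 and 8 rejects. The two sample blocks, their options values and the case-insensitive name match are our constructed assumptions.

```python
import struct

# Field layout from MS-RDPBCGR (TS_UD_CS_NET block and its CHANNEL_DEF entries).
CS_NET_TYPE = 0xC003       # header.type of the client network data block
CHANNEL_DEF_LEN = 12       # name[8] (ANSI, NUL padded) + options[4]
MAX_CLIENT_CHANNELS = 31   # protocol maximum for channelCount


def parse_cs_net(block: bytes) -> list:
    """Return the channel names a client requests in a TS_UD_CS_NET block, in order.
    A name's position in this array becomes the channel's index on the server."""
    if len(block) < 8:
        raise ValueError("block too short for a CS_NET header")
    hdr_type, hdr_len, count = struct.unpack_from("<HHI", block, 0)
    if hdr_type != CS_NET_TYPE:
        raise ValueError("not a CS_NET block: type 0x%04x" % hdr_type)
    if count > MAX_CLIENT_CHANNELS:
        raise ValueError("channelCount %d exceeds the protocol maximum" % count)
    if hdr_len != 8 + count * CHANNEL_DEF_LEN or len(block) < hdr_len:
        raise ValueError("CS_NET length field disagrees with channelCount")
    names = []
    for i in range(count):
        off = 8 + i * CHANNEL_DEF_LEN
        raw = block[off:off + 8].split(b"\x00", 1)[0]
        names.append(raw.decode("ascii", errors="replace"))
    return names


def find_ms_t120_requests(block: bytes) -> list:
    """Return [(index, name)] for every client-requested channel named MS_T120.
    The server binds MS_T120 itself at index 31 and channelCount is capped at 31, so a
    client can only place this name on another index: every hit is the abnormal request.
    Matching is case-insensitive as a conservative detection choice (our assumption)."""
    return [(i, n) for i, n in enumerate(parse_cs_net(block)) if n.upper() == "MS_T120"]


def channel_def(name: str, options: int) -> bytes:
    """Encode one CHANNEL_DEF entry; used here only to build the constructed samples."""
    return name.encode("ascii").ljust(8, b"\x00") + struct.pack("<I", options)

# Constructed samples, not real captures. A typical client asks for device redirection
# and clipboard channels only; the second block additionally names MS_T120 at index 2.
BENIGN_CS_NET = (struct.pack("<HHI", CS_NET_TYPE, 8 + 2 * CHANNEL_DEF_LEN, 2)
                 + channel_def("rdpdr", 0x80800000) + channel_def("cliprdr", 0xC0A00000))
ABNORMAL_CS_NET = (struct.pack("<HHI", CS_NET_TYPE, 8 + 3 * CHANNEL_DEF_LEN, 3)
                   + channel_def("rdpdr", 0x80800000) + channel_def("cliprdr", 0xC0A00000)
                   + channel_def("MS_T120", 0x80800000))

if __name__ == "__main__":
    print(find_ms_t120_requests(BENIGN_CS_NET))    # []
    print(find_ms_t120_requests(ABNORMAL_CS_NET))  # [(2, 'MS_T120')]
```

In a sensor the block would come from the gccCCrq payload of the MCS Connect Initial PDU; a hit is worth an alert on its own, since no legitimate client needs this channel.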
The above are the analysis details we have produced so far. We will continue to track this vulnerability.
Affected versions:
- Microsoft Windows XP
- Microsoft Windows Server 2008 R2 for x64-based Systems SP1
- Microsoft Windows Server 2008 R2 for Itanium-based Systems SP1
- Microsoft Windows Server 2008 for x64-based Systems SP2
- Microsoft Windows Server 2008 for Itanium-based Systems SP2
- Microsoft Windows Server 2008 for 32-bit Systems SP2
- Microsoft Windows Server 2003
- Microsoft Windows 7 for x64-based Systems SP1
- Microsoft Windows 7 for 32-bit Systems SP1
For Sangfor NGAF customers, simply update to the latest corresponding security protection feature.
1. Install the security update patch released by Microsoft promptly:
Microsoft fixed the vulnerability on May 14, 2019. Users can install the Microsoft security updates. Download the patch from the following link:
Security updates for Windows Server 2003 and Windows XP, which are no longer covered by regular Microsoft updates:
2. Mitigation (an alternative if Microsoft security updates are not available):
- If users do not need Remote Desktop Services, it is recommended to disable the service.
- Turn on Network Level Authentication (NLA) on Windows 7, Windows Server 2008 and Windows Server 2008 R2.
- Temporarily change the RDP connection port. The default port is 3389.
- Use ACLs to restrict the sources from which RDP access is permitted.
- Use an RDP gateway to carry traffic securely from the remote client to the local device. RDP gateways can prevent or minimize direct remote access and give organizations better control over user roles, access rights and authentication requirements.
The above mitigation measures reduce exposure to this vulnerability only temporarily and partially. It is strongly recommended to install the Microsoft security updates as soon as possible.