Critical Windows RDP issues - patch now!
Now is a good time to make sure that your Windows computers, particularly lab workstations and scientific instrument controllers, are fully patched. In particular, any computers that are connected to the campus network and running remote access services must be kept up to date on security patches. A security incident with your computer or lab device can result in severe disruption of your work, including potential data loss due to ransomware.
Vulnerabilities in Windows Remote Desktop:
Three separate critical vulnerabilities affecting the Windows Remote Desktop service were discovered in the last several months.
All three vulnerabilities can be exploited pre-authentication, meaning the attacker does not need to obtain an account password in order to seize control over a vulnerable computer. Exploitation requires no user interaction. These vulnerabilities affect computers that are running Window Remote Desktop services to receive inbound remote access sessions. They do not affect the Remote Desktop client software that users would use to connect in to computers running Windows Remote Desktop services.
All versions of Windows, including older versions, are affected by at least one of these three vulnerabilities.
Patches are available:
The first of the three vulnerabilities, CVE-2019-0708, was dubbed "BlueKeep" in the security press, and affects older versions of Windows, up to and including Windows 7 — specifically Windows 7, Windows Server 2008 R2, and Windows Server 2008, as well as the unsupported Windows 2003, Windows XP and Windows 2000. Microsoft was sufficiently concerned about an exploit for this problem being incorporated into a self-propagating worm that they released patches for two of the affected unsupported versions of Windows: Windows XP and Windows 2003. Special attention may be required in order to make sure that these older operating systems receive the patch. Note, however, that IMSS does NOT recommend running Remote Desktop or any other remote access service on unsupported operating systems. Computers running unsupported operating systems should be behind firewalls if they must be used at all, and should not run network-accessible services. More information about securing lab computers can be found on the IMSS website here.
The other two vulnerabilities affecting the Windows Remote Desktop service, which are sometimes referred to as BlueKeep II and III, are CVE-2019-1181 and CVE-2019-1182 and each affect all current versions of Windows: Windows 7 SP1 (if either RDP 8.0 or 8.1 is installed), Windows Server 2008 R2 SP1 (if either RDP 8.0 or 8.1 is installed), Windows Server 2012, Windows 8.1, Windows Server 2012 R2, and all supported versions of Windows 10, including server versions.
The best way to address these vulnerabilities is to apply the patches, by running Windows Update for supported operating systems or by manually applying the patches using the links above.
While restricting access to Remote Desktop at the network level can help mitigate this vulnerability, it is not a substitute for patching, as a vulnerable system could still be completely compromised via an infected computer on the same network. If the patch cannot be applied right away, consider disabling Remote Desktop entirely until patching is feasible.
If you are running a system that cannot be patched, disable Remote Desktop and do not run remote access services of any kind on unpatchable, vulnerable systems. Contact Information Security if you need guidance about how to secure such systems.