Microsoft RDP Pre-authentication Vulnerability

By   ISBuzz Team
Writer , Information Security Buzz | May 20, 2019 07:30 am PST

It has been reported that fears of a massive global computer virus outbreak have prompted Microsoft to issue security updates for very old versions of its Windows software.One patch is for Windows XP, which debuted in 2001 and Microsoft stopped supporting in 2014. Microsoft said the patch closed a hole that could be used to spread a virus. Malicious hackers exploiting it could kick off a worldwide outbreak like the 2017 Wannacry worm, which hit thousands of machines. 

Oleg Kolesnikov, Vice President of Threat Research and Head of Research Labs at Securonix:

“The new critical Microsoft RDP pre-authentication vulnerability (CVE-2019-0708) is currently being actively discussed in the security community. One of the reasons why this is viewed as a very serious issue is not only because it is remotely exploitable, does not require authentication, and involves a significant attack surface with Remote Desktop Protocol (RDP) being so prevalent and frequently used by malicious threat actors, but also because this security issue was serious enough for Microsoft to release a patch for end-of-life (EOL) OS components including Windows XP, which does not happen very often. This did happen in case of the MS17-010 ETERNALBLUE security issue in 2017, where Microsoft released an out-of-band security patch involving EOL components. This is one of the reasons why some of the security researchers view this new RDP pre-authentication security issue as the issue that can be used in the next-gen Wannacry/ETERNALBLUE-like worm. However, it is important to note that, when Microsoft issued the Wannacry patch, the exploit for the MS17-010 security issue used in Wannacry, ETERNALBLUE, was already publicly available. This is not the case for the new CVE-2019-0708.

Still, the details available about this critical security issue indicate that this can have a significant impact even though there may not yet be a publicly available exploit. Specifically, we go into a lot of detail of the Wannacry ETERNALBLUE exploit with my students in the cybersecurity classes at Northeastern, and one of the key takeaways about the vulnerabilities used in Wannacry/NotPetya/ETERNALBLUE vs. the new Microsoft RDP pre-authentication vulnerability in terms of the likely real-world attack impact is the fact that the original ETERNALBLUE SMB exploit was fairly complex (effectively, three different vulnerabilities were combined in a single exploit) and required on the order of 50-60 kernel non-paged pool grooming memory allocations to enable remote code execution (RCE), which was fairly noisy in terms of the ability for the blue team to detect the malicious activity on the targets. Also, the exploit was not triggered at all times, and often required running for some time before successful RCE, sometimes causing targets to reboot when the relevant Windows LSASS service crashed.  Despite all of the limitations and complexity, as we have seen, the Wannacry and NotPetya ransomware using the ETERNALBLUE exploit had massive impact around the world in 2017. In contrast to Wannacry/ETERNALBLUE SMB vulnerability, the new RDP pre-auth vulnerability appears to be less complex to exploit (based on unconfirmed reports, likely a single vector is leveraged e.g. IcaBindVirtualChannels/IcaReBindVirtualChannels/termdd.sys), and the attack surface involved appears to be comparable if not larger.

Furthermore, while we currently are not aware of a known public exploit for this issue, we are aware that Microsoft released patches for this, and one of the problems with patches is that they can typically be reverse engineered and used to reconstruct the exploit, so it’s only a matter of time before malicious threat actors are able to exploit this effectively. In fact, based on our security monitoring, there have been some reports of this or a very similar Windows pre-authentication security vulnerability that was likely offered for sale on one of the underground market around September 2018 for about US$500k, which indicates that the known exploit for this high-profile vulnerability may already be available to malicious threat actors.”

Notify of
0 Expert Comments
Inline Feedbacks
View all comments

Recent Posts

Would love your thoughts, please comment.x