2025-01-18 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
This article presents an example analysis of how the RDP remote vulnerability CVE-2019-0708 was found being exploited in the wild for coin mining. The content is concise and easy to follow; I hope the detailed introduction gives you something useful.

Document information
Number: QiAnXinTI-SV-2019-0006
Keyword: RDP CVE-2019-0708
Release date: May 15, 2019
Update date: November 02, 2019
TLP: WHITE
Analysis team: QiAnXin Virus Response Center
Notice

Overview
On May 15, 2019, Microsoft released its May patch updates, among them a Remote Desktop Services (RDP) remote code execution vulnerability rated critical. By sending specially crafted malicious data, an attacker can execute arbitrary code on the target system and gain full remote control of the machine without any user authentication. The systems mainly affected are Windows 7, Windows Server 2008, and the Windows 2003 and Windows XP systems that Microsoft no longer supports; these systems are still widely used in China, so the impact of this vulnerability is huge. As of September 7, 2019, the QiAnXin Global Hawk system estimated that there were still 100,000 affected RDP servers on the Internet that could be attacked directly. Because exploitation requires no user interaction and the attack surface is huge, the vulnerability is very likely to be exploited by worms; if exploitation becomes stable, it could lead to a situation similar to the WannaCry worm outbreak.
The Red Raindrop team of the QiAnXin Threat Intelligence Center followed the vulnerability immediately and has kept tracking it. It has been confirmed that exploiting the vulnerability can at least reliably trigger a blue-screen crash of an affected system, causing denial of service. By May 31, POC code that can crash the system to a blue screen had been released through public channels, and an attacker could use that POC tool to carry out remote denial-of-service attacks against large numbers of vulnerable systems. By September 7, 2019, a Metasploit module capable of remote code execution had been released publicly; as the related technique spreads, it has become a real worm-level security threat. On November 2, 2019, researchers discovered an in-the-wild attack exploiting this vulnerability.
Microsoft has released security patches for this vulnerability (including for old operating systems that no longer receive technical support); users are strongly advised to install the patches or apply other mitigations immediately to avoid the related threats.
Vulnerability summary
Vulnerability description
The vulnerability exists in Windows Remote Desktop Services. The technical details are known but will not be described here. Exploitation requires no user authentication: by constructing a malicious request, an attacker can trigger arbitrary instruction execution and take unauthorized control of the system.
Impact area assessment
This vulnerability affects Windows 7, Windows Server 2008, and the Windows 2003 and Windows XP systems that Microsoft no longer supports. Technical evaluation shows that a large number of unpatched RDP services are still online. Moreover, by September 7, 2019, an exploit capable of remote command execution had been released through public channels as a Metasploit module, forming a very clear and urgent worm-level real threat. At present there are a large number of unrepaired hosts in China, which needs to be taken seriously.
Vulnerability-related event timeline
The QiAnXin Threat Intelligence Center summarizes the timeline from Microsoft's vulnerability announcement to the discovery of in-the-wild attacks exploiting this vulnerability:
1. May 14, 2019
Microsoft issued a security advisory and the corresponding patch for the Remote Desktop Services code execution vulnerability CVE-2019-0708, with a dedicated note pointing out that this is a critical vulnerability that could lead to the spread of worms.
2. May 15, 2019
The QiAnXin Threat Intelligence Center issued a vulnerability early warning and handling plan; QiAnXin's security product line then released vulnerability detection and repair tools.
3. 22 May 2019
The QiAnXin Red Raindrop team released a non-destructive vulnerability scanning tool and added it to the QiAnXin vulnerability detection and repair tool.
4. May 23, 2019
POC programs with a non-destructive vulnerability scanning function appeared in public channels on the Internet.
5. May 25, 2019
Hackers began to scan for vulnerable devices on a large scale.
6. 30 May 2019
Microsoft issued another reminder to fix the CVE-2019-0708 vulnerability; given its severity, users are strongly advised to upgrade and fix it as soon as possible.
7. 31 May 2019
POC code that can trigger a blue screen appeared in public channels on the Internet. The Red Raindrop team of the QiAnXin Threat Intelligence Center confirmed that the POC works, and the real threat posed by the vulnerability escalated further.
Combined with the fact that attackers have already scanned and collected vulnerable devices on a large scale, it is very likely that vulnerable hosts will be attacked in bulk, resulting in large-scale denial of service. The QiAnXin Threat Intelligence Center reminds you to check your assets and fix the vulnerability on affected equipment.
8. 31 July 2019
The commercial exploit kit Canvas added an exploitation module for CVE-2019-0708.
9. September 7, 2019
A Metasploit exploitation module for CVE-2019-0708 was released through public channels and its effectiveness has been verified; it now poses a real worm threat.
10. November 2, 2019
A real attack exploiting CVE-2019-0708 was found in the wild; the payload is a coin-mining program.
Handling suggestions: repair method
1. The software vendor Microsoft has released the corresponding patch for this vulnerability; applying the relevant update is recommended.
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0708#ID0EWIAC
Patches for Windows XP and Windows 2003 can be downloaded at the following link:
https://support.microsoft.com/en-us/help/4500705/customer-guidance-for-cve-2019-0708
Temporary solution
1. If the patch cannot be installed for the time being, you can temporarily avoid the impact of this vulnerability by enabling Network Level Authentication (NLA) on the system.
2. At the enterprise perimeter, block connections to TCP port 3389 at the firewall, or filter the access sources to the relevant servers so that only trusted IPs may connect.
3. If there is no clear need for it, disable the Remote Desktop service.
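The three interim mitigations above can be audited and applied on an affected host with a short script. The following PowerShell is an added example written for this page; it is not part of the QiAnXin advisory or of Microsoft's guidance. It assumes an elevated PowerShell 2.0+ session on a Windows 7 / Server 2008-era host, a constructed sample management subnet in $TrustedSources, and a placeholder $PatchKb standing in for the KB number of this OS's CVE-2019-0708 update (listed in the MSRC advisory linked above). It uses netsh rather than New-NetFirewallRule because the latter cmdlet does not exist on those older systems.

```powershell
# Added example (not from the advisory or Microsoft): audit a host for CVE-2019-0708
# exposure and apply the advisory's three interim mitigations if it is unpatched.
param(
    [string[]]$TrustedSources = @('10.0.0.0/24'),   # constructed sample management subnet
    [string]$PatchKb = 'KB<placeholder>',            # placeholder: real KB comes from the MSRC advisory
    [switch]$DisableRdp                              # mitigation 3: only when RDP is not needed
)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

# ---- Audit: is the host still exposed? --------------------------------------
$patched    = [bool](Get-HotFix -Id $PatchKb -ErrorAction SilentlyContinue)
$rdpEnabled = (Get-ItemProperty -Path $tsKey  -Name fDenyTSConnections).fDenyTSConnections -eq 0
$nlaOn      = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication).UserAuthentication -eq 1
$listening  = [bool](netstat -ano | Select-String ':3389\s+\S+\s+LISTENING')

Write-Host ("Patch {0} installed : {1}" -f $PatchKb, $patched)
Write-Host ("RDP enabled         : {0}" -f $rdpEnabled)
Write-Host ("NLA required        : {0}" -f $nlaOn)
Write-Host ("TCP 3389 listening  : {0}" -f $listening)

if ($patched) { Write-Host 'Host is patched; no interim mitigation needed.'; return }

# ---- Mitigation 1: require Network Level Authentication ---------------------
# With NLA on, a client must authenticate before the RDP session is set up, so an
# unauthenticated client never reaches the vulnerable pre-authentication stage.
if (-not $nlaOn) {
    Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1 -Type DWord
    Write-Host 'NLA enabled; applies to new connections.'
}

# ---- Mitigation 2: limit TCP/3389 to trusted sources at the host firewall ---
# Windows Firewall evaluates block rules before allow rules, so a block-all rule
# would also block the trusted subnet. Instead: keep the profile default of
# blocking unsolicited inbound traffic, disable the built-in any-source RDP rule,
# and add one allow rule scoped to the trusted networks.
$remoteIp = $TrustedSources -join ','
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound | Out-Null
netsh advfirewall firewall set rule "name=Remote Desktop (TCP-In)" new enable=no | Out-Null
netsh advfirewall firewall delete rule "name=RDP 3389 trusted sources only" | Out-Null
netsh advfirewall firewall add rule "name=RDP 3389 trusted sources only" dir=in action=allow protocol=TCP localport=3389 "remoteip=$remoteIp" | Out-Null
Write-Host ("TCP 3389 now allowed only from: {0}" -f $remoteIp)

# ---- Mitigation 3: disable Remote Desktop entirely if it is not needed ------
if ($DisableRdp) {
    Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1 -Type DWord
    Write-Host 'Remote Desktop connections disabled.'
}
```

Run it once without -DisableRdp to see the audit output and apply mitigations 1 and 2; add -DisableRdp on hosts where Remote Desktop is not required. The firewall rule is a host-level complement to the perimeter filtering the advisory recommends, not a replacement for installing the patch.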
The above is an example analysis of RDP remote vulnerability CVE-2019-0708 being discovered and exploited in the wild for coin mining. Have you learned any knowledge or skills? If you want to learn more skills or enrich your knowledge, you are welcome to follow the industry information channel.