According to the information provided by Microsoft, successful exploitation requires only network access to a host or server running a vulnerable version of the Windows operating system. If the service is exposed on the perimeter, the vulnerability can therefore be exploited directly from the Internet, with no additional delivery method. Recommended protective measures are under the cut.
At the moment, the vulnerability is relevant for several dozen organizations in Russia and more than 2 million organizations worldwide, and the potential damage from delaying a prompt response and protective measures will be comparable to the damage caused by the vulnerability in the SMB protocol CVE-2017-0144 (EternalBlue).
To exploit this vulnerability, an attacker only needs to send a specially crafted request to the remote desktop service of the target system over RDP (the RDP protocol itself is not vulnerable).
It is important to note that any malware that uses this vulnerability can spread from one vulnerable computer to another in a manner similar to the WannaCry ransomware that spread throughout the world in 2017.
The affected versions of Windows OS are:
- Windows 7 for 32-bit Systems Service Pack 1
- Windows 7 for x64-based Systems Service Pack 1
- Windows Server 2008 for 32-bit Systems Service Pack 2
- Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
- Windows Server 2008 for Itanium-Based Systems Service Pack 2
- Windows Server 2008 for x64-based Systems Service Pack 2
- Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
- Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
- Windows Server 2008 R2 for x64-based Systems Service Pack 1
- Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
- Windows XP SP3 x86
- Windows XP Professional x64 Edition SP2
- Windows XP Embedded SP3 x86
- Windows Server 2003 SP2 x86
- Windows Server 2003 x64 Edition SP2
We recommend promptly:
- If an RDP service on a vulnerable OS is exposed on the external perimeter, close that access until the vulnerability is fixed.
- Install the required Windows updates, starting with the perimeter hosts and then across the entire infrastructure: patch for Windows 7, Windows 2008, Windows XP, Windows 2003.
Possible additional compensating measures:
- Enable Network Level Authentication (NLA). However, vulnerable systems remain exposed to remote code execution (RCE) if an attacker holds valid credentials that allow successful authentication.
- Disable RDP until the update is installed and use alternative methods of access to resources.
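The following PowerShell script is an added example and is not part of the original post: it audits and applies the measures listed above on a local Windows 7 / Server 2008 host (patch check, NLA, disabling RDP, blocking the inbound listener). The registry values it reads and writes are the standard Terminal Server settings; the `KB<PLACEHOLDER>` id and the function names are assumptions of this example, the real KB number comes from the vendor update for the affected OS. Windows XP / Server 2003 have no PowerShell by default, so the same registry values would be set there with `reg.exe`.

```powershell
# Added example (not from the original post): audit and harden RDP on the local host.
# Run from an elevated PowerShell session on Windows 7 / Windows Server 2008 (R2).

$TsPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpTcp = Join-Path $TsPath 'WinStations\RDP-Tcp'

function Get-RdpHardeningState {
    # fDenyTSConnections = 1 -> RDP disabled
    # UserAuthentication = 1 -> NLA required before a session is created
    # SecurityLayer      = 2 -> TLS required instead of legacy RDP security
    $ts  = Get-ItemProperty -Path $TsPath
    $tcp = Get-ItemProperty -Path $RdpTcp
    [PSCustomObject]@{
        ComputerName     = $env:COMPUTERNAME
        RdpDisabled      = ($ts.fDenyTSConnections -eq 1)
        NlaRequired      = ($tcp.UserAuthentication -eq 1)
        TlsSecurityLayer = ($tcp.SecurityLayer -eq 2)
    }
}

function Test-RdpPatchInstalled {
    # KB id of the fix for this OS. 'KB<PLACEHOLDER>' is a placeholder; substitute the
    # real id from the vendor update for the affected version.
    param([string]$KbId = 'KB<PLACEHOLDER>')
    $null -ne (Get-HotFix -Id $KbId -ErrorAction SilentlyContinue)
}

function Enable-RdpNla {
    # Compensating measure 1: require NLA so unauthenticated clients never reach the
    # vulnerable service code. Does not help against an attacker with valid credentials.
    Set-ItemProperty -Path $RdpTcp -Name UserAuthentication -Value 1 -Type DWord
    Set-ItemProperty -Path $RdpTcp -Name SecurityLayer      -Value 2 -Type DWord
}

function Disable-RdpUntilPatched {
    # Compensating measure 2: turn RDP off and block the listener at the host firewall.
    # netsh is used because the NetSecurity cmdlets do not exist on Windows 7 / Server 2008.
    Set-ItemProperty -Path $TsPath -Name fDenyTSConnections -Value 1 -Type DWord
    netsh advfirewall firewall add rule name="Block inbound RDP until patched" `
        dir=in action=block protocol=TCP localport=3389 | Out-Null
}

# Usage: report the current state; if the fix is missing, apply the compensating measures.
$state = Get-RdpHardeningState
$state | Format-List
if (-not (Test-RdpPatchInstalled)) {
    if ($state.RdpDisabled) {
        Write-Host 'RDP is already disabled on this host.'
    } else {
        Enable-RdpNla
        # For hosts that must not expose RDP before patching, disable it entirely:
        # Disable-RdpUntilPatched
    }
}
```

The audit function is deliberately separate from the two remediation functions so that the same script can first be run read-only across a fleet (for example via remote execution from a management host) to produce an inventory of which perimeter hosts still accept unauthenticated RDP, and only then be used to change settings.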