Author: Samuel Trommel, Security Expert WorldStream
Joe Tammariello of the Software Engineering Institute (SEI) at Carnegie Mellon University in Pittsburgh discovered a still unpatched vulnerability in the Microsoft Windows Remote Desktop Protocol (RDP), tracked as CVE-2019-9510. It allows an attacker who has access to the client side of a Remote Desktop (RD) session to bypass the lock screen of the remote system and resume the session without entering credentials. The affected versions start with Windows 10 version 1803, released in April 2018, and include Windows Server 2019.
The researchers have shared their findings with Microsoft, so Microsoft is aware of the vulnerability, but at the time of writing no patch is available. This means that many internet-facing Windows servers, including those deployed in WorldStream's datacenters, remain exposed, and an unlocked administrative session is exactly the foothold that ransomware operators look for. WorldStream hopes that Microsoft comes up with a proper patch soon, probably on the next Patch Tuesday, June 11. Until then, our advice would be to:
– Restrict inbound RDP in the Windows Firewall to a whitelist of trusted IP addresses that are allowed to reach the Windows-based server system.
– Alternatively, turn off RDP completely and manage the Windows-based servers through the Remote Management Console (RMC) instead, if available.
We would advise using the latter option only where patching for the recent wormable 'BlueKeep' RDP vulnerability (CVE-2019-0708) did not work for whatever reason. BlueKeep is the more critical of the two, but note that it affects older releases (Windows 7, Windows Server 2008 and 2008 R2 and earlier), whereas CVE-2019-9510 affects the newer releases listed above, so a server is not covered against one by being safe from the other. CVE-2019-9510 can still do quite some harm. To protect Windows servers against BlueKeep, install the May 2019 security updates, which patch the vulnerability.
When Microsoft releases a patch for CVE-2019-9510, hopefully next Tuesday, June 11, we strongly advise updating the Windows server systems immediately.
CVE-2019-9510 Vulnerability Explained
How does it work? Microsoft Windows RDP supports a feature called Network Level Authentication (NLA). With NLA, the client must authenticate (via CredSSP, over TLS) before a full RDP session is created on the server, instead of authenticating at the Windows logon screen inside an already established session. Using NLA is recommended because unauthenticated clients never reach the RDP session stack, which reduces the attack surface of servers exposing RDP.
In the affected versions, however, the handling of NLA-based RDP sessions has changed in a way that causes unexpected behaviour with session locking. According to the researchers from Carnegie Mellon University, if an administrator locks the remote desktop and the RDP connection is then interrupted, for example by a brief network anomaly, the automatic reconnection restores the session in an unlocked state, regardless of how the administrator left it. Because the reconnect reuses the NLA credentials the client already holds, whatever the remote lock screen was supposed to enforce is bypassed. Note what this does and does not mean in practice: the attacker needs access to the client system that holds the session (a locked or unattended workstation, for instance), so an IP whitelist on the server limits who can establish sessions in the first place but does not by itself stop the unlocked reconnect from a trusted client. Turning NLA off is not the answer either; the lock-screen bypass is specific to NLA sessions, but NLA is what keeps unauthenticated clients away from the RDP stack.
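As an added check, not part of the original WorldStream post, the following PowerShell reads the three preconditions described above from the registry of the server it runs on: an affected build (17134 is Windows 10 1803, the first affected release; Windows Server 2019 is build 17763), Remote Desktop enabled, and NLA required. The function name and the output layout are the author's own; the registry values are the standard Terminal Server settings. Run it in an elevated prompt on each Windows host you manage.

```powershell
# Added example (not code from the WorldStream post): report whether this host is in
# the configuration CVE-2019-9510 applies to. Function name is the author's own.

function Get-RdpNlaExposure {
    $tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcpKey = Join-Path $tsKey 'WinStations\RDP-Tcp'
    $verKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

    # Build number: 17134 = Windows 10 1803 (first affected), 17763 = Server 2019 / 1809
    $build = [int](Get-ItemProperty -Path $verKey).CurrentBuildNumber
    $affectedBuild = $build -ge 17134

    # fDenyTSConnections = 0 means Remote Desktop is enabled on this host
    $rdpEnabled = (Get-ItemProperty -Path $tsKey).fDenyTSConnections -eq 0

    # UserAuthentication = 1 means NLA is required for the RDP-Tcp listener
    $nlaRequired = (Get-ItemProperty -Path $tcpKey).UserAuthentication -eq 1

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        Build         = $build
        AffectedBuild = $affectedBuild
        RdpEnabled    = $rdpEnabled
        NlaRequired   = $nlaRequired
        # All three must hold for the unlocked-reconnect behaviour to be reachable
        Exposed       = $affectedBuild -and $rdpEnabled -and $nlaRequired
    }
}

# Usage: print the assessment for this host, and exit non-zero when exposed so the
# script can feed a simple inventory loop (the exit code convention is the author's).
$result = Get-RdpNlaExposure
$result | Format-List
if ($result.Exposed) { exit 1 } else { exit 0 }
```

A host reporting `Exposed = True` is one where a locked RDP session will come back unlocked after a reconnect. Do not read `NlaRequired = False` as a fix; leaving NLA off exposes the RDP stack to unauthenticated clients, which is the worse trade. The useful response is the firewall whitelist and, until a patch ships, disconnecting sessions rather than locking them when stepping away from the client.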
IP Whitelisting as a Security Policy
For security purposes in general, it is wise to whitelist by source IP the access to remote management protocols such as RDP, SSH and VNC. On Windows Server, Remote Desktop is not enabled by default; it is switched on through Server Manager, which also enables the matching inbound rules in the Windows Firewall. The remote address scope of those rules is where the whitelist belongs, so that only your management addresses can reach port 3389 at all.
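The whitelist recommended above and in the advice list at the top of this post, as an added PowerShell example that is not part of the original WorldStream post: it scopes the built-in "Remote Desktop" firewall rule group to a list of trusted addresses, verifies the result, and warns about currently established RDP connections that may be cut off. The addresses in `$Whitelist` are RFC 5737 documentation ranges used as placeholders; replace them with your real management IPs, and make sure the address you are connecting from is included before running it over RDP.

```powershell
# Added example (not code from the WorldStream post): restrict inbound RDP in the
# Windows Firewall to a source-IP whitelist and verify it. Run in an elevated prompt.
# Placeholder addresses are RFC 5737 documentation ranges; replace with your own.

$Whitelist = @('203.0.113.10', '198.51.100.0/24')

# Windows ships the inbound RDP rules (TCP/UDP 3389 and shadowing) in this group.
$rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound
if (-not $rules) {
    # Fail closed: do not continue as if RDP were protected when the group is missing.
    throw 'No inbound "Remote Desktop" firewall rules found on this host.'
}

# Warn about sessions that are connected right now from addresses outside the list.
# Exact-match check only: a client inside a CIDR range will still be reported as a
# warning, which is deliberate so the operator looks before locking the door.
$established = Get-NetTCPConnection -LocalPort 3389 -State Established -ErrorAction SilentlyContinue
foreach ($c in $established) {
    if ($Whitelist -notcontains $c.RemoteAddress) {
        Write-Warning ("Active RDP connection from {0} is not in the whitelist" -f $c.RemoteAddress)
    }
}

# Apply: every rule in the group now only accepts the whitelisted remote addresses.
$rules | Set-NetFirewallRule -RemoteAddress $Whitelist -Enabled True

# Verify: read the address filter back and flag any rule that is still open to 'Any'.
$stillOpen = 0
foreach ($r in $rules) {
    $remote = ($r | Get-NetFirewallAddressFilter).RemoteAddress
    $open = $remote -contains 'Any'
    if ($open) { $stillOpen++ }
    '{0,-40} remote={1,-35} {2}' -f $r.DisplayName, ($remote -join ','), $(if ($open) { 'STILL OPEN' } else { 'OK' })
}

if ($stillOpen -gt 0) { throw "$stillOpen Remote Desktop rule(s) still accept connections from Any" }
```

Keep the whitelist short and owned: a jump host or VPN egress address is better than a list of individual home connections, and the `Get-NetFirewallAddressFilter` check at the end is worth re-running after Windows updates, because feature installs can re-create rules with the default `Any` scope.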
Source: WorldStream