{"id":12804,"date":"2019-06-14T15:23:31","date_gmt":"2019-06-14T15:23:31","guid":{"rendered":"https:\/\/clients.afaghhosting.net\/index.php?rp=\/announcements\/378"},"modified":"2019-06-14T15:23:31","modified_gmt":"2019-06-14T15:23:31","slug":"%d8%a8%d8%a7%da%af-%d8%ae%d8%b7%d8%b1%d9%86%d8%a7%da%a9-%d8%b1%db%8c%d9%85%d9%88%d8%aa-%d8%af%d8%b3%da%a9%d8%aa%d8%a7%d9%be-rdp-zero-day-vulnerability","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/%d8%a8%d8%a7%da%af-%d8%ae%d8%b7%d8%b1%d9%86%d8%a7%da%a9-%d8%b1%db%8c%d9%85%d9%88%d8%aa-%d8%af%d8%b3%da%a9%d8%aa%d8%a7%d9%be-rdp-zero-day-vulnerability\/","title":{"rendered":"Dangerous Remote Desktop Bug &#8211; RDP Zero-Day Vulnerability"},"content":{"rendered":"<p><strong>Author:<\/strong>\u00a0<em>Samuel Trommel, Security Expert WorldStream<\/em><\/p>\n<p>Joe Tammariello of the Carnegie Mellon University (Pittsburgh) Software Engineering Institute (SEI) discovered a zero-day vulnerability in the Microsoft Windows Remote Desktop Protocol (RDP), CVE-2019-9510. It allows an attacker to bypass Windows security and gain access to an affected remote server system; specifically, a client-side attacker could bypass the lock screen of a remote desktop (RD) session. 
The vulnerability is present in RDP from Windows 10 version 1803 (released in April 2018) onward, and in Windows Server 2019.<\/p>\n<p>The researchers have shared their findings with Microsoft, so Microsoft is aware of the vulnerability, but unfortunately no appropriate countermeasures are in place yet to prevent these server systems from being compromised. This means that many internet-facing servers, including those deployed in WorldStream\u2019s datacenters, remain exposed to risks such as ransomware. WorldStream hopes that Microsoft comes up with a proper patch soon, probably next Tuesday, June 11. Until then, our advice would be to:<\/p>\n<ul>\n<li>Enable an IP whitelist in the Windows Firewall containing only the trusted IP addresses that are allowed to access the Windows-based server system.<\/li>\n<li>Alternatively, turn off RDP completely and manage the Windows-based servers through a Remote Management Console (RMC) instead, if available.<\/li>\n<\/ul>\n<p>We would advise using the latter option only when patching for the recent 
\u2018BlueKeep\u2019 RDP wormable vulnerability (CVE-2019-0708) did not work for whatever reason. BlueKeep was a more critical vulnerability than this one, but CVE-2019-9510 can still do quite some harm. To prevent Windows servers from being exploited via BlueKeep, you only have to update to the latest Windows version, which patches that vulnerability.<\/p>\n<p>When Microsoft releases its patch for CVE-2019-9510, hopefully next Tuesday, June 11, we strongly advise updating the Windows server systems immediately.<\/p>\n<p><strong>CVE-2019-9510 Vulnerability Explained<\/strong><\/p>\n<p>How does it work? Microsoft Windows RDP supports a feature called Network Level Authentication (NLA). With NLA, the authentication step of a remote session is moved from the RDP layer to the network layer. 
The use of NLA is recommended because it reduces the attack surface of servers exposed via the RDP protocol.<\/p>\n<p>The handling of NLA-based RDP sessions has changed, however, in a way that causes unexpected behavior with respect to session locking. According to the researchers from Carnegie Mellon University, when a network anomaly triggers a temporary RDP disconnect, the RDP session is restored to an unlocked state upon automatic reconnection, regardless of the state in which an administrator left the remote server system.<\/p>\n<p><strong>IP Whitelisting as a Security Policy<\/strong><\/p>\n<p>As a general security measure, it is wise to restrict access to remote management protocols such as RDP, SSH and VNC to a whitelist of IP addresses. Windows RDP access is not enabled by default. 
The setup can be arranged through the Server Manager, where the RDP connection has to be enabled in the Windows Firewall.<\/p>\n<p>Quoted from WorldStream<\/p>\n<p>Server management, support and consulting &#8211; domain registration<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Author:\u00a0Samuel Trommel, Security Expert WorldStream Joe Tammariello of Carnegie Mellon University (Pittsburgh) Software Engineering Institute (SEI) discovered a zero-day vulnerability in the Microsoft Windows Remote Desktop Protocol (RDP), CVE-2019-9510. This can bypass Windows security and allow attackers to gain access to an affected remote server system, which could allow client-side attackers to bypass the lock 
&hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[27],"tags":[],"class_list":["post-12804","post","type-post","status-publish","format-standard","hentry","category-27"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/12804","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=12804"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/12804\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=12804"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=12804"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=12804"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}