The Claroty Blog

Two Years After WannaCry, Another Potential Worm Lurks

Amir Preminger, VP Research

An already busy week in vulnerability reporting just got busier. Yesterday, Microsoft released a security advisory for a Remote Code Execution vulnerability (CVE-2019-0708) in the Remote Desktop Protocol (RDP) service (also known as Terminal Services) on Windows machines. The vulnerability is flagged as “wormable” because it requires neither authentication nor user interaction to achieve code execution. In other words, any future malware that exploits this vulnerability could propagate on its own from one vulnerable computer to the next.

This capacity for rapid propagation forces us to consider whether an exploit for this vulnerability could match the magnitude of the WannaCry worm, which brought corporate and industrial operations to a grinding halt two years ago this month and caused nearly $10 billion in damages worldwide. While Microsoft has not yet observed exploitation of this vulnerability, it has stated that "it is highly likely that malicious actors will write an exploit for this vulnerability and incorporate it into their malware". Microsoft appears to be taking the threat quite seriously: it has taken the unusual step of releasing a patch for Windows 2003 and XP, systems it stopped supporting some four years ago. The vulnerability is rated critical, with a Common Vulnerability Scoring System (CVSS) score of 9.8 out of 10.

Who Is at Risk?

Systems running the following Windows versions are potentially vulnerable: Windows 7, Windows Server 2008 R2, Windows Server 2008, Windows 2003, and Windows XP. Windows 8 and Windows 10 systems are not affected by this vulnerability.
</gre_replace>
<gr_replace lines="17" cat="clarify" orig="The vulnerability enables">
The vulnerability allows pre-authentication Remote Code Execution in the Windows Remote Desktop Protocol service, a service widely used in operational technology (OT) environments to grant remote users access to industrial control systems (ICS). It is common to have a jump server that is reachable from the IT network via RDP and that in turn provides access to internal SCADA assets. This vulnerability can be exploited to breach the segmentation between external and internal networks.

How Does It Work?

The vulnerability enables a Remote Code Execution pre-authentication state of Windows Remote Desktop Protocol, a service widely used in operational technology (OT) environments to grant remote users access to industrial control systems (ICS). It is common to have a jump server accessible from the IT network via RDP to access internal SCADA assets. This vulnerability can be exploited to breach the segmentation between external and internal networks.

In this scenario, attackers can perform malicious operations such as changing live production parameters or deleting or altering critical files and folders. Notably, critical infrastructure networks tend to run older Windows operating systems (e.g. Windows 2003 and XP) and consequently receive fewer updates. As a result, machines running these operating systems, such as engineering workstations (EWS), human-machine interfaces (HMIs), and open platform communication (OPC) servers, can be vulnerable to this exploit.

Technical Analysis

Up to Windows 8, most of the RDP functionality was implemented in the kernel using drivers. CVE-2019-0708 is a Use-After-Free vulnerability in the virtual channel binding mechanism of the RDP implementation: a reference (a dangling pointer) to an allocation is retained after that allocation has been freed. Virtual channels are implemented on top of the basic RDP protocol, with separate channels for keyboard input, display, clipboard and so on.

One of these channels (T120) can be bound in such a manner that its virtual channel structure is freed while a dangling pointer to it is left behind and used afterwards. It is therefore possible to reallocate the freed virtual channel structure and overwrite the function pointers it contains, which yields an absolute call primitive (e.g., a call into shellcode). As a result, exploiting this vulnerability allows an attacker to run code in the kernel.

Next Steps

If you are running any of the affected Windows versions, consult the Microsoft security advisory immediately. The advisory contains details on the vulnerability from the Microsoft Security Response Center, mitigation and workaround steps, as well as links to the appropriate security updates to patch vulnerable systems.
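For the inventory step the two sections above call for (matching hosts against the affected-version list, then checking whether RDP is reachable and the update is installed), here is an added PowerShell triage script. It is not Claroty's or Microsoft's code; the function name, the output fields and the `KB-FROM-ADVISORY` placeholder are assumptions, and the actual KB identifiers must be taken from the Microsoft advisory for each host's OS.

```powershell
# Added example, not code from Claroty or Microsoft: triage one Windows host
# for CVE-2019-0708 exposure using the affected-version list in the post.
# Assumption: the KB identifiers of the fix come from the Microsoft advisory
# and are passed in; the default below is a placeholder.
function Get-Cve20190708Exposure {
    param(
        [string[]]$PatchKBs = @('KB-FROM-ADVISORY')   # placeholder, fill from the advisory
    )

    # Get-WmiObject rather than Get-CimInstance so the check also runs on the
    # PowerShell 2.0 builds commonly found on Windows 7 / Server 2008 hosts.
    $os  = Get-WmiObject -Class Win32_OperatingSystem
    $ver = [version]$os.Version

    # Affected per the post: XP (5.1), Server 2003 (5.2), Server 2008 (6.0),
    # Windows 7 / Server 2008 R2 (6.1). Windows 8 and 10 (6.2 and later) are not.
    $affectedOs = ($ver.Major -eq 5) -or ($ver.Major -eq 6 -and $ver.Minor -le 1)

    # RDP accepts connections when fDenyTSConnections is 0 under the Terminal Server key.
    $tsKey      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpEnabled = (Get-ItemProperty -Path $tsKey).fDenyTSConnections -eq 0

    # Network Level Authentication (UserAuthentication = 1 on the RDP-Tcp listener)
    # requires the client to authenticate before the session is built, which closes
    # the pre-authentication path the post describes. It reduces risk; it does not
    # replace the update.
    $rdpTcpKey  = "$tsKey\WinStations\RDP-Tcp"
    $nlaEnabled = (Get-ItemProperty -Path $rdpTcpKey -ErrorAction SilentlyContinue).UserAuthentication -eq 1

    # Installed hotfixes (Win32_QuickFixEngineering) compared against the advisory KBs.
    $installed = Get-HotFix | ForEach-Object { $_.HotFixID }
    $patched   = @($PatchKBs | Where-Object { $installed -contains $_ }).Count -gt 0

    if (-not $affectedOs)     { $action = 'OS not in the affected set; no action for this CVE' }
    elseif ($patched)         { $action = 'Update installed' }
    elseif (-not $rdpEnabled) { $action = 'Affected OS, RDP disabled; schedule the update' }
    elseif ($nlaEnabled)      { $action = 'Exposed with NLA; apply the update now' }
    else                      { $action = 'Exposed without NLA; apply the update now and restrict TCP 3389 meanwhile' }

    # New-Object instead of [pscustomobject] keeps the script PowerShell 2.0 compatible.
    New-Object PSObject -Property @{
        Host       = $env:COMPUTERNAME
        OS         = $os.Caption
        Version    = $os.Version
        AffectedOS = $affectedOs
        RdpEnabled = $rdpEnabled
        NlaEnabled = $nlaEnabled
        Patched    = $patched
        Action     = $action
    }
}

# Run locally; across a fleet, wrap it in Invoke-Command or an existing inventory job.
Get-Cve20190708Exposure | Format-List
```

Read the `Action` field first: a host that is on an affected OS, accepting RDP, and lacking both NLA and the update is exactly the exposed jump server or engineering workstation the post warns about. Keep in mind that the oldest hosts (XP, Server 2003) generally cannot enable NLA, so on those the script will report `NlaEnabled` as false and the only fix is the out-of-band update Microsoft released for them.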
