Omer_Shliva
Employee

An update regarding CVE-2019-0708, a Remote Code Execution vulnerability in Remote Desktop Services

As part of the Microsoft May release, MS has announced a Remote Code Execution vulnerability in Remote Desktop Services, CVE-2019-0708. At this time, there are no indications of the vulnerability being exploited in the wild or of the existence of a public PoC. Check Point researchers are investigating this and monitoring any relevant activity in the wild. Check Point's recommendation is to monitor affected systems and deploy the MS fix according to the MS Security Update Guide. Customers who do not need the Remote Desktop Protocol can block the protocol on the Gateway and EndPoint Firewalls.

5 Replies
Stuey
Explorer

Hi, I believe there is now an exploit confirmed in the wild. Are you working on signatures for this?

 

https://twitter.com/cBekrar/status/1128712967845961728

 

"We've confirmed exploitability of Windows Pre-Auth RDP bug (CVE-2019-0708) patched yesterday by Microsoft. Exploit works remotely, without authentication, and provides SYSTEM privileges on Windows Srv 2008, Win 7, Win 2003, XP. Enabling NLA mitigates the bug. Patch now or GFY!"

_Val_
Admin

As far as I understand, Microsoft did not share any details concerning this CVE yet, other than that it is patched.

Ryan_St__Germai
Advisor

Why don't you ask Kaspersky for some details in order to come up with an IPS sig? They seem to be offering information. Patching, of course, is the real answer, along with not allowing RDP from the internet.

https://twitter.com/oct0xor/status/1130534732863803400
0 Kudos
RickLin
Advisor

[Attached images: 1.jpg, 2.jpg]

_Val_
Admin

Correct, the CVE protection is now part of the latest IPS update.
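
Besides patching, the thread names two mitigations: blocking RDP where it is not needed, and enabling NLA. The PowerShell function below is an added example, not part of the original thread and not Check Point code. It reports whether the local host accepts RDP connections and whether NLA is required. The function name `Get-RdpExposure` and the wording of the `Action` field are assumptions made for illustration; the registry values are the standard Windows Terminal Services settings.

```powershell
# Added example: local audit of the RDP settings discussed in this thread.
function Get-RdpExposure {
    [CmdletBinding()]
    param()

    $tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpKey = Join-Path $tsKey 'WinStations\RDP-Tcp'
    # Group Policy values, when present, take precedence over the local ones.
    $gpoKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

    $ts  = Get-ItemProperty -Path $tsKey
    $rdp = Get-ItemProperty -Path $rdpKey
    $gpo = Get-ItemProperty -Path $gpoKey -ErrorAction SilentlyContinue

    # fDenyTSConnections = 0 means Remote Desktop connections are accepted.
    $deny = if ($null -ne $gpo.fDenyTSConnections) { $gpo.fDenyTSConnections }
            else { $ts.fDenyTSConnections }

    # UserAuthentication = 1 means NLA is required before a session is set up.
    # The value is absent on systems without NLA support; treat that as "off".
    $nla = if ($null -ne $gpo.UserAuthentication) { $gpo.UserAuthentication }
           else { $rdp.UserAuthentication }

    $rdpEnabled  = ($deny -eq 0)
    $nlaRequired = ($nla -eq 1)

    # Assumed wording; adjust to your own remediation workflow.
    $action = if (-not $rdpEnabled) {
        'RDP disabled locally; keep it blocked on gateway and endpoint firewalls'
    } elseif (-not $nlaRequired) {
        'RDP enabled without NLA; patch first, then enable NLA or block RDP'
    } else {
        'RDP enabled with NLA; mitigation in place, patch still required'
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        RdpEnabled   = $rdpEnabled
        NlaRequired  = $nlaRequired
        Port         = $rdp.PortNumber
        Action       = $action
    }
}

Get-RdpExposure
```

Run it from an elevated prompt on the host being checked; it only reads registry values and changes nothing.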
