This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Omer_Shliva
Employee Alumnus
Employee Alumnus
‎2019-05-16 09:48 AM

An update regarding CVE-2019-0708, a Remote Code Execution vulnerability in Remote Desktop Services

As part of the Microsoft May release, MS has announced on a Remote Code Execution vulnerability in Remote Desktop Services, CVE-2019-0708. At this time, there are no indications of the vulnerability exploited in the wild or the existence of a public PoC. Check Point researchers are investigating this and monitoring any relevant activity in the wild. Check Point recommendation is to monitor affected systems and deploy MS fix according to  MS Security Update Guide. Customers who do not need a Remote Desktop Protocol can block the protocol on the Gateway and EndPoint Firewalls.

5 Replies
Stuey
Explorer
‎2019-05-17 01:28 AM

Hi I believe there is now an exploit confirmed in the wild. Are you working on signatures for this? 

 

https://twitter.com/cBekrar/status/1128712967845961728

 

"We've confirmed exploitability of Windows Pre-Auth RDP bug (CVE-2019-0708) patched yesterday by Microsoft. Exploit works remotely, without authentication, and provides SYSTEM privileges on Windows Srv 2008, Win 7, Win 2003, XP. Enabling NLA mitigates the bug. Patch now or GFY!"

_Val_
Admin
Admin
‎2019-05-17 03:02 AM
In response to Stuey

As far as I understand, Microsoft did not share any details concerning this CVE, yet, other than it is patched.

Ryan_St__Germai
Advisor
‎2019-05-20 11:24 AM

Why don't you ask Kaspersky for some details in order to come up with an IPS sig.They seem to be offering information.Patching of course is the real answer along with not allowing RDP from the internet.

https://twitter.com/oct0xor/status/1130534732863803400
0 Kudos
RickLin
Advisor
Advisor
‎2019-05-21 01:13 AM
In response to Ryan_St__Germai

1.jpg2.jpg

_Val_
Admin
Admin
‎2019-05-21 01:42 AM
In response to RickLin

Correct, the CVE protection is now part of the latest IPS update.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events