WorldStream Advises Users to Protect Windows Servers Against RDP Zero-Day Vulnerability

Kelvion New Plate Heat Exchanger

As a fast-growing Infrastructure-as-a-Service (IaaS) hosting provider, WorldStream has 15,000 dedicated servers scattered across its data centers including Linux and Windows-based servers. WorldStream Security Expert Samuel Trommel now urges Windows server administrators worldwide to setup a firewall with trusted sources whitelisted until Microsoft will hopefully come up with a proper patch next week for a just discovered zero-day leak in the Remote Desktop Protocol (RDP).

Author: Samuel Trommel, Security Expert WorldStream

Joe Tammariello of Carnegie Mellon University (Pittsburgh) Software Engineering Institute (SEI) discovered a zero-day vulnerability in the Microsoft Windows Remote Desktop Protocol (RDP), CVE-2019-9510. This can bypass Windows security and allow attackers to gain access to an affected remote server system, which could allow client-side attackers to bypass the lock screen on remote desktop (RD) sessions. The vulnerabilities in the RDP protocol start with Windows 10 as of version 1803 that was released in April 2018, and Windows Server 2019.

These researchers have shared their findings with Microsoft, so Microsoft is aware of the vulnerability, but unfortunately no appropriate countermeasures are in place yet to prevent these server systems from being compromised. It means that many internet-facing servers, including those deployed in WorldStream’s datacenters, are still vulnerable to cybersecurity risks such as ransomware. WorldStream hopes that Microsoft comes up with a proper patch soon, probably next Tuesday, June 11. Until then, our advise would be to:

  • Enable an IP Whitelist in the Windows Firewall with the trusted IP addresses that are allowed to gain access to the Windows-based server system
  • Another option would be to turn off RDP completely and manage the Windows-based servers through Remote Management Console (RMC) instead, if available

We would advise to only use the latter option when patching for the recent ‘BlueKeep’ RDP wormable vulnerability (CVE-2019-0708) did not work for whatever reason. BlueKeep was a more critical vulnerability than this one, but CVE-2019-9510 can still do quite some harm. To prevent the Windows servers from being exploited by BlueKeep, you just have to update to the latest Windows version which will then patch the vulnerability.

When Microsoft will bring out their patch for this CVE-2019-9510 vulnerability, hopefully next Tuesday, June 11, WorldStream would strongly advise to update the Windows server systems immediately.

CVE-2019-9510 Vulnerability Explained

How it works? Microsoft Windows RDP is supporting a feature that is called Network Level Authentication (NLA). Through this feature, the authentication element of a remote session is being moved from the RDP layer to the network layer. The use of this NLA feature is recommended as it would reduce the attack surface of servers exposed using the RDP protocol.

The handling of NLA-based RDP sessions has changed though, in a way that happens to cause unexpected behavior when it comes to session locking. When a network anomaly would trigger a temporary RDP disconnect, according to the researchers from Carnegie Mellon University, upon automatic reconnection the RDP session will be restored to an unlocked state, regardless of how the remote server system was left by an administrator.

IP Whitelisting as a Security Policy

For security purposes in general it would be wise to IP whitelist access to Remote Management Protocols like eg. RDP, SSH and VNC. Windows RDP access is not enabled by default. The setup can be arranged through the Server Manager where the RDP connection has to be enabled in the Windows Firewall.

This notification to warn Windows server users for vulnerability exploits like this fits our company focus on security details. WorldStream is truly focused on delivering highly secure hosting solutions indeed. This is illustrated by the proprietary global network we have built with a total capacity of currently 10Tbit/s. The maximum network utilization of 50 percent not only provides our customers with high-scalability options, it also allows them to easily mitigate the impact of distributed denial-of-service (DDoS) attacks.

On top of that WorldStream has in-house developed DDoS protection technology available that effectively stops all types of DDoS attacks. WorldStream’s DDoS shield actually secures every type of hosting environment including web servers, streaming media servers, game servers and name servers.

To find out more about WorldStream’s DDoS services, visit: https://www.worldstream.nl/en/ddos-shield/info.