Oh, Microsoft, you do like to make things interesting for us users and administrators, don’t you! The latest vulnerability pair targets Remote Desktop Services (formerly known as Terminal Services), and it’s potentially significant. Compounding the issue is the fact that the patches that fix these vulnerabilities appear to break some common Line-Of-Business (LOB) applications. Also, the news made CNN, so cue the public panic.
Q & A format often helps us with these types of discussions, so off we go:
Q: Is this a Zero-Day (current and publicly active) exploit? Are environments being compromised as we speak?
A: Not as of this writing (Aug 16, 2019), no.
Q: Under what circumstances would my environment be vulnerable?
A: If your servers or workstations are unpatched, and you have RDS port(s) directly forwarded to internal servers or workstations, you are definitely vulnerable. If a public exploit is written, and you or one of your users downloads and runs malicious code within your private network, any unpatched systems running Remote Desktop Services (commonly most systems) would be vulnerable.
Q: What’s the worst-case scenario, should someone develop a public exploit?
A: Even one unpatched system in your environment could be leveraged to execute malicious code remotely, with the likely result being infection/encryption of all data accessible via network shares and user mapped drives. Any unpatched system might incur not only to data loss on that system, but may also be a vector for running additional malicious code on other systems laterally throughout your network.
Q: Is there more bad news?
A: The patches for these vulnerabilities are known to break several line-of-business applications, including Juris from Lexis-Nexis, and several applications by Blackbaud like The Raiser’s Edge, Financial Edge, and Education Edge. Microsoft as well as Lexis-Nexis and Blackbaud are currently working on fixes for this.
So far, only Lexis-Nexis and Blackbaud have reported problems with these patches. If you’re a client of ours and run this software, we’ll be reaching out to you shortly to discuss this if you haven’t heard from us already.
Q: So is there good news?
First: Again, as of this writing, there have been no confirmed reports of a public exploit.
Second: In the event this vulnerability turns into an active, publicly exploitable threat, only RDS servers whose connections are directly exposed to the internet are vulnerable. RDS and Citrix server farms hidden behind an RDS or Citrix gateway are not directly vulnerable to open, unchecked attack. Further, RDS servers with Network Location Awareness enabled (which is most of them!) also require a valid internal username and password before they can be compromised.
Suite3 has always urged our clients to adopt strong password policies and leverage MFA, especially for remote connections; now you know why! Long, complicated passwords that are changed often are far more resistant to brute-force password guessing attacks than short, simple passwords that never change. If you’re not confident about the strength of your password policies, reach out to Suite3 for assistance.
If you have a ManageSuite agreement with Suite3 that includes patch delivery, we’re delivering these patches to your servers and workstations automatically according to our regular schedules. Make sure you get those laptops turned on and plugged in so we can patch them for you!
If you’re running one of the affected applications above and we can’t patch your environment without impacting your business operations, we’ll be working with you to reduce your presented attack surface in other ways.
Suite3 continues to keep up with emerging security trends and vulnerabilities, because that’s Intelligent IT.