Computer Emergency Response Team KZ-CERT reports a patched vulnerability in the Remote Desktop Protocol (RDP) service present on Microsoft Windows workstations and servers.
A study of this problem identified 1219 IP addresses exposing a vulnerable RDP service in the Kazakhstani segment of the Internet.
The remote code execution vulnerability exists in Remote Desktop Services, previously called Terminal Services. An unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and does not require user interaction. An attacker who successfully exploits this vulnerability can execute arbitrary code on the target system. As a result, the attacker can install programs; view, change, or delete data; or create new accounts with full user rights.
Recommendations for remediation.
In all cases, it is recommended to urgently install updates for this vulnerability and take the following protection measures:
1. Enable Network Level Authentication (NLA) on systems running supported editions of Windows 7, Windows Server 2008, and Windows Server 2008 R2.
Enabling Network Level Authentication blocks unauthenticated attackers from exploiting this vulnerability. With NLA enabled, an attacker must first authenticate to Remote Desktop Services with a valid account on the target system before the vulnerability can be exploited.
2. Block TCP port 3389 on the enterprise perimeter firewall.
TCP port 3389 is used to establish a connection with the vulnerable component. Blocking this port on the network perimeter firewall helps protect systems behind the firewall from attempts to exploit this vulnerability.
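To check and apply recommendation 1 on a single host, the following PowerShell script is an added example and not part of the KZ-CERT advisory. It assumes an elevated session on Windows 7 or Windows Server 2008 R2; the function names Get-RegValue, Get-RdpNlaState and Enable-RdpNla are hypothetical helpers defined here for illustration.

```powershell
# Added example: audit NLA on the local host and enable it if it is off.
# Written for PowerShell 2.0 so it runs on Windows 7 / Server 2008 R2.
$TsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpTcpKey = "$TsKey\WinStations\RDP-Tcp"
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RegValue($Path, $Name) {
    # Returns $null when the key or the value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

function Get-RdpNlaState {
    $policy = Get-RegValue $PolicyKey 'UserAuthentication'
    $local  = Get-RegValue $RdpTcpKey 'UserAuthentication'
    # A Group Policy value, when present, overrides the local listener setting.
    $effective = if ($policy -ne $null) { $policy } else { $local }
    New-Object PSObject -Property @{
        ComputerName = $env:COMPUTERNAME
        RdpEnabled   = ((Get-RegValue $TsKey 'fDenyTSConnections') -eq 0)
        Port         = Get-RegValue $RdpTcpKey 'PortNumber'
        NlaRequired  = ($effective -eq 1)
        SetByPolicy  = ($policy -ne $null)
    }
}

function Enable-RdpNla {
    # Uses the Terminal Services WMI provider instead of writing the registry directly.
    $ts = Get-WmiObject -Namespace 'root\cimv2\terminalservices' `
            -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    $result = $ts.SetUserAuthenticationRequired(1)
    if ($result.ReturnValue -ne 0) {
        throw "SetUserAuthenticationRequired failed: $($result.ReturnValue)"
    }
}

$state = Get-RdpNlaState
$state | Format-List
if ($state.RdpEnabled -and -not $state.NlaRequired) {
    if ($state.SetByPolicy) {
        Write-Warning 'NLA is turned off by Group Policy; fix the policy, a local change would be overridden.'
    } else {
        Enable-RdpNla
        Get-RdpNlaState | Format-List   # confirm the new state
    }
}
```

On Windows Server 2008 (not R2) the Win32_TSGeneralSetting class is in the root\cimv2 namespace, so the -Namespace argument has to be changed there.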
Tel.: +7 (7172) 55-99-99