Microsoft Security Update - Patch CVE-2019-0708


CVE-2019-0708 is a remote code execution vulnerability in the Remote Desktop Services (Terminal Services, RDP) component of Microsoft Windows. Successful exploitation could yield arbitrary code execution in the Windows kernel, giving the attacker full control of the system, much like the MS17-010 SMB vulnerability.

The MSRC advisory states that the vulnerability has not been publicly disclosed and has not been observed being exploited in the wild. However, an MSRC blog post speculates that this vulnerability could be used by a worm similar to the WannaCry malware. The blog post does not mention that WannaCry also used WMI and PsExec to spread internally within a network, while the SMB vulnerability was used for initial access.

The vulnerability is significant, as shown by Microsoft backporting the patch to out-of-support versions of Windows, most notably Windows XP. Microsoft has raised the alarm about a "wormable" RDP vulnerability before, and it turned out to be a non-issue: MS12-020 resulted in a denial-of-service condition and did not lead to remote code execution.

Technical details:

This component is implemented by a kernel driver named termdd.sys. A binary diff of the patch reveals an arbitrary write primitive [4] in kernel mode (ring 0): an attacker can choose the memory address that is written to, with only limited control over the value written there. The attacker controls a 64-bit integer, `vVulnparam`, which is used in an address calculation, and has limited control over `vChannel` by opening a corresponding number of channels to the RDP service.

Affected Versions:

Windows XP, Windows 7, Server 2003, Server 2008, Server 2008 R2

Proof of Concepts (PoCs):

At the time of publication there appear to be publicly available proof-of-concepts (PoCs) that can negotiate with the RDP service and exercise the vulnerable code path but cannot gain arbitrary code execution; at worst they corrupt kernel memory, which results in a "bug check", colloquially known as the Blue Screen of Death (BSoD). Several security researchers from reputable firms have published screenshots and videos of PoCs that demonstrate the bug-check condition.

Caution: a number of fake PoCs are circulating. Some are copied from the MS12-020 vulnerability and drop malware; others are less malicious and merely play Rick Astley's "Never Gonna Give You Up" or carry out similar pranks.
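Because the public PoCs end in a bug check rather than code execution, the trace a failed attempt leaves on a host is an inbound connection to 3389 from an unexpected source followed shortly by a crash. The following PowerShell is an added example written for this advisory, not code from the advisory's author or from Microsoft: it parses Windows Firewall log lines (pfirewall.log format) for inbound 3389 traffic, treats anything outside RFC 1918 and loopback as external, and checks whether the host logged a "rebooted from a bugcheck" event (System log, ID 1001 from Microsoft-Windows-WER-SystemErrorReporting) within a short window afterwards. The log lines and event records below are constructed sample data; the ten-minute window and the private-range definition are assumptions to tune for your environment.

```powershell
# Added example, not from the advisory. Constructed pfirewall.log lines:
# fields are date time action protocol src-ip dst-ip src-port dst-port size
# tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path (17 fields).
$FirewallLog = @'
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2019-05-15 09:12:01 ALLOW TCP 10.0.5.12 10.0.0.25 50110 3389 - - - - - - - - RECEIVE
2019-05-15 09:14:20 ALLOW TCP 203.0.113.7 10.0.0.25 51234 3389 - - - - - - - - RECEIVE
2019-05-15 09:14:22 ALLOW TCP 203.0.113.7 10.0.0.25 51235 3389 - - - - - - - - RECEIVE
2019-05-15 09:14:25 DROP TCP 203.0.113.7 10.0.0.25 51236 445 52 S 1186500 0 8192 - - - RECEIVE
2019-05-15 09:20:00 ALLOW TCP 10.0.0.25 198.51.100.9 49152 443 - - - - - - - - SEND
'@ -split "`r?`n"

# Constructed stand-ins for what Get-WinEvent -LogName System returns after a
# crash: ID 1001 from WER-SystemErrorReporting is "rebooted from a bugcheck".
$SystemEvents = @(
    New-Object PSObject -Property @{ TimeCreated = [datetime]'2019-05-15 09:16:40'; Id = 1001
        ProviderName = 'Microsoft-Windows-WER-SystemErrorReporting' }
    New-Object PSObject -Property @{ TimeCreated = [datetime]'2019-05-15 09:16:45'; Id = 6005
        ProviderName = 'EventLog' }
)

function Test-PrivateIPv4 {
    # RFC 1918 and loopback count as internal; everything else is external.
    param([string]$Ip)
    $o = $Ip.Split('.') | ForEach-Object { [int]$_ }
    ($o[0] -eq 10) -or ($o[0] -eq 127) -or
        ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) -or
        ($o[0] -eq 192 -and $o[1] -eq 168)
}

function Get-InboundRdpConnections {
    # Parses firewall log lines and keeps inbound (RECEIVE) packets to port 3389.
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match '^\s*(#|$)') { continue }          # header / blank
        $f = $line.Trim() -split '\s+'
        if ($f.Count -lt 17) { continue }                   # malformed line
        if ($f[16] -ne 'RECEIVE' -or $f[7] -ne '3389') { continue }
        if ($f[4] -notmatch '^\d{1,3}(\.\d{1,3}){3}$') { continue }   # IPv4 only
        New-Object PSObject -Property @{
            Time     = [datetime]"$($f[0]) $($f[1])"
            Action   = $f[2]
            Protocol = $f[3]
            Source   = $f[4]
            Target   = $f[5]
            External = -not (Test-PrivateIPv4 $f[4])
        }
    }
}

function Find-RdpBugCheckCorrelation {
    # Per external source that reached 3389: attempt count, last attempt, and
    # whether a bug check was logged within $WindowMinutes after that attempt.
    param($Connections, $Events, [int]$WindowMinutes = 10)
    $crashes = @($Events | Where-Object { $_.Id -eq 1001 -and
        $_.ProviderName -eq 'Microsoft-Windows-WER-SystemErrorReporting' })
    $Connections | Where-Object { $_.External } |
        Group-Object Source | ForEach-Object {
            $last = ($_.Group | Sort-Object Time | Select-Object -Last 1).Time
            $hit  = $crashes | Where-Object {
                $_.TimeCreated -gt $last -and $_.TimeCreated -le $last.AddMinutes($WindowMinutes) }
            New-Object PSObject -Property @{
                Source         = $_.Name
                Attempts       = $_.Count
                LastSeen       = $last
                BugCheckWithin = [bool]$hit
            }
        }
}

# Usage with the constructed data: 203.0.113.7 shows 2 attempts and
# BugCheckWithin = True; the internal 10.0.5.12 session is not reported.
$conns = @(Get-InboundRdpConnections -Lines $FirewallLog)
Find-RdpBugCheckCorrelation -Connections $conns -Events $SystemEvents |
    Format-Table Source, Attempts, LastSeen, BugCheckWithin -AutoSize
```

Windows Firewall logging is off by default; turn it on with `netsh advfirewall set allprofiles logging allowedconnections enable` (and `droppedconnections enable`), then feed `Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"` to `Get-InboundRdpConnections` and `Get-WinEvent -LogName System` to `Find-RdpBugCheckCorrelation` in place of the constructed inputs. A hit is a prompt to pull the memory dump and check patch status, not proof of exploitation: the same pattern is produced by an unrelated crash after a legitimate remote session.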

Mitigations:

  1. Patch all vulnerable systems immediately – patches are available for both supported and out-of-support versions (Windows XP, Server 2003).
  2. Disable Remote Desktop Services, at least until the vulnerability is patched.
  3. Block TCP/3389 (and UDP/3389) at border firewalls to prevent externally launched exploits.
  4. Enable Network Level Authentication (NLA) to require authenticated connections to the RDP service. The system is still vulnerable, but an attacker must first have valid login credentials.
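The four steps above applied to a single host, as an added PowerShell example that is not part of the advisory and not Microsoft's tooling. It is written against the PowerShell 2.0 that ships with Windows 7 / Server 2008 R2 (Windows XP and Server 2003 have neither PowerShell nor `netsh advfirewall` by default), so it uses `netsh` rather than the NetSecurity cmdlets that only exist on Windows 8 and later. The registry values are the standard Terminal Server ones (`fDenyTSConnections`, `UserAuthentication`, `SecurityLayer`); the KB number of the fix differs per OS and is not given in the advisory text, so `$PatchKb` is a placeholder to fill in from the MSRC advisory.

```powershell
# Added example, not from the advisory or Microsoft. Run elevated.
# ASSUMPTION: replace the placeholder with the KB id for this OS from MSRC.
$PatchKb = 'KB<id from the MSRC advisory for this OS>'

$TsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpTcp = "$TsKey\WinStations\RDP-Tcp"

function Get-RdpExposure {
    # Reports the state of every setting the four mitigations touch.
    $ts  = Get-ItemProperty -Path $TsKey
    $tcp = Get-ItemProperty -Path $RdpTcp
    New-Object PSObject -Property @{
        Patched     = [bool](Get-HotFix -Id $PatchKb -ErrorAction SilentlyContinue)
        RdpEnabled  = ($ts.fDenyTSConnections -eq 0)
        NlaRequired = ($tcp.UserAuthentication -eq 1)
        # A TCP listener on 3389 bound to all addresses is reachable before any
        # authentication, which is exactly the exposure this bug needs.
        Listens3389 = @(netstat -an | Select-String '^\s*TCP\s+(0\.0\.0\.0|\[::\]):3389\s').Count -gt 0
    }
}

function Disable-RdpService {
    # Mitigation 2: Terminal Services refuses all new connections.
    Set-ItemProperty -Path $TsKey -Name fDenyTSConnections -Value 1 -Type DWord
}

function Enable-RdpNla {
    # Mitigation 4: require NLA (CredSSP authentication before a session is
    # created) and TLS as the security layer. Reduces, but does not remove,
    # the exposure: a valid credential still reaches the vulnerable code.
    Set-ItemProperty -Path $RdpTcp -Name UserAuthentication -Value 1 -Type DWord
    Set-ItemProperty -Path $RdpTcp -Name SecurityLayer      -Value 2 -Type DWord
}

function Block-RdpInbound {
    # Mitigation 3, host-level fallback for the border-firewall block, for both
    # TCP and UDP 3389. Windows Firewall evaluates block rules before allow
    # rules, so this also overrides the built-in "Remote Desktop" allow rule;
    # scope that rule to a management subnet instead if admins still need access.
    foreach ($proto in 'TCP', 'UDP') {
        netsh advfirewall firewall add rule name="Block RDP $proto inbound" `
            dir=in action=block protocol=$proto localport=3389 | Out-Null
    }
}

# Usage: report first, then apply an interim control only where the host is
# unpatched and still accepting RDP.
$state = Get-RdpExposure
$state | Format-List Patched, RdpEnabled, NlaRequired, Listens3389
if (-not $state.Patched -and $state.RdpEnabled) {
    # Disable-RdpService for machines nobody needs to reach remotely;
    # Enable-RdpNla plus Block-RdpInbound where administrators still need access.
    Enable-RdpNla
}
```

Changes to `fDenyTSConnections` take effect for new connections without a reboot; changing `UserAuthentication` drops clients that cannot do CredSSP (older mstsc versions and some third-party clients), so check `Get-RdpExposure` again afterwards and confirm that the patch, not the interim control, is what eventually closes the finding.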