Updated: May 23, 2019

On May 14, Microsoft announced a vulnerability in their Remote Desktop Protocol (RDP) component in many Windows operating systems. RDP is used extensively for remote access to University servers and desktop devices. This vulnerability carries a critical risk of being exploited. The impact of such an incident would potentially affect thousands of University devices. Information Security is considering the following response.   

Detect and identify all University RDP services, notify the departmental faculty, staff and system owners who can be identified so that they patch immediately, and monitor for effectiveness.

Patching is the best remediation option and must be prioritized.  There is currently no mechanism to scan for vulnerable systems.  Information Security is actively monitoring for detection tools and will update procedures and share tools as they become available. 

Install a temporary network perimeter block of RDP traffic inbound to the University. 

This block was implemented on May 16 at 1:30 PM. The block should drastically reduce the threat of internal device compromise while other mitigating options are implemented. These are the recommended options for using RDP: 
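One way to check that the perimeter block is holding and to inventory which internal hosts still receive RDP, as an added example that is not part of the advisory or of any University tool. It reads perimeter firewall log lines in a constructed format, classifies each source as VPN, campus or external, and reports any external source that was allowed through to TCP 3389 on a host without a recorded whitelist exception. The address ranges, the exception list and the log lines are all hypothetical.

```python
import ipaddress
import re
from collections import defaultdict

RDP_PORT = 3389

# Hypothetical address plan: substitute the real University ranges.
CAMPUS_NETS = [ipaddress.ip_network("142.150.0.0/16")]
VPN_POOLS = [ipaddress.ip_network("142.150.200.0/22")]   # departmental VPN pool, inside campus space
# Hosts granted a case-by-case whitelist exception (hypothetical addresses).
EXCEPTIONS = {"142.150.10.5"}

# Constructed log format: "<timestamp> <ALLOW|DENY> <proto> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed perimeter firewall log lines (not real traffic).
SAMPLE_LOG = [
    "2019-05-16T13:45:01 DENY TCP 203.0.113.7:51234 -> 142.150.10.20:3389",     # external, blocked
    "2019-05-16T13:46:10 ALLOW TCP 142.150.201.15:50001 -> 142.150.10.20:3389",  # via VPN pool
    "2019-05-16T13:47:30 ALLOW TCP 198.51.100.9:40000 -> 142.150.10.5:3389",     # external, excepted host
    "2019-05-16T13:48:02 ALLOW TCP 198.51.100.9:40001 -> 142.150.10.22:3389",    # external, NOT excepted
    "2019-05-16T13:49:00 ALLOW TCP 142.150.33.4:60000 -> 142.150.10.22:3389",    # campus-internal
    "2019-05-16T13:50:00 ALLOW TCP 198.51.100.9:40002 -> 142.150.10.22:443",     # not RDP, ignored
    "2019-05-16T13:51:00 corrupted record",                                       # unparseable
]


def classify_source(ip_text):
    """Return 'vpn', 'campus' or 'external' for a source address."""
    ip = ipaddress.ip_address(ip_text)
    if any(ip in net for net in VPN_POOLS):
        return "vpn"
    if any(ip in net for net in CAMPUS_NETS):
        return "campus"
    return "external"


def analyse(lines):
    """Inventory RDP destinations and find gaps in the inbound-3389 block.

    Returns a dict with:
      rdp_hosts  - per destination, counts of RDP connection attempts by origin
      block_gaps - destinations that external sources were ALLOWED to reach on
                   3389 without a recorded exception (the block is not effective)
      skipped    - lines that did not parse
    """
    rdp_hosts = defaultdict(lambda: {"vpn": 0, "campus": 0,
                                     "external_allowed": 0, "external_denied": 0})
    block_gaps = defaultdict(set)
    skipped = 0
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if m is None:
            skipped += 1
            continue
        if m["proto"] != "TCP" or int(m["dport"]) != RDP_PORT:
            continue                      # only inbound RDP is of interest here
        src, dst = m["src"], m["dst"]
        try:
            origin = classify_source(src)
        except ValueError:                # malformed address in the record
            skipped += 1
            continue
        counts = rdp_hosts[dst]
        if origin != "external":
            counts[origin] += 1
        elif m["action"] == "DENY":
            counts["external_denied"] += 1
        else:
            counts["external_allowed"] += 1
            if dst not in EXCEPTIONS:
                block_gaps[dst].add(src)
    return {"rdp_hosts": dict(rdp_hosts), "block_gaps": dict(block_gaps), "skipped": skipped}


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    for host, counts in sorted(report["rdp_hosts"].items()):
        print(host, counts)
    for host, sources in sorted(report["block_gaps"].items()):
        print("BLOCK GAP:", host, "reached from", ", ".join(sorted(sources)))
    print("unparsed lines:", report["skipped"])
```

Hosts listed under `rdp_hosts` are the RDP services to chase for patching; a non-empty `block_gaps` means the perimeter rule or its exception list needs correcting. Denied external attempts against a host are worth keeping as evidence of who is probing it.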

  1. Use a U of T Virtual Private Network (VPN) service  

RDP services can run over a VPN service with the perimeter block in place. Information Security recommends that departmental VPN services be used to support RDP services. UTORvpn, the University’s institutional service can also be used.

To use this option, install and connect UTORvpn, then run your RDP client over it; see:

http://vpn.utoronto.ca

  2. Use a U of T Remote Desktop Gateway (RDG) Service

RDG services are offered by departments. There is a central RDG service which can be used and requires an eToken. For detailed information, see:

Enterprise Active Directory – Remote Desktop Gateway

  3. Request an exception for patched/not-vulnerable systems

If RDP service is not available using the above workarounds and the system is patched or not vulnerable, contact Information Security for assistance in configuring a whitelist exception.  Due to technical limitations, this can only be done on a case-by-case basis and only on a limited number of hosts. Send email to security.response at utoronto.ca, providing your network and contact information.

Current Known Affected Versions 

  • Windows 7 for 32-bit Systems Service Pack 1 
  • Windows 7 for x64-based Systems Service Pack 1 
  • Windows Server 2008 for 32-bit Systems Service Pack 2 
  • Windows Server 2008 for Itanium-Based Systems Service Pack 2 
  • Windows Server 2008 for x64-based Systems Service Pack 2 
  • Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) 
  • Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1 
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) 
  • Windows XP SP3 x86 
  • Windows XP Professional x64 Edition SP2 
  • Windows XP Embedded SP3 x86 
  • Windows Server 2003 SP2 x86 
  • Windows Server 2003 x64 Edition SP2 

Recommended actions 

  • Install the latest updates for the vulnerable operating systems. 
  • Disable Remote Desktop Services if not required. If required, closely monitor network traffic and the logs of any vulnerable systems for suspicious activity. 
  • Enable Network Level Authentication (NLA) on systems running Windows 7, Windows Server 2008, and Windows Server 2008 R2. This is a partial mitigation: NLA requires the client to authenticate before the vulnerable code is reachable, so it prevents unauthenticated, worm-style spread of malware; patching is still required. 
  • Block TCP port 3389 at your perimeter, if possible.  
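To support the "closely monitor the logs of any vulnerable systems" action above, here is an added example (not part of the advisory and not a University tool) that triages exported Windows Security log records for RDP logon activity. It looks for a source that fails RDP logons against several distinct hosts (a sweep), a sweeping source that afterwards succeeds somewhere, and any successful RDP logon from outside the campus range. The event IDs and logon types are the standard Windows ones; the address ranges, host names, user names and records are constructed for this example, and the field names only mirror the event properties.

```python
import ipaddress
from collections import defaultdict

# Hypothetical University address space; substitute the real ranges.
CAMPUS_NETS = [ipaddress.ip_network("142.150.0.0/16")]
# A source that fails RDP logons against this many distinct hosts is reported as a sweep.
SWEEP_HOSTS = 3

# Standard Windows Security log semantics:
#   4624 = successful logon, 4625 = failed logon
#   LogonType 10 = RemoteInteractive (an RDP session)
#   With NLA enabled, a failed RDP authentication is commonly logged as 4625 with
#   LogonType 3 (network) because CredSSP rejects it before any session exists.
#   Type 3 also covers SMB and other network logons, so narrow this set if it is noisy.
RDP_LOGON_TYPES = {10, 3}

# Constructed records (hosts, users and addresses are invented).
SAMPLE_EVENTS = [
    {"Time": "2019-05-17T02:10:01", "EventID": 4625, "LogonType": 10, "IpAddress": "142.150.44.9",
     "TargetUserName": "Administrator", "Computer": "LAB-PC-01"},
    {"Time": "2019-05-17T02:10:03", "EventID": 4625, "LogonType": 10, "IpAddress": "142.150.44.9",
     "TargetUserName": "Administrator", "Computer": "LAB-PC-02"},
    {"Time": "2019-05-17T02:10:05", "EventID": 4625, "LogonType": 3, "IpAddress": "142.150.44.9",
     "TargetUserName": "Administrator", "Computer": "LAB-PC-03"},   # NLA-style failure
    {"Time": "2019-05-17T02:11:40", "EventID": 4624, "LogonType": 10, "IpAddress": "142.150.44.9",
     "TargetUserName": "svc-backup", "Computer": "LAB-PC-03"},      # success after the sweep
    {"Time": "2019-05-17T08:30:00", "EventID": 4624, "LogonType": 10, "IpAddress": "142.150.201.7",
     "TargetUserName": "jdoe", "Computer": "LAB-PC-01"},            # VPN user, normal
    {"Time": "2019-05-17T09:02:11", "EventID": 4624, "LogonType": 10, "IpAddress": "198.51.100.23",
     "TargetUserName": "backup", "Computer": "FILE-SRV-2"},         # external success: should not happen
    {"Time": "2019-05-17T09:15:00", "EventID": 4624, "LogonType": 2, "IpAddress": "142.150.44.9",
     "TargetUserName": "lab", "Computer": "LAB-PC-04"},             # console logon, ignored
    {"Time": "2019-05-17T09:20:00", "EventID": 4625, "LogonType": 3, "IpAddress": "-",
     "TargetUserName": "guest", "Computer": "LAB-PC-02"},           # no source address recorded
]


def is_external(ip_text):
    """True when the address parses and lies outside the campus ranges."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:          # "-", "::1", empty field, etc.
        return False
    return not any(ip in net for net in CAMPUS_NETS)


def summarise(events):
    """Group RDP logon events by source address and return the findings."""
    failures = defaultdict(set)    # source -> hosts with failed RDP logons
    successes = defaultdict(set)   # source -> hosts with successful RDP logons
    external_success = []
    for e in events:
        if e["EventID"] not in (4624, 4625) or e["LogonType"] not in RDP_LOGON_TYPES:
            continue
        src, host = e["IpAddress"], e["Computer"]
        if e["EventID"] == 4625:
            failures[src].add(host)
        else:
            successes[src].add(host)
            if is_external(src):
                external_success.append((src, host, e["TargetUserName"]))
    sweeps = {src: sorted(hosts) for src, hosts in failures.items() if len(hosts) >= SWEEP_HOSTS}
    # A sweeping source that then logged in somewhere is the first thing to look at.
    sweep_then_success = {src: sorted(successes[src]) for src in sweeps if src in successes}
    return {
        "sweeps": sweeps,
        "sweep_then_success": sweep_then_success,
        "external_success": external_success,
    }


if __name__ == "__main__":
    findings = summarise(SAMPLE_EVENTS)
    for src, hosts in findings["sweeps"].items():
        print(f"sweep from {src}: failed RDP logons on {', '.join(hosts)}")
    for src, hosts in findings["sweep_then_success"].items():
        print(f"  ...and then logged on to {', '.join(hosts)}")
    for src, host, user in findings["external_success"]:
        print(f"external RDP logon from {src} to {host} as {user}")
```

The sweep threshold and the inclusion of logon type 3 are tuning choices: on a busy file server type 3 failures are mostly SMB noise, so on such hosts restrict `RDP_LOGON_TYPES` to `{10}` or correlate with the TerminalServices logs instead.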

Contact

security.response at utoronto.ca

Please check back to this document for updated information.

References 

  • https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708 
  • https://krebsonsecurity.com/2019/05/microsoft-patches-wormable-flaw-in-windows-xp-7-and-windows-2003/