Update: Remote Desktop Services Remote Code Execution Vulnerability May 16, 2019, 08:20

Update: May 16, 2019, 08:18 PT

The UBC Cybersecurity team has been made aware that exploit developers have created successful proof of concept code which exploits the critical Remote Desktop Services (RDS) remote code execution vulnerability (CVE-2019-0708). Microsoft released patches for this vulnerability on May 14, 2019. The UBC Cybersecurity team highly recommends that all effected versions of RDS (Windows XP through Windows 7 or Windows Server 2003 through 2008 R2) are patched immediately and that RDS is disabled unless required for operational purposes.


May 15, 2019, 21:20 PT

Please be advised: the Cybersecurity team is aware of critical vulnerabilities that have been identified in the Microsoft Remote Desktop application. These vulnerabilities affect Windows systems with Remote Desktop Services enabled that are running Windows XP through Windows 7 or Windows Server 2003 through 2008 R2.

Please note, this does *not* apply to Windows 8 or Windows 10 systems, or Windows Server 2012 and greater.

Why action on this advisory is critical

This vulnerability allows for full remote code execution meaning systems exploited through this vulnerability could be easily configured to automatically exploit other, network adjacent systems.  For this reason, it is critical to ensure that systems are patched even if you believe they are not exposed.

This vulnerability is serious enough that Microsoft has released patches to address the issue even though the affected operating systems are out-of-support.

Action Required

If you are on an out-of-support version, the best way to address this vulnerability is to upgrade to the latest version of Windows.

Patch immediately!

If you cannot install the patch, disable Remote Desktop Services. If you cannot disable Remote Desktop Services, ensure that off-campus access to Remote Desktop is blocked for any affected systems. UBC blocks Remote Desktop Services on port 3389 at our border to the internet, but clients running Remote Desktop Services on non-standard ports may still be vulnerable.

If you can do neither, contact security@ubc.ca to discuss mitigation options.

References: