By Selena Larson, K. Reid Wightman

Microsoft released a security advisory on May 14 for a vulnerability it says could enable a wormable malware attack similar to WannaCry. The WannaCry ransomware attack had disastrous effects and impacted businesses worldwide, including industrial control system (ICS) entities like automotive manufacturers, rail service providers, and some U.S. utilities. So, Microsoft’s warning greatly concerns ICS asset owners-operators.

The vulnerability lies in Remote Desktop Services used worldwide by many industrial environments to enable remote operators and engineers to access control system environments. Specifically, an adversary can attack a computer running this service allowing them to delete files, make changes to data, or create accounts with administrative privileges, or launch a malware attack.

ICS environments are at greater risk of attackers exploiting this vulnerability due to such environments operating older Windows systems and systems that receive less frequent updates. Engineering workstations (EWS), human machine interfaces (HMIs), data historians, and OPC servers all run Windows operating systems.

Windows 8 and 10, and Server 2012 and newer users are not affected by this vulnerability, meaning many consumers do not have to worry about patching. It is, however, a major issue for older Windows operating systems.

The flaw (CVE-2019-0708) affects Windows 7, Windows Server 2008 R2, Windows Server 2008, Windows 2003 and Windows XP. Microsoft has issued updates for all affected systems including pushing patches for Windows 2003 and Windows XP which are no longer officially supported by Microsoft and generally do not receive new security updates.

There is a partial fix for some systems affected by the RDP vulnerability. Systems that have Network Level Authentication (NLA) enabled are protected against wormable malware that could exploit the vulnerability because NLA requires user credentials before the vulnerability can be triggered. NLA is a security mechanism for ensuring the people who want to remotely login to computers are authenticated before they can connect. However, if an attacker has stolen legitimate credentials, they can authenticate as a real user and bypass this protection.

Ordinarily service permissions would play an important role in the outcome of exploitation of a memory corruption bug. Dragos initially reported that the vulnerability’s impact would depend upon the version of Windows affected. However, this is incorrect in this specific instance.

While Terminal Services / Remote Desktop Services run with different privileges depending upon which version of Windows is affected (SYSTEM privileges on Server 2003 / Windows XP, and Network Service privileges on Server 2008 / Server 2008 R2 / Windows 7), the bug itself is triggered by an unauthenticated request that is passed into a Windows driver, specifically to a device driver called termdd.sys.

The memory corruption thus happens inside of kernel memory, which can allow code to run with kernel privileges. Once code is executing with kernel privileges, there are several techniques to acquire SYSTEM-level privileges. Thus, the vulnerability can grant SYSTEM privileges to an attacker, regardless of the operating system in use.

Exploitation of the vulnerability has not yet been observed in the wild. However, Microsoft has a working proof of concept, and it is likely adversaries will incorporate this vulnerability into attacks soon.

In ICS, system reliability is crucial, and taking machines offline to receive patches means experiencing potential downtime and loss of production, and potentially, revenue. This balancing act often favors foregoing necessary security updates in order to keep operations up and running. But patches for some vulnerabilities such as CVE-2019-0708 or MS17-010 (patches for WannaCry) are vital to apply. Asset owners and operators should test Microsoft’s recently released patches on test devices and then patch production devices as soon as possible. This is especially important for DMZ Jump Box systems, which may have exposure to corporate networks and would be the initial ICS entry point for any future worm which uses this vulnerability.

As we explained in the Dragos 2018 year in review report, commodity malware and wormable ransomware causing ICS infections contributed to greater risk within the ICS space last year, and this is likely to continue throughout 2019.

Full reports on this vulnerability and all threats, vulnerabilities, cyber events, and adversaries related to ICS are available to Dragos WorldView Threat Intelligence customers.

Correction: This post has been updated to reflect the memory corruption happens in the kernel and Windows versioning does not matter to exploit the vulnerability. Dragos regrets the error and thanks researchers within the community for noting the SYSTEM privilege details.