
Perimeter

5/17/2019
01:49 PM

When Older Windows Systems Won't Die

Microsoft's decision to patch unsupported machines for the critical CVE-2019-0708 flaw is a reminder that XP, 2003, and other older versions of Windows still run in some enterprises.

In a week when multiple vulnerabilities made headlines, a standout was CVE-2019-0708: a critical remote code execution (RCE) bug in Windows' Remote Desktop Services (RDS), formerly Terminal Services, affecting several in-support and out-of-support versions of Windows.

Microsoft reports that the RCE flaw, which has not yet been seen exploited in the wild, could be weaponized as a worm if exploited. The vulnerability is pre-authentication and requires no user interaction. Any future malware could propagate from vulnerable computer to vulnerable computer, similar to the way WannaCry spread to machines around the world in 2017.

How it works: an attacker connects to a target system over Remote Desktop Protocol (RDP), without needing to authenticate, and sends specially crafted requests. The RDP protocol itself is not vulnerable, but it is part of the attack chain. If successful, the attacker could execute malicious code on the target system; install programs; view, edit, or delete data; or create new accounts with full user rights.

The fear of cybercriminals writing exploits for the bug prompted Microsoft to release security fixes and workarounds for older versions of Windows: Windows 2003 and XP, in addition to the still-supported Windows 7, Server 2008, and Server 2008 R2. In a blog post on the update, Simon Pope, director of the Microsoft Security Response Center (MSRC), called the out-of-band patch "unusual" and urged businesses to patch all affected systems as quickly as possible to prevent an attack.

But while a legacy patch may be rare for Microsoft, it comes with good reason: many companies still run older versions of Windows because system upgrades are complicated and disruptive. Leaving those systems without a patch for the new, wormable RCE flaw would leave them exposed to such attacks.

After Microsoft disclosed the flaw, Alert Logic researchers scanned more than 4,000 customer sites to determine which were vulnerable. Of those, they found 61% of workloads run Windows 7 and Windows 2008, and 2.4% run Windows XP and 2003 – meaning nearly two-thirds of all businesses included are using older or unsupported versions of the operating system.

"One of the reasons that small and medium-sized businesses were particularly affected is due to the fact that these organizations are more likely to run older systems, as their budgets and staffing constraints make it harder to upgrade," says Rohit Dhamankar, vice president of threat intelligence products at Alert Logic, adding that constant monitoring for them is "essential."

Kelly White, founder and CEO at RiskRecon, says it's "highly likely" cybercriminals are developing an exploit for this particular bug. Similar to the flaw exploited in the WannaCry campaign, CVE-2019-0708 has several traits to motivate attackers: exploitation yields remote system compromise, the service is commonly exposed online, it is remotely exploitable, and it doesn't require authentication to execute. A RiskRecon analysis of 10,000 companies showed 13% operate RDP on Internet-facing systems, putting them at higher risk for attack.

"Due to those factors, it's the perfect combination that motivates security researchers and exploit writers to write the exploit code for this, because a lot can be gained," he explains. "For the hackers, it's gold."

As we saw with WannaCry, thousands of legacy systems remain unpatched because they're running fragile software stacks nobody wants to touch, notes Satya Gupta, cofounder and CTO at Virsec. But patching is always slower and more difficult than organizations want to admit, because it is a disruptive process that can cause unintended problems. While businesses should act on Microsoft's alerts as soon as possible, the problem of "unpatchable" systems remains.

For Industrial Control Systems, Patching is Perilous

"Microsoft used a few key words in their advisory that should get everyone's attention: WannaCry, worm, pre-authentication, and remote code execution," says David Atch, vice president of security research at CyberX, a Boston-based IoT and ICS security company. In a recent analysis of traffic from more than 850 production OT networks, CyberX found 53% of sites were still running outdated versions of Windows, including Windows XP and 2000. Forty percent of industrial sites have at least one direct connection to the Internet.

Industrial firms will remember the damage caused by WannaCry, which "spread like wildfire" and disrupted production at Boeing, Honda, Nissan, Renault, FedEx, and Telefonica, he adds. CVE-2019-0708 gives attackers the ability to install backdoors, ransomware, and cryptomining malware on ICS/SCADA systems to disable safety controllers or shut down manufacturing lines. Many industrial companies rely on RDS to give remote operators and engineers access to control system environments. An attacker could target one machine to install code that could wreak havoc across the network.

"ICS environments are at greater risk of attackers exploiting this vulnerability due to such environments operating older Windows systems and systems that receive less frequent updates," explain Dragos intelligence analyst Selena Larson and vulnerability analyst K. Reid Wightman in a blog post on the bug. Engineering workstations, human-machine interfaces, data historians, and OPC servers all run Windows, they point out.

Unlike most IT systems, where "just patch" is the usual advice, Atch notes that patching ICS systems is a challenge because the process causes downtime and may bring instability to production processes. "Upgrading to newer versions of Windows is also challenging because many of these systems are still running applications that were developed 10 or 15 years ago – especially in manufacturing environments – and upgrading them may cause applications to stop working, requiring access to developers that may no longer be available," he says.

Atch recommends a risk-based approach: prioritize patching for Internet-facing systems and for corporate jumpbox systems that provide secure remote access from the IT network to the ICS network. He also advises segmenting the OT network and isolating it from the IT network, to prevent the spread of malware in the event of an attack.
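The triage Atch describes can be written down as a repeatable rule set rather than left to judgement during an incident. The script below is an added example, not code from Dark Reading, Microsoft, CyberX or any other party quoted here. It takes an asset inventory (the records, host names and field names are constructed for the example) and orders hosts for patching in the sequence the article argues for: Internet-facing RDP first, IT-to-OT jump hosts next, then unsupported XP/2003 hosts that need the out-of-band update, then the remaining affected versions. It also reproduces the kind of supported/unsupported breakdown Alert Logic reported, so a team can see how much of its own estate is in the legacy bucket.

```python
"""Risk-based patch triage for CVE-2019-0708 (example code, not from the article).

Affected OS list is the one the article reports from Microsoft's advisory.
Inventory records below are constructed sample data."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Out-of-support versions that received the out-of-band update.
UNSUPPORTED_AFFECTED = {"Windows XP", "Windows Server 2003"}
# Still-supported versions the article lists as affected.
SUPPORTED_AFFECTED = {"Windows 7", "Windows Server 2008", "Windows Server 2008 R2"}
AFFECTED = UNSUPPORTED_AFFECTED | SUPPORTED_AFFECTED

TIER_LABELS = {
    1: "Internet-facing RDS: patch or remove exposure immediately",
    2: "IT-to-OT jumpbox: patch before the OT hosts it reaches",
    3: "Unsupported OS (XP/2003): apply out-of-band update, plan replacement",
    4: "Supported affected OS: patch in the emergency cycle",
    5: "RDS not enabled: still apply the update, lower urgency",
}


@dataclass
class Host:
    """One inventory record (field names are assumptions for this example)."""
    name: str
    os: str
    rdp_enabled: bool
    internet_facing: bool
    role: str = "workstation"   # e.g. "jumpbox", "hmi", "historian"
    network: str = "IT"         # "IT" or "OT"


def tier_for(h: Host) -> Optional[int]:
    """Priority tier (1 = most urgent); None if the OS is not on the affected list."""
    if h.os not in AFFECTED:
        return None
    if not h.rdp_enabled:
        return 5
    if h.internet_facing:
        return 1
    if h.role == "jumpbox":
        return 2
    if h.os in UNSUPPORTED_AFFECTED:
        return 3
    return 4


def prioritize(hosts: List[Host]) -> Dict[int, List[str]]:
    """Group affected hosts by tier, most urgent first, preserving inventory order."""
    buckets: Dict[int, List[str]] = {}
    for h in hosts:
        t = tier_for(h)
        if t is not None:
            buckets.setdefault(t, []).append(h.name)
    return dict(sorted(buckets.items()))


def legacy_share(hosts: List[Host]) -> Dict[str, float]:
    """Fraction of the inventory on unsupported vs. supported-but-affected versions."""
    n = len(hosts)
    unsupported = sum(h.os in UNSUPPORTED_AFFECTED for h in hosts)
    supported = sum(h.os in SUPPORTED_AFFECTED for h in hosts)
    return {"unsupported": unsupported / n, "supported_affected": supported / n}


# Constructed sample inventory; nothing here describes a real environment.
SAMPLE_INVENTORY = [
    Host("rdgw-01", "Windows Server 2008 R2", True, True, role="rd-gateway"),
    Host("jump-ot-01", "Windows 7", True, False, role="jumpbox"),
    Host("hmi-line3", "Windows XP", True, False, role="hmi", network="OT"),
    Host("hist-01", "Windows Server 2003", True, False, role="historian", network="OT"),
    Host("eng-ws-07", "Windows 7", True, False, role="engineering"),
    Host("fileserv-02", "Windows Server 2008", False, False, role="server"),
    Host("ws-2019-01", "Windows 10", True, True),  # not on the article's affected list
]

if __name__ == "__main__":
    for tier, names in prioritize(SAMPLE_INVENTORY).items():
        print(f"Tier {tier} - {TIER_LABELS[tier]}: {', '.join(names)}")
    share = legacy_share(SAMPLE_INVENTORY)
    print(f"unsupported: {share['unsupported']:.1%}, "
          f"supported affected: {share['supported_affected']:.1%}")
```

The jumpbox rule sits above the unsupported-OS rule deliberately: in the article's model the jump host is the path from IT into OT, so a compromised one exposes every legacy HMI and historian behind it, whereas a segmented XP HMI with no route from the IT network is only reachable after that pivot. Hosts with RDS disabled still get the update, because the exposure returns the moment someone re-enables the service.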


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...

Comments

REISEN1955, User Rank: Ninja, 5/17/2019 | 3:34:06 PM
On Legacy systems
In almost every network there are those few systems that somehow belong to somebody else, managed by nobody and cared for by nobody. UPS shipping systems come to mind, often in an inventory area (unusually messy and dirt prone). They are the property of a shipping something and have the OS under upgrade by that somebody. Which is to say rarely are they patched, monitored or watched. Ergo - perfect infection points, and there are a lot of these out there. Second are true legacy systems for software that only works on XP or some such thing and is rarely used. We had one at Aon, a Prolinea with ancient Windows with a tape drive (reel) that occasionally was used when data arrived from a client. It was a true lone system. These can be scattered around too and also, if networked, perfect infection points. A hospital had a Windows for Workgroups V3.11 system working as a server. TRUE - my business continuity consultant saw it, and it was on a cinderblock too, as the closet it was in tended to flood. GREAT infection point. Don't laugh - these old dogs are out there. (The hospital had an IBM mainframe covered by a blue tarp as there was a ceiling leak in the data center.)