Vulnerable Operating Systems:<\/u><\/h2>\n\n- Windows 2003<\/li>\n
- Windows XP<\/li>\n
- Windows 7<\/li>\n
- Windows Server 2008<\/li>\n
- Windows Server 2008 R2<\/li>\n<\/ul>\n
Worms are viruses which primarily replicate on networks. A worm will typically execute itself automatically on a remote machine without any extra help from a user. If a virus\u2019 primary attack vector is via the network, then it should be classified as a worm.<\/p>\n
The Remote Desktop Protocol (RDP) enables connection between a client and endpoint, defining the data communicated between them in virtual channels. Virtual channels are bidirectional data pipes which enable the extension of RDP. Windows Server 2000 defined 32 Static Virtual Channels (SVCs) with RDP 5.1, but due to limitations on the number of channels further defined Dynamic Virtual Channels (DVCs), which are contained within a dedicated SVC. SVCs are created at the start of a session and remain until session termination, unlike DVCs which are created and torn down on demand.<\/p>\n
It\u2019s this 32 SVC binding which CVE-2019-0708 patch fixes within the _IcaBindVirtualChannels<\/em> and _IcaRebindVirtualChannels<\/em> functions in the RDP driver termdd.sys. As can been seen in figure 1, the RDP Connection Sequence connections are initiated and channels setup prior to Security Commencement, which enables CVE-2019-0708 to be wormable since it can self-propagate over the network once it discovers open port 3389.<\/p>\n <\/p>\n
![\"\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2019\/05\/Screen-Shot-2019-05-21-at-2.02.33-PM.png\")
<\/p>\n
Worms are viruses which primarily replicate on networks. A worm will typically execute itself automatically on a remote machine without any extra help from a user. If a virus\u2019 primary attack vector is via the network, then it should be classified as a worm.<\/p>\n
The Remote Desktop Protocol (RDP) enables connection between a client and endpoint, defining the data communicated between them in virtual channels. Virtual channels are bidirectional data pipes which enable the extension of RDP. Windows Server 2000 defined 32 Static Virtual Channels (SVCs) with RDP 5.1, but due to limitations on the number of channels further defined Dynamic Virtual Channels (DVCs), which are contained within a dedicated SVC. SVCs are created at the start of a session and remain until session termination, unlike DVCs which are created and torn down on demand.<\/p>\n
It\u2019s this 32 SVC binding which CVE-2019-0708 patch fixes within the _IcaBindVirtualChannels<\/em> and _IcaRebindVirtualChannels<\/em> functions in the RDP driver termdd.sys. As can been seen in figure 1, the RDP Connection Sequence connections are initiated and channels setup prior to Security Commencement, which enables CVE-2019-0708 to be wormable since it can self-propagate over the network once it discovers open port 3389.<\/p>\n <\/p>\n<\/p>\n
![\"\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2019\/05\/Picture2.png\")
<\/p>\n![\"\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2019\/05\/Screen-Shot-2019-05-21-at-5.22.08-PM.png\")
<\/p>\n![\"\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2019\/05\/Picture4.png\")
<\/p>\n![\"\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2019\/05\/Screen-Shot-2019-05-21-at-5.22.19-PM.png\")
<\/p>\n![\"\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2019\/05\/Picture6.png\")
<\/p>\n