This blog was authored by Brandon Stultz
Microsoft recently released fixes for a critical pre-authentication remote code execution vulnerability in Remote Desktop Protocol Servierces (RDP). Identified as CVE-2019-0708 in May’s Patch Tuesday, the vulnerability caught the attention of researchers and the media due to the fact that it was “wormable,” meaning an attack exploiting this vulnerability could easily spread from one machine to another.
Cisco Talos started reverse-engineering work immediately to determine how exactly RDP was vulnerable. Talos wrote and released coverage as soon as we were able to determine the vulnerability condition. SID 50137 for SNORT® correctly blocks exploitation of CVE-2019-0708 and scanning attempts that leverage this vulnerability.