
WORMABLE VULNERABILITIES IN MICROSOFT RDS


27.09.2019 - ADVISORIES

Event Summary:


Microsoft have released a set of security fixes for two new critical remote code execution (RCE) vulnerabilities affecting Remote Desktop Services (CVE-2019-1181 and CVE-2019-1182), which, like the previously fixed ‘BlueKeep’ vulnerability (CVE-2019-0708), are wormable.

This means that any malware exploiting these vulnerabilities can propagate both within networks and to other networks, as the destructive WannaCry ransomware did.


How it Works:


To exploit these vulnerabilities, an attacker would need to send a specially crafted request to the target system’s Remote Desktop Service via RDP. As the vulnerabilities are pre-authentication, no user interaction is required and an unauthenticated attacker could execute arbitrary code on the target system.


Affected versions of Windows include:


  • Windows 7 SP1
  • Windows Server 2008 R2 SP1
  • Windows Server 2012
  • Windows 8.1
  • Windows Server 2012 R2
  • All supported versions of Windows 10, including server versions


Windows XP, Windows Server 2003, and Windows Server 2008 are not affected, nor is the Remote Desktop Protocol (RDP) itself.


Potential risk to business:


If successful, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights.

Once a device has been compromised, the worm capabilities could allow the malware to propagate and infect further vulnerable devices.


Since the introduction of the General Data Protection Regulation (GDPR), a data breach not only causes embarrassment, brand image damage, loss of customer trust and financial theft, but also has the potential to lead to significant fines.


How to mitigate:


Enabling Network Level Authentication (NLA) on systems would mitigate unauthenticated attacks. However, an attacker with valid credentials would still be able to authenticate and exploit the vulnerability.


It is recommended to apply the patch released by Microsoft as soon as possible, or disable the service completely if it is no longer required.


It is also important that regular security patching occurs across your entire estate to ensure all software and hardware is protected against the latest vulnerabilities, which in turn lowers the chance of being compromised.


Further information about Microsoft security releases and downloads can be found at https://portal.msrc.microsoft.com/en-us/security-guidance
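
The checks implied by the mitigations above (is RDP enabled, is NLA enforced, is the update installed) can be run as a read-only PowerShell audit on a single host. This is an added example, not part of the original advisory or Microsoft's guidance; `KB0000000` is a placeholder for the update ID that applies to your Windows build, and `Get-RdpSetting` is a hypothetical helper name.

```powershell
# Added example: read-only audit of the local host against this advisory's mitigations.
param(
    # Placeholder only: substitute the update ID(s) Microsoft lists for your Windows build.
    [string[]]$RequiredKb = @('KB0000000')
)

$local  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RdpSetting([string]$Name, [string]$LocalPath) {
    # A Group Policy value, when present, overrides the local setting.
    foreach ($path in @($policy, $LocalPath)) {
        $item = Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { return $item.$Name }
    }
    return $null
}

# fDenyTSConnections = 0 means inbound Remote Desktop connections are accepted.
$rdpEnabled  = (Get-RdpSetting 'fDenyTSConnections' $local) -eq 0
# UserAuthentication = 1 means NLA is required before a session is created.
$nlaRequired = (Get-RdpSetting 'UserAuthentication' "$local\WinStations\RDP-Tcp") -eq 1

$service   = Get-Service -Name TermService -ErrorAction SilentlyContinue
$installed = @(Get-HotFix -ErrorAction SilentlyContinue |
               Select-Object -ExpandProperty HotFixID)
$missingKb = @($RequiredKb | Where-Object { $installed -notcontains $_ })

# Order matters: a missing update on a host with RDP open and no NLA is the worst case.
$finding = if ($missingKb.Count -eq 0) {
    'Listed update(s) installed'
} elseif (-not $rdpEnabled) {
    'Listed update missing; RDP connections are disabled'
} elseif ($nlaRequired) {
    'Listed update missing; NLA restricts exposure to authenticated users'
} else {
    'Listed update missing and RDP reachable pre-authentication: patch first'
}

[pscustomobject]@{
    Computer      = $env:COMPUTERNAME
    RdpEnabled    = $rdpEnabled
    NlaRequired   = $nlaRequired
    ServiceStatus = if ($service) { $service.Status } else { 'NotFound' }
    MissingKb     = $missingKb -join ', '
    Finding       = $finding
}
```

`Get-HotFix` matches update IDs exactly, so a host patched through a later cumulative update will still show the listed ID as missing; confirm against the OS build number before treating it as unpatched.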





