Wormable Vulnerabilities in Microsoft RDS

Summary

Microsoft have released a set of security fixes for two new critical remote code execution (RCE) vulnerabilities affecting Remote Desktop Services (CVE-2019-1181 and CVE-2019-1182), which, like the previously fixed ‘BlueKeep’ vulnerability (CVE-2019-0708), are wormable.

This means that any malware that utilizes these vulnerabilities can propagate both within networks and to other networks, as the destructive WannaCry ransomware did.

 

How it works

To exploit these vulnerabilities, an attacker would need to send a specially crafted request to the target system’s Remote Desktop Service via RDP. As the vulnerabilities are pre-authentication, no user interaction is required and an unauthenticated attacker could execute arbitrary code on the target system.

Affected versions of Windows include:

  • Windows 7 SP1
  • Windows Server 2008 R2 SP1
  • Windows Server 2012
  • Windows 8.1
  • Windows Server 2012 R2
  • All supported versions of Windows 10, including server versions

Windows XP, Windows Server 2003, and Windows Server 2008 are not affected, nor is the Remote Desktop Protocol (RDP) itself.

 

Potential risk to business

If exploitation is successful, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights.

Once a device has been compromised, the worm capabilities could allow the malware to propagate and infect further vulnerable devices.

Since the introduction of the General Data Protection Regulation (GDPR), a data breach not only causes embarrassment, brand image damage, loss of customer trust and financial theft, but also has the potential to lead to significant fines.

 

How to mitigate

Enabling Network Level Authentication (NLA) on systems would mitigate unauthenticated attacks. However, an attacker with valid credentials would still be able to authenticate and exploit the vulnerability, so NLA reduces exposure but does not replace the patch.

It is recommended to apply the patch released by Microsoft as soon as possible, or disable the service completely if it is no longer required.

It is also important that regular security patching occurs across your entire estate to ensure all software and hardware is protected against the latest vulnerabilities, which in turn lowers the chance of being compromised.

Further information about Microsoft security releases and downloads can be found at https://portal.msrc.microsoft.com/en-us/security-guidance
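
A local check of the three mitigations described under "How to mitigate" (service disabled, NLA required, patch installed), as an added example that is not part of the original advisory or Microsoft's own tooling. The function name Get-RdsExposure is hypothetical, and KB0000000 is a placeholder because this page lists no KB numbers; take the correct ones for each OS from Microsoft's guidance.

```powershell
function Get-RdsExposure {
    param(
        # KB number(s) Microsoft lists for this OS build (not given on this page).
        [Parameter(Mandatory = $true)][string[]]$RequiredKB
    )
    $ts     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

    # Return the first value found; Group Policy is listed first because it
    # overrides the local setting.
    function Read-Dword($Paths, $Name) {
        foreach ($p in $Paths) {
            $v = (Get-ItemProperty -Path $p -Name $Name -ErrorAction SilentlyContinue).$Name
            if ($null -ne $v) { return [int]$v }
        }
    }

    # fDenyTSConnections = 0 means Remote Desktop connections are accepted.
    $rdpEnabled = (Read-Dword -Paths $policy, $ts -Name 'fDenyTSConnections') -eq 0
    # UserAuthentication = 1 means NLA is required before a session is created.
    $nla = (Read-Dword -Paths $policy, "$ts\WinStations\RDP-Tcp" -Name 'UserAuthentication') -eq 1
    $svc = Get-Service -Name TermService -ErrorAction SilentlyContinue
    $status = if ($svc) { "$($svc.Status)" } else { 'NotInstalled' }

    # Get-HotFix matches the exact KB only; a later cumulative update that
    # supersedes it shows as missing here, so confirm any miss by hand.
    $missing = @($RequiredKB | Where-Object {
        -not (Get-HotFix -Id $_ -ErrorAction SilentlyContinue) })

    if (-not $rdpEnabled)         { $finding = 'RDP connections disabled' }
    elseif ($missing.Count -eq 0) { $finding = 'RDP enabled, patch present' }
    elseif ($nla)                 { $finding = 'UNPATCHED, NLA on: exposed to holders of valid credentials' }
    else                          { $finding = 'UNPATCHED, NLA off: exposed before authentication' }

    New-Object PSObject -Property @{
        ComputerName  = $env:COMPUTERNAME
        RdpEnabled    = $rdpEnabled
        NlaRequired   = $nla
        ServiceStatus = $status
        MissingKB     = $missing -join ','
        Finding       = $finding
    } | Select-Object ComputerName, RdpEnabled, NlaRequired, ServiceStatus, MissingKB, Finding
}

# KB0000000 is a placeholder, not a real update id.
Get-RdsExposure -RequiredKB 'KB0000000' | Format-List
```

Run it from an elevated prompt on each host; it only reads registry values, service state and the installed-update list, and changes nothing.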