The threat
On August 13th, 2019, Microsoft announced multiple vulnerabilities in Remote Desktop Services (RDP) [1]. If exploited, an unauthenticated threat actor could execute remote code on vulnerable systems. CVE-2019-1181 and CVE-2019-1182 are rated critical due to the wide variety of vulnerable versions, while CVE-2019-1222 and CVE-2019-1226 affect fewer systems and remain unclassified. Attacks exploiting these vulnerabilities have not been identified in the wild at this time.
Due to the wide use of RDP and high value of Remote Code Execution (RCE), it is probable that exploitation will occur in the near future. Users and administrators should apply the latest Microsoft security patches as soon as possible.
What we’re doing about it
- New local MVS Windows plugins identify these vulnerabilities
- The Threat Intelligence team is monitoring this topic for additional information
What you should do about it
- After performing a business impact review, apply the latest Microsoft security patches
- If RDP is not actively required, consider disabling the service or limiting access
- If RDP is required, enable Network-Level Authentication (NLA) for all RDP exposed systems
- Note: This precaution prevents unauthenticated attacks, but does not prevent RCE
Additional information
The major concern relating to CVE-2019-1181 and CVE-2019-1182 is wormability. If incorporated into existing malware types, the RDP vulnerabilities could be made to facilitate rapid malware spread. This risk may also be present in CVE-2019-1222 and CVE-2019-1226, but this remains unconfirmed at this time.
At the time of writing, Microsoft has disabled updates on machines running Symantec or Norton antivirus solutions, due to compatibility issues [2].
Affected Versions (CVE-2019-1181 and CVE-2019-1182):
- Windows 7 SP1
- Windows Server 2008 R2 SP1
- Windows Server 2012 (incl. Server Core installation)
- Windows Server 2012 R2
- Windows Server 2016 (incl. Server Core installation)
- Windows Server 2019 (incl. Server Core installation)
- Windows Server, version 1803 (Server Core Installation)
- Windows Server, version 1903 (Server Core installation)
- Windows RT 8.1
- Windows 8.1
- Windows 10 Version 1607
- Windows 10 Version 1703
- Windows 10 Version 1709
- Windows 10 Version 1803
- Windows 10 Version 1809
- Windows 10 Version 1903
Affected Versions (CVE-2019-1222 and CVE-2019-1226):
- Windows 10 Version 1803
- Windows 10 Version 1809
- Windows 10 Version 1903
- Windows Server 2019 (incl. Server Core installation)
- Windows Server, version 1803 (Server Core Installation)
- Windows Server, version 1903
References:
[1] https://msrc-blog.microsoft.com/2019/08/13/patch-new-wormable-vulnerabilities-in-remote-desktop-services-cve-2019-1181-1182/
[2] https://support.microsoft.com/en-us/help/4512486/windows-7-update-kb4512486
[3] https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1181
[4] https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1182
[5] https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1222
[6] https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1226
