Service Updates

15/08/2019

RDP Vulnerability CVE-2019-1181 CVE-2019-1182

Our security partner Dell Secureworks have advised of a publicly available proof of concept exploit vulnerabilities (CVE-2019-1181, CVE-2019-1182) disclosed by Microsoft on August 13, 2019. These flaws in the Microsoft Remote Desktop Protocol (RDP) affect multiple Windows releases and were addressed in Microsoft’s August 2019 security updates. Dell Secureworks are unaware of available PoC exploits as of this publication.

Similar to RDP vulnerability CVE-2019-0708 (also known as BlueKeep https://www.empsn.org.uk/2019/06/04/rdp-vulnerability-cve-2019-0708/), Microsoft indicated that these vulnerabilities could be automatically exploited by a worm. A worm could enable the rapid spread of malware through an organization depending on the level of network segmentation and other security controls. This vulnerability can be exploited by unauthenticated attackers if Network Level Authentication (NLA) for RDP is not enabled. Systems with NLA enabled are also vulnerable to remote code execution if the attacker has valid credentials and can authenticate successfully.

Recommended actions

Members are strongly advised to review firewall rules regularly and to be aware of what you are exposing to the Internet, https://www.empsn.org.uk/knowledge-base/reviewing-firewall-rules/

Recommendations are that clients apply the security updates as soon as possible. Other actions that may mitigate this issue include disabling Remote Desktop Services if not required and enabling NLA on systems running Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, and Windows 10 (including server versions). If possible, clients should consider blocking TCP port 3389 at the perimeter firewall: however, unpatched systems will still be vulnerable from within the school network. Clients are encouraged to evaluate if existing network segmentation and security controls are sufficient for limiting the impact of potential worm activity within their networks.

Questions

If you have any questions or concerns about this advisory, please get intouch with us – support@empsn.org.uk

References

https://msrc-blog.microsoft.com/2019/08/13/patch-new-wormable-vulnerabilities-in-remote-desktop-services-cve-2019-1181-1182/
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1181
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1182

Related Posts

01/03/2024
P1 Incident Resolved – *16 Sites* Impacted across the emPSN Estate – INC02982536

Update 01/03/2024 06:45: Nasstar has resolved the P1 Issue and continues to contact individual sites to ensure services have been restored. Fault Resolution: Faulty fibre within Nasstar Core Network

Service Updates
19/04/2023
emPSN Core Internet Upgrade

In early May, we are upgrading our current Janet Internet Connections from 20Gb to 40Gb, doubling internet capacity allowing for future growth as our schools continue to demand higher bandwidth to meet the Department of… More »

Service Updates
21/02/2023
Planned Works – emPSN Firewall Replacement

What are we doing emPSN plan to replace their existing core firewalls on 04/04/2023 from 18:00. The planned works will take around 4 hours and over this period there will be disruption to all of… More »

Service Updates

Keeping Up To Date With Us Is Easy, Sign Up To Our Newsletter Today!

Stay in touch with emPSN, so that you get the latest e-safety advice and invites to our community events.

Our partners