Our security partner Dell Secureworks have advised of a publicly available proof of concept exploit vulnerabilities (CVE-2019-1181, CVE-2019-1182) disclosed by Microsoft on August 13, 2019. These flaws in the Microsoft Remote Desktop Protocol (RDP) affect multiple Windows releases and were addressed in Microsoft’s August 2019 security updates. Dell Secureworks are unaware of available PoC exploits as of this publication.
Similar to RDP vulnerability CVE-2019-0708 (also known as BlueKeep https://www.empsn.org.uk/2019/06/04/rdp-vulnerability-cve-2019-0708/), Microsoft indicated that these vulnerabilities could be automatically exploited by a worm. A worm could enable the rapid spread of malware through an organization depending on the level of network segmentation and other security controls. This vulnerability can be exploited by unauthenticated attackers if Network Level Authentication (NLA) for RDP is not enabled. Systems with NLA enabled are also vulnerable to remote code execution if the attacker has valid credentials and can authenticate successfully.
Recommended actions
Members are strongly advised to review firewall rules regularly and to be aware of what you are exposing to the Internet, https://www.empsn.org.uk/knowledge-base/reviewing-firewall-rules/
Recommendations are that clients apply the security updates as soon as possible. Other actions that may mitigate this issue include disabling Remote Desktop Services if not required and enabling NLA on systems running Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, and Windows 10 (including server versions). If possible, clients should consider blocking TCP port 3389 at the perimeter firewall: however, unpatched systems will still be vulnerable from within the school network. Clients are encouraged to evaluate if existing network segmentation and security controls are sufficient for limiting the impact of potential worm activity within their networks.
Questions
If you have any questions or concerns about this advisory, please get intouch with us – support@empsn.org.uk
References
https://msrc-blog.microsoft.com/2019/08/13/patch-new-wormable-vulnerabilities-in-remote-desktop-services-cve-2019-1181-1182/
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1181
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1182