Threat Response: Microsoft Remote Desktop Services RCE

14-08-2019

Last Tuesday, 13th of August, information regarding new vulnerabilities in Microsoft Remote Desktop Services (RDS) was published. This concerns vulnerabilities that allow an attacker to perform remote code execution (RCE) without user interaction on a system that offers RDS. The vulnerabilities in question were discovered by Microsoft during hardening of RDS.

These vulnerabilities were assigned the CVE numbers CVE-2019-1181, CVE-2019-1182, CVE-2019-1222 and CVE-2019-1226. Microsoft states that CVE-2019-1181 and CVE-2019-1182 are the most critical of the RDS vulnerabilities, since these can be exploited on recent versions of Windows [1].

Besides these RDS vulnerabilities, Microsoft also discovered other critical vulnerabilities in various applications and services, including DHCP Client, DHCP Server and Microsoft Office. For a complete overview of affected applications and services, see [2].

Description

The RDS vulnerabilities were discovered in a component of RDS that is responsible for handling incoming Remote Desktop Protocol (RDP) connections. This makes it possible for an attacker to gain access to the target system by sending specially crafted requests to the target, even before authentication has been performed.

If successfully exploited, these vulnerabilities allow an attacker to execute code remotely on the target system. No user interaction is required, and the attacker gains access to the target system with full user rights, allowing them to perform actions and make changes.

Exploitation of these vulnerabilities can be attempted by an attacker who is able to connect to the RDS service via the network. By sending a specially crafted request, the attacker can attempt to abuse the way in which the RDS service handles incoming RDP requests.

Microsoft considers these vulnerabilities to be ‘wormable’. This means that malware able to exploit them can spread from system to system automatically, without any user interaction.

The following CVE details have been assigned to these vulnerabilities:

CVE-2019-1181; Remote Desktop Services Remote Code Execution Vulnerability
CVSS base score: 9.8 (critical)

CVE-2019-1182; Remote Desktop Services Remote Code Execution Vulnerability
CVSS base score: 9.8 (critical)

Risk

Microsoft has indicated that, at the time of writing, no indications of active exploitation attempts have been observed. The exact details of these vulnerabilities have not yet been disclosed.

Northwave assesses the severity of these vulnerabilities as high, considering the fact that recent versions of Windows are vulnerable. The potential impact is high, although no active exploits are currently known to Northwave. Therefore, we cannot estimate the likelihood of such exploitation attempts.

We recommend verifying if vulnerable versions of Microsoft Windows are present within your organization. The list below contains the versions that are affected by these vulnerabilities:

  • Windows 7
  • Windows 8.1
  • Windows Server 2008 R2
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows Server 2016
  • Windows Server 2019
  • Windows 10 (all versions)

Older versions of the Microsoft Windows operating system, including Windows XP, Windows Server 2003 and Windows Server 2008, are not affected by these vulnerabilities.

Mitigation

Microsoft has released patches for the vulnerable versions of Microsoft Windows. This patch is included in the monthly security rollup of May 2019 and is available for download as a separate security patch. Systems that are running Windows 7 or newer will receive the patch automatically through Windows Update. [1] The affected versions of Windows include versions that are not actively supported anymore. However, Microsoft has released security updates for Windows Server 2003 and Windows XP as well under number KB4500331. [2]

Northwave advises to install the published updates as soon as possible, even when vulnerable systems are not directly connected to the internet.

Besides updating the software, Northwave recommends restricting direct access to Remote Desktop Services as much as possible using a firewall and disabling the RDS service on systems where the function is not used. This reduces the potential attack surface. For systems that require Remote Desktop Services to be enabled, it is strongly recommended, besides updating the software, to enable Network Level Authentication (NLA) [4]. This is a mitigating measure that enforces successful user authentication before a session is established on the target system, so that the pre-authentication code path described above is not reachable by unauthenticated clients.
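The following audit script is an added example, not part of this advisory or of Northwave's tooling. It checks one host for the items above: the Windows version, whether the update is installed, whether RDS is enabled, whether NLA is enforced, which inbound firewall rules expose RDP, and optionally turns NLA on. The KB number is a placeholder to be replaced with the August 2019 update for the host's OS; the registry values and the Win32_TSGeneralSetting WMI class are Microsoft's documented RDS settings. Run it in an elevated PowerShell session.

```powershell
# Added audit script (not Northwave's): report the RDS mitigation state of this host.
param(
    [string]$ExpectedKb = 'KBxxxxxxx',   # placeholder: the August 2019 KB for this OS
    [switch]$EnforceNla                  # when set, enable NLA if it is currently off
)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

# 1. Which Windows is this? The advisory lists Windows 7 / Server 2008 R2 (6.1) and newer
#    as affected; older versions are listed as not affected.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
Write-Host ("OS: {0} (version {1})" -f $os.Caption, $os.Version)

# 2. Is the expected security update present?
$patched = [bool](Get-HotFix -Id $ExpectedKb -ErrorAction SilentlyContinue)
Write-Host ("Update {0} installed: {1}" -f $ExpectedKb, $patched)

# 3. Is Remote Desktop enabled at all? fDenyTSConnections=1 means RDP connections are refused.
$rdpEnabled = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections -eq 0
$svc = Get-Service -Name TermService
Write-Host ("RDP enabled: {0}; TermService state: {1}" -f $rdpEnabled, $svc.Status)

# 4. Is NLA enforced? UserAuthentication=1 requires authentication before a session exists.
$nla = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication).UserAuthentication -eq 1
Write-Host ("NLA enforced: {0}" -f $nla)

# 5. Which inbound firewall rules expose RDP, and from which remote addresses?
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
    Where-Object { $_.Direction -eq 'Inbound' } |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        Write-Host ("  Rule '{0}': Enabled={1} RemoteAddress={2}" -f `
            $_.DisplayName, $_.Enabled, ($addr -join ','))
    }

# Remediation: enable NLA through the WMI method Microsoft documents for this setting.
if ($rdpEnabled -and -not $nla -and $EnforceNla) {
    $ts = Get-WmiObject -Class Win32_TSGeneralSetting -Namespace 'root\cimv2\TerminalServices' `
                        -Filter "TerminalName='RDP-tcp'"
    $null = $ts.SetUserAuthenticationRequired(1)
    Write-Host 'NLA enabled; clients must support CredSSP (NLA) to reconnect.'
}
```

Hosts reporting `RDP enabled: True` with `NLA enforced: False` and an inbound rule whose RemoteAddress is `Any` are the ones to prioritise for patching and firewall restriction.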

If you need additional information you can call us by phone or send us an email.

Phone number: 030-3031244 (during business hours)
E-mail: soc@northwave.nl

Do you have an incident right now? Call our CERT number: 0800-2255 2747

Disclaimer applies, see below.

Sources

[1]: An overview by Microsoft describing the most critical RDS vulnerabilities: https://msrc-blog.microsoft.com/2019/08/13/patch-new-wormable-vulnerabilities-in-remote-desktop-services-cve-2019-1181-1182/

[2]: A list of all vulnerabilities discovered by Microsoft, including analysis of critical vulnerabilities: https://www.thezdi.com/blog/2019/8/13/the-august-2019-security-update-review

[3]: An overview of the available patches for Windows versions that are currently supported can be found on the following pages: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1181 and https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1182

[4]: For more information regarding enabling NLA, please refer to the following Microsoft support page: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732713(v=ws.11)

Disclaimer
Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.