Remote Desktop Services Remote Code Execution Vulnerability

 

Recently we have been aware of the Vulnerability in Windows system and  we are keeping a close watch on the recently disclosed Remote Code Execution(RCE) vulnerabilities by Microsoft. The two reported vulnerabilities are also marked ‘wormable’ like the ‘BlueKeep’ vulnerability (CVE-2019-0708), meaning that any future malware could propagate from one vulnerable server to another vulnerable one without user interaction by exploiting these.

As per Microsoft, they discovered these vulnerabilities during the hardening of Remote Desktop Services as part of their continual security strengthening process and that there is no evidence of these vulnerabilities being known to any third party as of now. 

The affected versions of Windows reported by Microsoft are Windows 7 SP1, Windows Server 2008 R2 SP1, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, and all supported versions of Windows 10, including server versions.

 

Technical Overview

CVE-2019-1181/CVE-2019-1182

A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

To exploit this vulnerability, an attacker would need to send a specially crafted request to the target systems Remote Desktop Service via RDP.

The update addresses the vulnerability by correcting how Remote Desktop Services handles connection requests.

 

Mitigation

The security updates issued by Microsoft On August 13, 2019, contains the patch to these vulnerabilities. The update address the flaws by "correcting how Remote Desktop Services handles connection requests." 

As these are wormable vulnerabilities posing high risks, we recommend patching the affected systems as soon as possible. Please do check the updates available for your windows servers and apply the security updates specifically post analyzing their impact on your setup as quickly as possible. You can also download patches specific to your Windows Server OS from Microsoft Security Update Guide

Patches have already been automatically applied for customers with automatic updates enabled on their Windows Servers.

The customers who cannot immediately patch their systems can opt for partial mitigation measure by enabling Network Level Authentication (NLA). With NLA enabled an attacker has to authenticate to Remote Desktop Services with a valid account on to the vulnerable server before the attacker could exploit the vulnerability. Hence unauthenticated attackers are blocked from exploiting this vulnerability. However, affected systems will still remain vulnerable to Remote Code Execution (RCE) exploitation as an attacker with valid credentials can successfully authenticate and exploit the vulnerability.

We at ProHosterz IT Solutions always encourage its customers to pursue the best practices of security to keep their systems updated, protected and patched against recognized vulnerabilities.

Official security advisories
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1182
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1182

If you have any queries regarding the patching/updates on ProHosterz infrastructure, Kindly contact us.

Best regards, 
ProHosterz IT Solutions



Wednesday, August 21, 2019





« Nazad