
Patch time! Microsoft warns of new worm-ready RDP bugs

Microsoft's Patch Tuesday brought some bad news yesterday: more wormable RDP vulnerabilities, this time affecting Windows 10 users.

CVE-2019-1181 and -1182 are critical vulnerabilities in Remote Desktop Services (formerly Windows Terminal) that are wormable – similar to the BlueKeep vulnerability that people have already created exploits for. Wormable means that the exploit could, in theory, be used not only to break into one computer but also to spread itself onwards from there.

These new vulnerabilities, which Microsoft found while it was hardening RDS, can be exploited without user interaction by sending a specially-crafted remote desktop protocol (RDP) message to RDS. Once in, an attacker could install programs, change or delete data, create new accounts with full user rights, and more. CVE-2019-1222 and -1226 also address these flaws.

This batch of RDP vulnerabilities affects more Windows versions than BlueKeep, including: Windows 7 SP1; Windows 8.1; Windows 10; Windows Server 2008 R2 SP1, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016 and Windows Server 2019.

Microsoft said that these vulnerabilities haven’t yet been exploited in the wild, but urged customers to get ahead of the game by patching quickly:

It is important that affected systems are patched as quickly as possible because of the elevated risks associated with wormable vulnerabilities like these, and downloads for these can be found in the Microsoft Security Update Guide.

Computers with network level authentication (NLA) are partly protected, because crooks would need to authenticate before making a request, meaning that an attack couldn’t spread without human interaction on NLA-enabled systems.
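A defender's check for the NLA mitigation described above, added here as an example that is not from the article: it reads the standard RDP-Tcp listener registry values, enforces NLA when RDP is enabled without it, and checks for the fix. The KB number is a placeholder, because the article links to the advisory rather than naming a KB.

```powershell
# Added example (not from the article): audit whether Network Level Authentication
# is required for RDP on the local host and enforce it if not.
# UserAuthentication is the real registry value: 1 = NLA required, 0 = not required.
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

function Get-RdpNlaStatus {
    $nla = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication).UserAuthentication
    $deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        RdpEnabled   = ($deny -eq 0)
        NlaRequired  = ($nla -eq 1)
    }
}

function Set-RdpNlaRequired {
    # Weak setting: UserAuthentication = 0 lets an unauthenticated client reach the
    # pre-auth RDP code path the article describes as wormable. Corrected value: 1.
    # Needs administrator rights; existing sessions are not affected.
    Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1 -Type DWord
}

$status = Get-RdpNlaStatus
$status | Format-List
if ($status.RdpEnabled -and -not $status.NlaRequired) {
    Write-Warning 'RDP is reachable without NLA; enforcing NLA.'
    Set-RdpNlaRequired
}

# Patch check. KB<placeholder> stands in for the update listed for this host's
# OS in the Microsoft Security Update Guide (the article does not name a KB).
$kb = 'KB<placeholder>'
if (-not (Get-HotFix -Id $kb -ErrorAction SilentlyContinue)) {
    Write-Warning "$kb is not installed; NLA only reduces exposure, it does not replace the patch."
}
```

Run it under an elevated PowerShell session; for fleet-wide auditing wrap `Get-RdpNlaStatus` in `Invoke-Command -ComputerName` against your server list.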

Microsoft also fixed several other critical bugs in this Patch Tuesday, including a remote code execution (RCE) vulnerability in Internet Explorer’s scripting engine (CVE-2019-1133 and -1194). Attackers can exploit the bug via a specially crafted website or by sending a malicious ActiveX control marked “Safe for initialization” to any MS Office program that uses the Internet Explorer rendering engine.

Edge users didn’t get away scot-free either. There’s a similar bug (CVE-2019-1131, -1139 to -1141, and CVE-2019-1195 to -1197) in that product’s Chakra Scripting Engine. It allows for remote code execution in the current user context, and it’s exploitable via malicious websites.

Microsoft fixed a critical RCE bug in its Hyper-V hypervisor (CVE-2019-0720), which stems from poor input validation in the Hyper-V Network Switch and could be exploited by a malicious application running in the guest OS. There are also some related denial-of-service (DoS) bugs patched in Hyper-V.

CVE-2019-0736, -0965, and -1213 are RCE bugs in the Windows DHCP server that an attacker can exploit by sending malicious DHCP responses to a client, while CVE-2019-1188 is a flaw in the way that Windows processes files with a .LNK extension. LNK files point to executable files, but improper processing enables remote code execution. Attackers could exploit this bug via removable drives or remote shares.

Flaws in the way that Windows processes fonts (CVE-2019-1145, and -1149 to -1152) allow an attacker embedding maliciously crafted fonts in a website or file to execute code remotely on the system.

There were also some bugs in Microsoft Office. A flaw (CVE-2019-1199 and -1200) in the way that Outlook handles objects in memory means that an attacker could execute code remotely using a malicious file delivered via email or a website. Outlook’s preview pane is an attack vector there, as it is for a bug in Microsoft Word (CVE-2019-1201 and -1205) that allows for remote code execution from maliciously-crafted Word documents.

The final critical bug in the bunch was CVE-2019-1183, which is a flaw in the Windows VBScript Engine that allows malicious websites or ActiveX objects to trigger remote code execution on the target system. However, Microsoft is in the process of getting rid of browser-based VBScript and has now turned it off by default in Internet Explorer 11 in this round of updates.

8 Comments

Nice document, but you don’t tell us the KB that fixes the issue?

There are links throughout the article – the RDP-specific advisory is linked to above, but for completeness, here it is again:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1182

I have seen two BlueKeep-like attacks. Windows 2003 Server attacked on RDP 3389. They used RDP TCP 3389 but not to Remote Desktop or Terminal Server to the console. They used it to directly place code on the server and execute it. It was difficult to control in the situation I had, but I used inoculation methods to stop it and prevent future attacks combined with wimpy firewall rules to restrict 3389 access. The second attack was on Server 2012 VMs.
– cyanohydrax

It is not clear from the article whether Windows Server 2012 is affected or not.

We do give a list of affected systems for the headline patch, namely the RDP one:

“Unlike BlueKeep, these new RDP vulnerabilities affect Windows 10, including server versions, as well as Windows 7 SP1, Windows Server 2008 R2 SP1, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.”

So, yes, Server 2012 is affected.

For the numerous other bugs, please consult the Microsoft Security Guide (there is a link above to help you get started).

I am sorry, Windows Server 2012 R2 was clearly mentioned in your article. I meant whether Server 2016 is affected or not. I looked at the Microsoft catalog and it appears that Windows Server 2016 is also impacted.
Thank you for taking time to clarify.

Good point – I reworded that part of the article to make it clear that our list is not exhaustive, and to mention Server 2016 and Server 2019 explicitly as well as 2012.

Thanks for the feedback.

So what does one do if this vulnerability was exploited? Part of the exploitation I have experienced is that it prevents updates/patches. Security Accra’s has been altered and this I cannot even log in as an administrator for PS to make any significant changes.
Arggghhh….
