Front Page: NCSC-FI

Vulnerabilities in Microsoft Remote Desktop app exploited in data breaches

Alert 2/2019

Several critical vulnerabilities have been discovered in Remote Desktop Services (RDS, Remote Desktop app) in the Microsoft Windows operating system. These 'wormable' vulnerabilities can be exploited by malware to propagate itself from one vulnerable computer to another automatically. The NCSC-FI has received reports about these vulnerabilities being exploited both in Finland and abroad. There are software updates addressing the vulnerabilities and it is critical to install these updates immediately.

Microsoft has released a set of security updates for RDS. The first software update was already released in May in connection with operating system updates. At that time, the vulnerability patched in RDS was called BlueKeep. Two new critical vulnerabilities in RDS were patched in connection with Microsoft security updates in August.

When preparing this alert (14 August 2019), there were around 4,500 vulnerable systems open to the internet in Finland. Scanning in preparation for actual vulnerability exploits had increased considerably.

An easy-to-use Metasploit module for penetration testing of systems vulnerable to BlueKeep was published on September 6th, 2019. It is expected that the number of exploit attempts will rise considerably.

    Target group of the alert

    • Windows server administrators
    • Organisations using RDS

    Possible solutions and restrictive measures

    • Install software updates
    • Disable RDS
    • Enable Network Level Authentication (NLA)
    • Allow connections from certain sources only
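A read-only check of the three configuration measures above on a single Windows host, added here as an example and not part of the original alert or of any NCSC-FI or Microsoft tooling. It assumes an elevated PowerShell session and, for the firewall part, the NetSecurity module (Windows 8 / Server 2012 or later); the helper names `Get-RegValue` and `Get-Effective` are made up for this example. Installed updates are not checked because the alert lists no update identifiers.

```powershell
# Added example: audit RDS exposure on the local host. Changes nothing.
$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcp = "$ts\WinStations\RDP-Tcp"
$pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or the value does not exist.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Get-Effective([string]$Name, [string]$LocalPath) {
    # A value set through Group Policy takes precedence over the local one.
    $p = Get-RegValue $pol $Name
    if ($null -ne $p) { $p } else { Get-RegValue $LocalPath $Name }
}

# fDenyTSConnections = 0 means Remote Desktop connections are accepted.
$rdpEnabled  = (Get-Effective 'fDenyTSConnections' $ts) -eq 0
# UserAuthentication = 1 means Network Level Authentication is required.
$nlaRequired = (Get-Effective 'UserAuthentication' $tcp) -eq 1

# Enabled inbound allow rules of the built-in "Remote Desktop" group that
# accept any remote address. Custom rules outside this group and perimeter
# firewalls are not covered by this check.
$openRules = @()
if (Get-Command Get-NetFirewallRule -ErrorAction SilentlyContinue) {
    $openRules = @(Get-NetFirewallRule -Group '@FirewallAPI.dll,-28752' -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
        Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any' })
}

[pscustomobject]@{
    Computer                  = $env:COMPUTERNAME
    RdpEnabled                = $rdpEnabled
    NlaRequired               = $nlaRequired
    RdpPort                   = Get-RegValue $tcp 'PortNumber'
    UnrestrictedFirewallRules = ($openRules.DisplayName -join '; ')
}

if ($rdpEnabled -and -not $nlaRequired) {
    Write-Warning 'RDS is enabled without Network Level Authentication.'
}
if ($rdpEnabled -and $openRules.Count -gt 0) {
    Write-Warning 'RDS is enabled and the firewall allows connections from any source.'
}
```

A host that reports `RdpEnabled = False` has the "Disable RDS" measure in place; the other two fields only matter when RDS must stay enabled.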

    More Information

    Update history

    Added information about available Metasploit module.

    Alert was discontinued on 8 Oct 2019.