Microsoft has released patches for two new critical remote code execution (RCE) vulnerabilities in Remote Desktop Services (RDS) that affect all in-support versions of Windows.
The Microsoft Security Response Center (MSRC) urges users to patch the newly disclosed flaws as soon as possible because of the elevated risk that wormable vulnerabilities carry.
The two critical RCE flaws are tracked as CVE-2019-1181 and CVE-2019-1182, and just like “the previously-fixed ‘BlueKeep’ vulnerability (CVE-2019-0708), these two vulnerabilities are also ‘wormable’, meaning that any future malware that exploits these could propagate from vulnerable computer to vulnerable computer without user interaction,” says MSRC Director of Incident Response Simon Pope.
August 2019 Security Update includes fixes for wormable RCE vulnerabilities in Remote Desktop Services (RDS), affecting all in-support versions of Windows. These should be patched quickly. For more information, see https://t.co/VxstoaChTF
— Security Response (@msftsecresponse) August 13, 2019
“The affected versions of Windows are Windows 7 SP1, Windows Server 2008 R2 SP1, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, and all supported versions of Windows 10, including server versions,” Pope adds.
The Remote Desktop Protocol (RDP) itself is not vulnerable; the flaws are in the Remote Desktop Services implementation that handles incoming connections. Windows XP, Windows Server 2003, and Windows Server 2008 are not affected.
According to the advisories Microsoft published for the two issues, an unauthenticated attacker can exploit the vulnerabilities by connecting to the Remote Desktop Service of an unpatched Windows system over RDP and sending specially crafted requests; no user interaction is required.
The security updates issued by Microsoft today address the flaws by “correcting how Remote Desktop Services handles connection requests.”
Microsoft released fixes today that include fixes for wormable RCE vulnerabilities Remote Desktop Services (RDS), affecting all in-support versions of Windows (i.e from Windows 7 through to Windows 10, including server versions). More details here. https://t.co/fxWeKVPape
— Simon Pope (@skjpope) August 13, 2019
“These vulnerabilities were discovered by Microsoft during hardening of Remote Desktop Services as part of our continual focus on strengthening the security of our products. At this time, we have no evidence that these vulnerabilities were known to any third party,” further explained Pope.
As a partial mitigation, users who cannot patch immediately can block the wormable component of the flaws by enabling Network Level Authentication (NLA), since, as Pope notes, “NLA requires authentication before the vulnerability can be triggered.”
“However, affected systems are still vulnerable to Remote Code Execution (RCE) exploitation if the attacker has valid credentials that can be used to successfully authenticate,” concludes Pope.
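The following PowerShell script is an added example, not code from Microsoft or from the article, showing how an administrator would audit a host's RDP exposure and enforce the NLA workaround described above. It reads the documented Terminal Server registry values and the Win32_TSGeneralSetting CIM class; the `-Enforce` switch and the report layout are this example's own choices, and the script assumes it is run elevated on Windows PowerShell 5.1 or later.

```powershell
# Added example (not from Microsoft or the article): audit RDP exposure on the
# local host and, with -Enforce, require Network Level Authentication (NLA)
# as the interim mitigation for CVE-2019-1181 / CVE-2019-1182.
# Assumes an elevated session on Windows PowerShell 5.1+ (CIM cmdlets available).
[CmdletBinding()]
param(
    [switch]$Enforce   # assumption: only change state when this switch is given
)

$tsReg     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcpReg = Join-Path $tsReg 'WinStations\RDP-Tcp'

# fDenyTSConnections = 1 means Remote Desktop is switched off, so the RDS
# listener is not reachable from the network at all.
$rdpDisabled = (Get-ItemProperty -Path $tsReg -Name fDenyTSConnections -ErrorAction Stop).fDenyTSConnections -eq 1

# Win32_TSGeneralSetting (namespace root\CIMV2\TerminalServices) exposes the
# NLA flag for the RDP-Tcp listener and a method to change it.
$listener = Get-CimInstance -Namespace 'root\CIMV2\TerminalServices' `
    -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
$nlaRequired = [bool]$listener.UserAuthenticationRequired

$os = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption

[pscustomobject]@{
    Host        = $env:COMPUTERNAME
    OS          = $os
    RdpEnabled  = -not $rdpDisabled
    NlaRequired = $nlaRequired
} | Format-List

if (-not $rdpDisabled -and -not $nlaRequired) {
    Write-Warning 'RDP listener accepts connections before authentication; the unauthenticated (wormable) path stays open until the August 2019 update is installed.'

    if ($Enforce) {
        # Require NLA for new connections. Clients must support CredSSP
        # (RDP 6.0+ / Windows Vista and later) to connect afterwards.
        Invoke-CimMethod -InputObject $listener -MethodName SetUserAuthenticationRequired `
            -Arguments @{ UserAuthenticationRequired = [uint32]1 } | Out-Null

        # Mirror of the same setting in the registry, handy for configuration audits.
        Set-ItemProperty -Path $rdpTcpReg -Name UserAuthentication -Value 1 -Type DWord

        Write-Host 'NLA is now required. This does not protect against an attacker who holds valid credentials; apply the patch.'
    }
}
```

Run it once without `-Enforce` to get the report, then with `-Enforce` on hosts that must stay reachable before the update can be installed. The closing message repeats the caveat from the advisory: NLA removes only the pre-authentication trigger, not the vulnerability itself.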
BlueKeep was patched three months ago
Microsoft patched a similarly critical RCE vulnerability in Remote Desktop Services, later dubbed BlueKeep and tracked as CVE-2019-0708, on May 14. That flaw likewise allows threat actors to build malware that propagates between Windows devices running vulnerable RDS installations.
Since then, Intezer Labs researchers found a scanner module for discovering BlueKeep-vulnerable Windows computers in a new variant of the Watchbog malware in late July.
Security firm Immunity also announced that a fully working BlueKeep RCE exploit is included in its CANVAS automated pentesting utility as of version 7.23, released on July 23.
Windows users also received four separate warnings to patch their systems against BlueKeep, one from CISA that followed two others issued by Microsoft [1, 2], and one from the U.S. National Security Agency.