Microsoft RDS Remote Code Execution Vulnerabilities (CVE-2019-1181/1182) Threat Alert

September 10, 2019 | Mina Hao
  1. Vulnerability Overview

On August 14, 2019 (Beijing time), Microsoft released security updates for a series of vulnerabilities in Remote Desktop Services (RDS, the service behind the Remote Desktop Protocol), including two critical remote code execution (RCE) vulnerabilities, CVE-2019-1181 and CVE-2019-1182. Like the BlueKeep vulnerability (CVE-2019-0708) patched in May 2019, both are wormable: an unauthenticated attacker who can reach the RDP listener and send specially crafted requests could execute arbitrary code on the target without any user interaction, so malware exploiting them could spread from one vulnerable host to the next on its own.

The security updates address these vulnerabilities by correcting how Remote Desktop Services handles connection requests. Users are advised to install the appropriate patches as soon as possible.

References:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1182

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1181

  2. Scope of Impact

Affected Versions

  • Windows 7 SP1 (only when the RDP 8.0 or RDP 8.1 update is installed)
  • Windows 8.1
  • Windows Server 2008 R2 SP1 (only when the RDP 8.0 or RDP 8.1 update is installed)
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows 10, all supported versions, including the corresponding Windows Server releases

Note: On Windows 7 SP1 and Windows Server 2008 R2 SP1 the RDP 7.x stack that ships with the OS is not affected; these systems become vulnerable only once the optional RDP 8.0 or RDP 8.1 update has been installed.

Unaffected Versions

  • Windows Server 2003
  • Windows Server 2008
  • Windows XP

  3. Mitigation

    • Official Patches

Microsoft has released security updates for all affected products to fix these vulnerabilities. Users are advised to download and install them as soon as possible. There are three ways to obtain and install the patches: an intranet WSUS server, the Microsoft Update service on Microsoft's official website, and offline installation.

Note: To start a Windows Update detection cycle immediately on Windows 7, Windows 8.1, Windows Server 2008 R2 and Windows Server 2012/2012 R2, run wuauclt.exe /detectnow at a command prompt. On Windows 10 the wuauclt switches are no longer honoured; use Settings > Update & Security > Windows Update > Check for updates, or from an elevated PowerShell prompt run (New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow(), which works on all of the versions above.

Method 1: intranet WSUS

Applicability: This method applies to computers joined to an Active Directory domain that has a WSUS server, or to any computer that can reach the intranet WSUS service.

Such computers download approved security patches automatically on their regular schedule and prompt the user to install them. Users only need to install the patches when prompted.

Restart the computer as soon as the installation completes; the patch does not take effect until the RDS components are reloaded.

Method 2: Microsoft Update service available on Microsoft’s official website

Applicability: This method applies to computers that can connect to the Internet but cannot reach an intranet WSUS service: either WSUS has never been configured on them, or it is configured but the computer is currently off the intranet.

If the computer is not configured for WSUS, make sure Windows Update (automatic updates) is enabled, then install the patches and restart as prompted.

If the computer is configured for WSUS but is not connected to the intranet, choose Start > All Programs > Windows Update, click Check online for updates from Microsoft Update, and follow the prompts.

Method 3: offline installation

Open the advisory page for each CVE below, follow the link for the affected product to the Microsoft Update Catalog, download the update package that matches the OS version and architecture, then run the package and restart the computer:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1182

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1181
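Whichever of the three methods is used, the question that matters afterwards is whether the fix actually landed on the host. The following PowerShell script is an added example, not part of the NSFOCUS advisory and not Microsoft code: it asks the local Windows Update Agent, through the documented WUA COM API (Microsoft.Update.Session), for every update that references CVE-2019-1181 or CVE-2019-1182 and reports whether each one is installed. It queries whichever source the agent is configured for (WSUS or Microsoft Update) and assumes that source is reachable; the exit codes are this example's own convention.

```powershell
# Added example, not code from the NSFOCUS advisory: report the install state of
# every update the Windows Update Agent associates with the two RDS CVEs.
# Run in an elevated PowerShell prompt; works on Windows 7 SP1 and later.
$cves = 'CVE-2019-1181', 'CVE-2019-1182'

$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()
# The agent searches its configured source (WSUS if configured, else Microsoft Update).
# Uncomment to force an online query against Microsoft Update regardless of WSUS policy:
# $searcher.ServerSelection = 2   # ssWindowsUpdate

# Ask for both installed and not-yet-installed updates applicable to this machine.
$result = $searcher.Search('IsInstalled=0 or IsInstalled=1')

$hits = @()
foreach ($u in $result.Updates) {
    # CveIDs lists the CVEs Microsoft tags the update with; keep only our two.
    $matched = @($u.CveIDs | Where-Object { $cves -contains $_ })
    if ($matched.Count -eq 0) { continue }
    $hits += New-Object PSObject -Property @{
        Title     = $u.Title
        KB        = (@($u.KBArticleIDs | ForEach-Object { 'KB' + $_ }) -join ', ')
        CVEs      = ($matched -join ', ')
        Installed = [bool]$u.IsInstalled
    }
}

if ($hits.Count -eq 0) {
    Write-Host 'The agent offered no update that references these CVEs.'
    Write-Host 'That is not proof of safety: on Windows 10 a later cumulative update may'
    Write-Host 'have superseded the August 2019 fix, and an unreachable WSUS returns nothing.'
    exit 1
}

$hits | Format-Table Title, KB, CVEs, Installed -AutoSize
$pending = @($hits | Where-Object { -not $_.Installed })
if ($pending.Count -gt 0) {
    Write-Host ("{0} RDS fix(es) still pending; install and reboot." -f $pending.Count)
    exit 2
}
Write-Host 'All updates referencing CVE-2019-1181/1182 are installed.'
exit 0
```

An empty result must be read with the caveat printed by the script: the agent only reports updates that are still applicable, so on Windows 10 a later cumulative update can hide the August 2019 fix, and a WSUS server that is unreachable or has not approved the update reports nothing at all. In those cases confirm the installed OS build against Microsoft's update history instead of treating silence as "patched".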

  • Workarounds

If the patches cannot be installed for the time being, the following temporary measures reduce exposure until they are:

  • If Remote Desktop is not needed on the host, disable it.
  • Block inbound connections to the RDP TCP port at the host firewall (3389 by default; check the configured PortNumber for the RDP-Tcp listener, since a relocated listener is still vulnerable) and at the network perimeter.
  • Enable Network Level Authentication (NLA). This matters mainly for Windows 7 SP1 and Windows Server 2008 R2 SP1, where NLA is not required by default; Windows 8.1, Windows Server 2012 and later already require it by default. NLA is a partial mitigation only: it stops unauthenticated, wormable exploitation, but an attacker who holds valid credentials for the host can still authenticate and reach the vulnerable code.
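The workarounds above are easy to get wrong in practice: a firewall rule on 3389 misses an RDP listener that was moved to another port, and NLA helps only against unauthenticated exploitation. The following PowerShell script is an added example (not from the NSFOCUS advisory and not Microsoft code) that reports a host's exposure and, only when asked with -EnableNla or -BlockRdp, applies the two workarounds. Its assumptions, also labelled in the comments: the RDP 8.0 and RDP 8.1 updates for Windows 7 SP1 / Server 2008 R2 SP1 are identified by KB2592687 and KB2830477 (verify against the Microsoft advisory); the RDP listener is the default RDP-Tcp instance; the script runs as an administrator.

```powershell
# Added example, not code from the NSFOCUS advisory. Report RDP exposure to
# CVE-2019-1181/1182 and optionally apply the interim workarounds.
# Usage: .\Check-RdsExposure.ps1             (report only)
#        .\Check-RdsExposure.ps1 -EnableNla  (require NLA on RDP-Tcp)
#        .\Check-RdsExposure.ps1 -BlockRdp   (host-firewall rule on the RDP port)
param([switch]$EnableNla, [switch]$BlockRdp)
$ErrorActionPreference = 'Stop'

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$tsKey\WinStations\RDP-Tcp"   # assumption: the default listener instance

$os      = Get-WmiObject -Class Win32_OperatingSystem
$osVer   = [version]$os.Version
$rdpOn   = (Get-ItemProperty -Path $tsKey  -Name fDenyTSConnections).fDenyTSConnections -eq 0
$nlaOn   = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication).UserAuthentication -eq 1
$rdpPort = (Get-ItemProperty -Path $rdpTcp -Name PortNumber).PortNumber

# Windows 7 SP1 / Server 2008 R2 SP1 report version 6.1 and are affected only
# with the RDP 8.0/8.1 update installed. The KB IDs are an assumption; verify
# them against the Microsoft advisory before trusting a "not affected" verdict.
$rdp8Kbs = 'KB2592687', 'KB2830477'
$rdp8    = @(Get-HotFix | Where-Object { $rdp8Kbs -contains $_.HotFixID })

if ($osVer -lt [version]'6.1') {
    $affected = $false                      # XP, Server 2003, Server 2008: not affected
} elseif ($osVer.Major -eq 6 -and $osVer.Minor -eq 1) {
    $affected = ($rdp8.Count -gt 0)         # Windows 7 SP1 / 2008 R2 SP1 with RDP 8.x
} else {
    $affected = $true                       # 8.1, 2012, 2012 R2, 10 and its server releases
}

Write-Host ("OS: {0} (version {1})" -f $os.Caption, $osVer)
Write-Host ("RDP enabled: {0}   NLA required: {1}   RDP port: {2}" -f $rdpOn, $nlaOn, $rdpPort)
Write-Host ("In affected version range: {0}" -f $affected)
if ($affected -and $rdpOn -and -not $nlaOn) {
    Write-Host 'EXPOSED: unauthenticated RDP reachable on an affected OS; patch or apply a workaround.'
}

if ($EnableNla -and -not $nlaOn) {
    # Workaround: require NLA. Blocks the pre-auth (wormable) path only; an
    # attacker holding valid credentials can still reach the vulnerable code.
    Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1 -Type DWord
    Write-Host 'NLA now required on RDP-Tcp; applies to new connections.'
}

if ($BlockRdp) {
    # Workaround: block the listener on the port it actually uses (PortNumber),
    # not blindly 3389. netsh is used because New-NetFirewallRule is absent on Windows 7.
    $rule = 'Block RDP inbound (CVE-2019-1181/1182 workaround)'
    netsh advfirewall firewall add rule name="$rule" dir=in action=block protocol=TCP localport=$rdpPort | Out-Null
    Write-Host ("Inbound TCP/{0} blocked by rule '{1}'; delete the rule after patching." -f $rdpPort, $rule)
}
```

Run it without switches first and read the report; -BlockRdp executed over an RDP session disconnects that session, so apply it from a console, out-of-band management channel, or configuration-management push. The host rule is a stopgap for the machine itself; the same port should still be filtered at the network edge, and both the rule and the NLA change should be recorded so they can be reviewed once the patch is installed.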

Statement

This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.

About NSFOCUS

NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks. The company’s Intelligent Hybrid Security strategy utilizes both cloud and on-premises security platforms, built on a foundation of real-time global threat intelligence, to provide multi-layered, unified and dynamic protection against advanced cyber attacks.

NSFOCUS works with Fortune Global 500 companies, including four of the world’s five largest financial institutions, organizations in insurance, retail, healthcare, critical infrastructure industries as well as government agencies. NSFOCUS has technology and channel partners in more than 60 countries, is a member of both the Microsoft Active Protections Program (MAPP), and the Cloud Security Alliance (CSA).

A wholly owned subsidiary of NSFOCUS Information Technology Co. Ltd., the company has operations in the Americas, Europe, the Middle East and Asia Pacific.