Patch new Windows wormable vulnerabilities in Remote Desktop Services

Discussion in 'General Discussion' started by LDighera, Aug 15, 2019.

  1. LDighera

    LDighera UDOOer

    https://msrc-blog.microsoft.com/201...n-remote-desktop-services-cve-2019-1181-1182/

    Patch new wormable vulnerabilities in Remote Desktop Services (CVE-2019-1181/1182)
    MSRC / By Simon Pope / August 13, 2019 / Patch, RCE, vulnerability, Windows 10, Windows 7, Windows 8.1, Worm


    Today Microsoft released a set of fixes for Remote Desktop Services that include two critical Remote Code Execution (RCE) vulnerabilities, CVE-2019-1181 and CVE-2019-1182. Like the previously-fixed ‘BlueKeep’ vulnerability (CVE-2019-0708), these two vulnerabilities are also ‘wormable’, meaning that any future malware that exploits these could propagate from vulnerable computer to vulnerable computer without user interaction.

    The affected versions of Windows are Windows 7 SP1, Windows Server 2008 R2 SP1, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, and all supported versions of Windows 10, including server versions.

    Windows XP, Windows Server 2003, and Windows Server 2008 are not affected, nor is the Remote Desktop Protocol (RDP) itself affected.

    These vulnerabilities were discovered by Microsoft during hardening of Remote Desktop Services as part of our continual focus on strengthening the security of our products. At this time, we have no evidence that these vulnerabilities were known to any third party.

    It is important that affected systems are patched as quickly as possible because of the elevated risks associated with wormable vulnerabilities like these, and downloads for these can be found in the Microsoft Security Update Guide. Customers who have automatic updates enabled are automatically protected by these fixes. 

    There is partial mitigation on affected systems that have Network Level Authentication (NLA) enabled. The affected systems are mitigated against ‘wormable’ malware or advanced malware threats that could exploit the vulnerability, as NLA requires authentication before the vulnerability can be triggered. However, affected systems are still vulnerable to Remote Code Execution (RCE) exploitation if the attacker has valid credentials that can be used to successfully authenticate.

    Resources
    Links to downloads

    Simon Pope, Director of Incident Response, Microsoft Security Response Center (MSRC)
    ==============================================================================
    https://www.microsoft.com/security/blog/2019/08/08/protect-against-bluekeep/

    August 8, 2019
    Protect against BlueKeep
    • Detection and Response Team (DART)

    Worms are the cause of many cyber headaches. They can easily replicate themselves to spread malicious malware to other computers in your network. As the field responders providing Microsoft enterprise customers with onsite assistance to serious cybersecurity threats, our Detection and Response Team (DART) has seen quite a few worms. If you’ve met the DART Team, then you know your worms are our concern and that’s why we keep an eye out for BlueKeep.

    Protect against BlueKeep
    This summer, the DART team has been preparing for CVE-2019-0708, colloquially known as BlueKeep, and has some advice on how you can protect your network. The BlueKeep vulnerability is “wormable,” meaning it creates the risk of a large-scale outbreak due to its ability to replicate and propagate, similar to Conficker and WannaCry. Conficker has been widely estimated to have impacted 10- to 12-million computer systems worldwide. WannaCry was responsible for approximately $300 million in damages at just one global enterprise.

    To protect against BlueKeep, we strongly recommend you apply the Windows Update, which includes a patch for the vulnerability. If you use Remote Desktop in your environment, it’s very important to apply all the updates. If you have Remote Desktop Protocol (RDP) listening on the internet, we also strongly encourage you to move the RDP listener behind some type of second factor authentication, such as VPN, SSL Tunnel, or RDP gateway.

    You also want to enable Network Level Authentication (NLA), which is a mitigation to prevent unauthenticated access to the RDP tunnel. NLA forces users to authenticate before connecting to remote systems, which dramatically decreases the chance of success for RDP-based worms. The DART team highly recommends you enable NLA regardless of this patch, as it mitigates a whole slew of other attacks against RDP.

    If you’re already aware of the BlueKeep remediation methods, but are thinking about testing it before going live, we recommend that you deploy the patch. It’s important to note that the exploit code is now publicly and widely available to everyone, including malicious actors. By exploiting a vulnerable RDP system, attackers will also have access to all user credentials used on the RDP system.

    Why the urgency?
    Via open source telemetry, we see more than 400,000 endpoints lacking any form of network level authentication, which puts each of these systems potentially at risk from a worm-based weaponization of the BlueKeep vulnerability.

    The timeline between patch release and the appearance of a worm outbreak is difficult to predict and varies from case to case. As always, the DART team is ready for the worst-case scenario. We also want to help our customers be prepared, so we’re sharing a few previous worms and the timeline from patch to attack. Hopefully, this will encourage everyone to patch immediately.


    Learn more
    To learn more about DART, our engagements, and how they are delivered by experienced cybersecurity professionals who devote 100 percent of their time to providing cybersecurity solutions to customers worldwide, please contact your account executive. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

    This document is for informational purposes only and Microsoft makes no warranties, express or implied, in this blog.
    ==============================================================================

    https://kb.parallels.com/en/123661

    How do I enable Network Level Authentication?
    Open gpedit.msc applet.
    1. Navigate to Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Security.
    2. Enable Require use of specific security layer for remote (RDP) connections and select RDP as Security Layer.
    3. Enable Require user authentication for remote connections by using Network Level Authentication policy.
    4. Reboot Terminal server.
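    The articles quoted above recommend two things an administrator can verify from the host itself: that the Remote Desktop Services update is installed, and that NLA is required so unauthenticated clients never reach the vulnerable code path. The following PowerShell script is an added example, not code from the MSRC, DART or Parallels articles. It reads the same listener settings the Group Policy steps above drive (the `RDP-Tcp` listener key and the `Win32_TSGeneralSetting` WMI class, both of which exist on Windows 7 / Server 2008 R2 and later), reports the posture, and can enforce NLA. `$KbNumber` is a placeholder; the quoted posts give no KB id, so substitute the one listed in the Security Update Guide for your OS build.

```powershell
# Added audit/enforcement example for the NLA guidance above; not from the quoted
# Microsoft or Parallels articles. Run in an elevated PowerShell session on the
# RDP host. Assumes the default listener name 'RDP-Tcp'.
# $KbNumber is a placeholder: fill in the KB id from the Security Update Guide.
$KbNumber    = 'KB<placeholder>'
$TsKey       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$ListenerKey = "$TsKey\WinStations\RDP-Tcp"

function Get-RdpSecurityPosture {
    $ts       = Get-ItemProperty -Path $TsKey
    $listener = Get-ItemProperty -Path $ListenerKey
    # SecurityLayer codes as documented for Win32_TSGeneralSetting:
    # 0 = RDP security layer, 1 = Negotiate, 2 = TLS (SSL)
    $layerNames = @{ 0 = 'RDP'; 1 = 'Negotiate'; 2 = 'TLS' }
    $layerCode  = $listener.SecurityLayer
    [pscustomobject]@{
        RdpEnabled     = ($ts.fDenyTSConnections -eq 0)
        NlaRequired    = ($listener.UserAuthentication -eq 1)
        SecurityLayer  = if ($null -eq $layerCode) { 'NotSet' } else { $layerNames[[int]$layerCode] }
        PatchInstalled = [bool](Get-HotFix -Id $KbNumber -ErrorAction SilentlyContinue)
    }
}

function Set-RdpNlaRequired {
    # Same setting the GPO "Require user authentication ... Network Level
    # Authentication" writes; Get-WmiObject is used so this also runs on
    # Windows 7 / Server 2008 R2 (PowerShell 2.0). Applies to new sessions.
    $setting = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
        -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    $null = $setting.SetUserAuthenticationRequired(1)
    (Get-RdpSecurityPosture).NlaRequired   # $true once the change has taken effect
}

$posture = Get-RdpSecurityPosture
$posture | Format-List
if ($posture.RdpEnabled -and -not $posture.NlaRequired) {
    Write-Warning 'RDP is enabled without NLA: unauthenticated clients can reach the vulnerable code path.'
}
if (-not $posture.PatchInstalled) {
    Write-Warning "Update $KbNumber not found; install the Remote Desktop Services fix."
}
```

Run the script as-is to audit; call `Set-RdpNlaRequired` only after confirming every client that must connect supports CredSSP, since NLA rejects older clients that cannot authenticate before the session is created. As the MSRC post notes, NLA is a partial mitigation only: a caller with valid credentials can still reach the flaw, so `PatchInstalled` is the check that matters most.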
    ==============================================================================

    https://social.technet.microsoft.co...-for-remote-desktop-services-connections.aspx

    Configure Network Level Authentication for Remote Desktop Services Connections
    ...
