BLUEKEEP II, III, IV AND V REMOTE DESKTOP SERVICES AND DHCP ‘WORMABLE’ VULNERABILITIES
Executive Summary: Microsoft have discovered 4 new remote code execution vulnerabilities in their Remote Desktop Services, similar to the recently patched ‘BlueKeep’ RDP vulnerability, affecting a number of Windows versions (see Affected Products for more information)[1-4]. The original BlueKeep vulnerability was reported by ITC in a previous Threat Horizon: https://itcsecure.com/remote-desktop-services-wormable-vulnerability/
The security flaws, CVE-2019-1181, CVE-2019-1182, CVE-2019-1222, and CVE-2019-1226, allow attackers to take control of any vulnerable Windows system using a specially crafted malicious RDP packet. The vulnerabilities do not require authentication for exploitation, all that is required is the attacker to be on the same network as a machine running a vulnerable version of Remote Desktop Services. If the device is public-facing then it can be exploited over the internet with a malicious packet.
As these RDP vulnerabilities do not require user interaction or authentication for exploitation they can easily propagate between devices, achieving remote code execution, and are thus deemed to be ‘wormable’. This means that an attacker, or an automated worm, can laterally move between devices on the same network exploiting the same vulnerability. It is therefore important that administrators patch affected devices as soon as possible.
Microsoft have stated that they have no evidence of any of these vulnerabilities being exploited in the wild .
Microsoft have additionally discovered a vulnerability in the Windows DHCP Client (CVE-2019-0736), occurring when an attacker sends specifically designed malicious DHCP responses to a client . An attacker who successfully exploits the vulnerability would be able to run arbitrary code on the client machine, giving them full access to that machine. Again, this vulnerability does not require authentication or user interaction, and is consequently considered wormable.
Detect: Any affected operating systems which have not already been updated will be affected by this vulnerability.
ITC customers who are subscribed to the ITC VI service can request a scan to identify affected operating systems.
Affected Products: The following operating systems are susceptible to this vulnerability:
- Windows 7 SP1
- Windows Server 2012
- Windows Server 2012 R2
- Windows Server 2008 R2 SP1
- Windows 8.1
- Windows Server 2016
- All supported versions of Windows 10, including server versions.
Prevent: Microsoft have released security updates for all affected products. Downloads for supported operating systems, Windows 7, Windows Server 2008 and Windows Server 2008 R2, can be found in the Microsoft Security Update Guide.
Windows 7 SP1 and Windows Server 2008 R2 SP1 are only vulnerable to the RDP vulnerabilities if versions RDP 8.0 or RDP 8.1 are installed on the device. If your Windows 7 SP1 and Windows Server 2008 R2 SP1 devices have neither version of RDP installed on them then you are not affected by this vulnerability.
The issue can be mitigated by disabling Remote Desktop Services where they are not required. It is also possible to implement workarounds by enabling NLA on systems running supported editions of Windows 7, Windows Server 2008, and Windows Server 2008 R2. Another workaround is done by blocking TCP port 3389 at the enterprise perimeter firewall. However, if an attacker has valid user credentials then they can pass NLA and achieve exploitation. It is advised to implement the relevant updates to affected systems as soon as possible instead of trying to implement workarounds, due to the serious consequences possible from any malware which exploits these issues.
Blocking Remote Desktop Protocol (RDP) access at the firewall as a remediation will not prevent the spread of infection. Blocking inbound RDP on the firewall unless absolutely necessary is the recommended best security practice regardless of this vulnerability, but ensuring that this is the case will safeguard against any devices being exploited externally if this does become exploited in the wild.
React: The appropriate security updates should be applied to all affected systems immediately.