The critical vulnerability CVE-2019-0708 (aka BlueKeep), associated with the operation of Remote Desktop Services (RDS) and RDP, was fixed by Microsoft in May this year. Now Microsoft has fixed two new vulnerabilities that are similar to BlueKeep. With these bugs, attackers can execute arbitrary code without authorization and spread their malware like a worm, as happened, for example, with the well-known WannaCry and NotPetya malware.
Microsoft experts have warned about the danger of BlueKeep twice, and experts from several information security companies, as well as independent researchers, quickly created proof-of-concept exploits for the vulnerability.
The code for these exploits was not made public because of the high risk. Since then, however, a presentation has appeared online that describes in detail how the vulnerability is exploited and how an exploit for it is built, and exploits have already been included in commercial products.
As part of the August “Patch Tuesday” updates, Microsoft experts corrected two new serious flaws in Windows Desktop Services, found by the company’s own specialists.
The new critical vulnerabilities are very similar to BlueKeep and received the identifiers CVE-2019-1181 and CVE-2019-1182. Like the original problem, the new bugs are associated with the operation of Remote Desktop Services (RDS).
“These vulnerabilities were discovered by Microsoft during hardening of Remote Desktop Services as part of our continual focus on strengthening the security of our products. At this time, we have no evidence that these vulnerabilities were known to any third party,” Microsoft reported.
It is reported that Windows 7 SP1, Windows Server 2008 R2 SP1, Windows Server 2012, Windows 8.1, Windows Server 2012 R2 and all supported versions of Windows 10, including the server versions, are vulnerable to the new problems. Only users of Windows XP, Windows Server 2003, and Windows Server 2008 are unaffected.
As with the original BlueKeep issue, Microsoft recommends that users and companies install the patches on their systems as soon as possible to prevent exploitation of the bugs. Risk can be reduced even without installing the patches by enabling Network Level Authentication (NLA), but the developers warn that while this stops the malware from spreading like a worm, it will not prevent remote execution of arbitrary code if the attacker has valid credentials on hand.
It is worth noting that two more similar problems, CVE-2019-1222 and CVE-2019-1226, were also fixed this month. They are also associated with Remote Desktop Services, but they only affect Windows 10 and server versions of the OS.
In total, over 90 different vulnerabilities were fixed in August as part of the “Patch Tuesday” updates, 29 of which are rated as critical. They affect the Microsoft Edge and Internet Explorer browsers, Windows, Outlook, and Office.
Corrections and mitigations
It is important that affected systems are patched as quickly as possible because of the elevated risks associated with wormable vulnerabilities like these.
There is partial mitigation on affected systems that have Network Level Authentication (NLA) enabled. The affected systems are mitigated against ‘wormable’ malware or advanced malware threats that could exploit the vulnerability, as NLA requires authentication before the vulnerability can be triggered. However, affected systems are still vulnerable to Remote Code Execution (RCE) exploitation if the attacker has valid credentials that can be used to successfully authenticate.
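The NLA mitigation above is a registry-backed setting on the RDP listener, so it can be audited and enforced across a fleet before the patches land. The following PowerShell script is an added example, not part of the original article or of Microsoft's guidance: it reports whether Remote Desktop is enabled, whether NLA is required, and which security layer the listener uses, and can switch NLA on. It assumes an elevated session on the host being checked, the default `RDP-Tcp` listener name, and it uses a placeholder KB identifier for the patch check because the article does not give the update numbers.

```powershell
# Added example (not from the original article): audit, and optionally enforce,
# the Network Level Authentication (NLA) mitigation on a Windows host.
# Assumptions: elevated PowerShell on the host being checked; the RDP listener is
# the default 'RDP-Tcp'; $requiredKb below is a placeholder, not a real August 2019 KB id.

param(
    [switch]$Enforce   # when set, turn NLA on if it is currently off
)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

function Get-RdpMitigationState {
    # fDenyTSConnections = 1 means Remote Desktop is disabled entirely
    $rdpDisabled = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    # UserAuthentication = 1 means NLA is required before a session is negotiated
    $nla = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    # SecurityLayer: 0 = legacy RDP security layer, 1 = negotiate, 2 = TLS required
    $secLayer = (Get-ItemProperty -Path $rdpKey -Name SecurityLayer -ErrorAction SilentlyContinue).SecurityLayer

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        RdpEnabled    = ($rdpDisabled -ne 1)
        NlaRequired   = ($nla -eq 1)
        SecurityLayer = $secLayer
    }
}

function Enable-Nla {
    # Use the Terminal Services WMI provider rather than writing the registry directly,
    # so the running listener applies the change without a reboot.
    $setting = Get-CimInstance -Namespace 'root/cimv2/TerminalServices' `
        -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    Invoke-CimMethod -InputObject $setting -MethodName SetUserAuthenticationRequired `
        -Arguments @{ UserAuthenticationRequired = 1 } | Out-Null
}

$state = Get-RdpMitigationState
$state | Format-List

if ($state.RdpEnabled -and -not $state.NlaRequired) {
    Write-Warning 'RDP is reachable without NLA: exposed to unauthenticated exploitation until patched.'
    if ($Enforce) {
        Enable-Nla
        Write-Host 'NLA enabled. This only blocks unauthenticated, worm-style spread; patching is still required.'
    }
}

# Patch check: replace the placeholder with the KB id of the August 2019 update for this OS.
$requiredKb = 'KB-PLACEHOLDER'
if (Get-HotFix -Id $requiredKb -ErrorAction SilentlyContinue) {
    Write-Host "$requiredKb is installed."
} else {
    Write-Warning "$requiredKb not found; the host may still be vulnerable."
}
```

Run it without arguments to audit, or with `-Enforce` to turn NLA on; the WMI method is used for enforcement so the listener picks up the change immediately, while the registry reads make the audit cheap enough to run from an inventory job across many hosts.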