Levi, Ray & Shoup, Inc.

Another Patch Tuesday, another critical RDS vulnerability

8/22/2019 by Jordan Shifflett

By Jordan Shifflett

Microsoft's August patch Tuesday revealed more worrisome vulnerabilities for many Windows users.

The patches released on August 13 included 93 CVEs, 29 of which have critical severity. Within the 29 critical are four new vulnerabilities in Remote Desktop Services (RDS) which allow remote code execution (RCE), two of which are wormable (CVE-2019-1181, CVE-2019-1182).

A wormable vulnerability can be used as a method of entry for worms, which are malware that spreads to other vulnerable computers without any human interaction.

These two wormable RDS vulnerabilities are similar to BlueKeep (CVE-2019-0708), a remote desktop services vulnerability for which Microsoft released patches a few months ago. Both BlueKeep and the new RDS vulnerabilities can be exploited without any user authentication, only needing to send specially crafted packets of data to allow for remote code execution.

Worms, or self-propagating malware, typically include a transport mechanism, code that will allow the malware to scan for other computers that are susceptible to a particular vulnerability and then automatically exploit those machines. This is the fear with vulnerabilities such as CVE-2019-1181, CVE-2019-1182 and BlueKeep. These vulnerabilities could be used as a way in for these types of attacks and at least one of these are likely to be quickly weaponized.

Self-propagating exploits could be used to spread another ransomware outbreak such as WannaCry, a worldwide malware epidemic that targeted older windows systems through the EternalBlue exploit.

The vulnerabilities were discovered by Microsoft during hardening of Remote Desktop Services, which likely became a serious focus after BlueKeep. Microsoft stated they have no reason to believe that a third party would have known about these vulnerabilities prior to the release of patches. Vulnerable Windows versions include Windows 7 SP1, Windows Server 2008 R2 SP1, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, Windows Server 2016 and Windows Server 2019.

Windows XP, Windows Server 2003 and Windows Server 2008 are not affected.

CVE-2019-1181 and CVE-2019-1182 are of critical severity and should be remediated as soon as possible. Customers who have automatic updates enabled will automatically be protected by these patches. By default, Remote Desktop Services is disabled on Windows 10 and updates will be applied automatically. This threat is much more likely for enterprises that use RDS for various purposes. This is the fourth critical Remote Desktop Services patch fix Microsoft has had to release this year.

If you have any questions, please use the form below to contact LRS IT Solutions Security Team.

About the author

Jordan Shifflett is an Information Security Specialist with LRS IT Solutions. Jordan recently joined our security team after receiving a Bachelor of Science in Information Assurance and Security from Illinois State University.