Microsoft disclosed four remote code execution flaws in Remote Desktop Services that are similar to BlueKeep, as well as other vulnerabilities in RDP.
Microsoft’s Remote Desktop Protocol is proving to be a rich attack surface, with more critical flaws disclosed this week.
In this month’s Patch Tuesday release, Microsoft fixed seven vulnerabilities in RDP and Microsoft’s Remote Desktop Services (RDS), including two wormable remote code execution flaws similar to BlueKeep. While BlueKeep affects only older versions of Windows (Windows 7 and Windows Server 2008/2008 R2, plus the unsupported Windows XP and Server 2003), all seven new vulnerabilities — discovered by Microsoft’s own vulnerability researchers — affect current, supported versions of the operating system, including Windows 7, 8.1 and 10 and Windows Server 2008 R2 through 2019.
The two most serious flaws among the new batch are RDS vulnerabilities CVE-2019-1181 and CVE-2019-1182, referred to collectively as DejaBlue and by some security researchers as BlueKeep II and BlueKeep III. The vulnerabilities affect all supported versions of Windows and can be exploited without any user interaction or authentication. That pre-authentication reachability is what makes them wormable: malware that exploits them on one host can scan for and compromise the next vulnerable host on its own, with no action from users or from the attacker.
“These vulnerabilities were discovered by Microsoft during hardening of Remote Desktop Services as part of our continual focus on strengthening the security of our products,” Simon Pope, the director of incident response at Microsoft Security Response Center, wrote in a blog post. “At this time, we have no evidence that these vulnerabilities were known to any third party.”
Pope stressed that the RDP protocol itself is not affected by these two vulnerabilities; the flaws are in the Remote Desktop Services implementation on the Windows host, but attackers reach them by sending specially crafted requests over an RDP connection.
In addition to patching immediately, Microsoft recommended enabling Network Level Authentication (NLA) on RDS hosts as a partial mitigation for the two wormable flaws. NLA requires a client to authenticate before the vulnerable code can be reached, which blocks unauthenticated, worm-style exploitation; however, an attacker who already holds valid credentials for the system could still trigger the flaws, so NLA is a stopgap rather than a substitute for the update.
However, two other critical RDS vulnerabilities, CVE-2019-1222 and CVE-2019-1226, can’t be mitigated by enabling NLA. These flaws, which allow remote code execution, affect Windows 10 and Windows Server 2019.
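The following PowerShell script is an added example, not code from the article, from Microsoft or from any of the researchers quoted here. It audits a Windows host’s RDP posture in light of the points above: whether RDP is enabled, whether NLA is required (the partial mitigation for CVE-2019-1181/1182), which security layer is negotiated, and when the host last took an update, since NLA does nothing for CVE-2019-1222/1226 and only the August 2019 update closes those. With `-Harden` it enforces NLA and TLS through the standard Win32_TSGeneralSetting WMI class, and with `-ManagementSubnet` it limits the built-in Remote Desktop firewall rules to one source network. It assumes the default listener name `RDP-Tcp`, an elevated session, and a hypothetical management subnet of `10.0.0.0/24`; it reports the last hotfix date rather than checking specific KB numbers, which differ per Windows build.

```powershell
# Added example: RDP posture check and hardening for the August 2019 RDS fixes.
# Assumes: run elevated on the host; default RDP-Tcp listener name.
[CmdletBinding()]
param(
    [switch]$Harden,                    # enforce NLA + TLS instead of only reporting
    [string]$ManagementSubnet = ''      # e.g. '10.0.0.0/24' (hypothetical value, not from the article)
)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = Join-Path $tsKey 'WinStations\RDP-Tcp'

function Get-RdpPosture {
    $ts  = Get-ItemProperty -Path $tsKey
    $rdp = Get-ItemProperty -Path $rdpKey
    # Most recent update with a recorded install date; compare against the
    # 13 August 2019 release to judge whether the RDS fixes are present.
    $lastFix = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1
    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        RdpEnabled    = ($ts.fDenyTSConnections -eq 0)   # 1 = RDP disabled
        NlaRequired   = ($rdp.UserAuthentication -eq 1)  # 1 = Network Level Authentication required
        SecurityLayer = switch ($rdp.SecurityLayer) {    # 0 = legacy RDP, 1 = negotiate, 2 = TLS
            0 { 'RDP (legacy)' } 1 { 'Negotiate' } 2 { 'TLS' } default { "Unknown ($_)" }
        }
        ListenPort    = $rdp.PortNumber
        LastHotFix    = $lastFix.HotFixID
        LastHotFixOn  = $lastFix.InstalledOn
    }
}

function Set-RdpNlaRequired {
    # Win32_TSGeneralSetting exposes the same settings the Remote Desktop
    # properties dialog and the NLA Group Policy write.
    $listener = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
        -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    Invoke-CimMethod -InputObject $listener -MethodName SetUserAuthenticationRequired `
        -Arguments @{ UserAuthenticationRequired = 1 } | Out-Null
    Invoke-CimMethod -InputObject $listener -MethodName SetSecurityLayer `
        -Arguments @{ SecurityLayer = 2 } | Out-Null
}

function Restrict-RdpFirewall([string]$Subnet) {
    # Scope the built-in "Remote Desktop" rules to the management network so
    # random Internet or LAN hosts cannot even reach the listener.
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True |
        Set-NetFirewallRule -RemoteAddress $Subnet
}

$posture = Get-RdpPosture
$posture | Format-List

if ($posture.RdpEnabled -and -not $posture.NlaRequired) {
    Write-Warning 'NLA is off: CVE-2019-1181/1182 are reachable without authentication. Enable NLA and patch.'
}
if ($posture.RdpEnabled -and $posture.LastHotFixOn -lt [datetime]'2019-08-13') {
    Write-Warning 'No update recorded since the August 2019 release; CVE-2019-1222/1226 are NOT mitigated by NLA.'
}

if ($Harden) {
    Set-RdpNlaRequired
    if ($ManagementSubnet) { Restrict-RdpFirewall -Subnet $ManagementSubnet }
    Write-Host 'Hardening applied; re-reading posture:'
    Get-RdpPosture | Format-List
}
```

The same NLA setting is enforceable fleet-wide through Group Policy under Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security ("Require user authentication for remote connections by using Network Level Authentication"). Treat a `NlaRequired = True` result as a reduced attack surface, not as remediation: the patch date check is the one that matters for all four RCE flaws.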
The three remaining RDP vulnerabilities — rated important by Microsoft — are CVE-2019-1223, a denial of service flaw, and CVE-2019-1224 and CVE-2019-1225, information disclosure flaws in the Windows RDP server that can leak memory contents to a remote attacker.
The seven vulnerabilities follow the discovery of other similar threats to Microsoft’s remote desktop technologies. In addition to BlueKeep, Check Point Software Technologies recently found that a previously disclosed RDP flaw — a path traversal in the RDP client’s clipboard redirection, fixed in July as CVE-2019-0887 — could be used for guest-to-host VM escapes in Microsoft’s Hyper-V.
Yaniv Balmas, head of research at Check Point, said his team has taken a closer look at RDP this year in light of both BlueKeep and the Hyper-V connection (Hyper-V Manager’s enhanced session mode is built on RDP, so a flaw in the RDP client also affects the hypervisor console).
“RDP is pretty popular lately,” Balmas said. “It’s one of the most common protocols out there and it’s a fantastic attack surface.”
Marc Light, vice president of data and research at risk management vendor BitSight, agreed and said enterprises should take note of RDP vulnerabilities and patch them immediately. BitSight released new research at Black Hat 2019 that showed the rate of patching for BlueKeep-vulnerable Windows systems has slowed recently, despite repeated warnings from both Microsoft and U.S. government agencies.
Light noted that while several proof-of-concept exploits have been developed by security vendors and researchers in recent months, there has been no evidence of BlueKeep attacks in the wild. But organizations should still be concerned about impending attacks, he said.
“The overall risk from BlueKeep hasn’t changed much with the proof-of-concept exploits,” Light said. “But all it takes is one working exploit to change things.”