DejaBlue Windows Remote Desktop Services RCE Vulnerabilities

Microsoft has released details of four remote code execution vulnerabilities, collectively referred to as DejaBlue, affecting Remote Desktop Services (RDS, formally Terminal Services) on their Windows and Windows Server operating systems.

Threat ID:: CC-3176
Category:
Threat Severity:: High
Threat Vector:
Published:: 14 August 2019 12:00 AM

Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

Affected platforms

The following platforms are known to be affected:

Microsoft Windows

Microsoft Windows - Versions 7 SP1, 8.1 and 10 (all variants)
Microsoft Windows Server - Versions 2008 R2 SP1, 2012, 2012 R2, 2016 and 2019 (all variants)

Threat details

They claim that an unauthenticated remote user could exploit these vulnerabilities to gain control of affected systems.

The vulnerabilities occur as a result of RDS improperly handling user requests. An attacker could exploit these by sending specifically crafted request to an affected system. If successful, they could then execute arbitrary code on the system.

As these vulnerabilities occur pre-authentication, they can be>wormable' and could be used to create malware that is able to propagate without requiring user interaction.

Please note that Remote Desktop Protocol (RDP), the protocol used by RDS, is itself not impacted by these vulnerabilities.

For further information:

Remediation steps

Type	Step
	Users and administrators are encouraged to review the following Microsoft update advisories and apply the necessary updates: CVE-2019-1181: Remote Desktop Services Remote Code Execution Vulnerability CVE-2019-1182: Remote Desktop Services Remote Code Execution Vulnerability CVE-2019-1222: Remote Desktop Services Remote Code Execution Vulnerability CVE-2019-1226: Remote Desktop Services Remote Code Execution Vulnerability Organisations unable to fully remediate these vulnerabilities are encouraged to use the following additional mitigation guidance: Disabling Remote Desktop Services mitigates this vulnerability. Enabling Network Level Authentication (NLA) on systems running supported editions of Windows 7, Windows Server 2008, and Windows Server 2008 R2 stops unauthenticated attackers from exploiting this vulnerability. If an attacker can authenticate to Remote Desktop Services then an exploit is still possible. Additionally, organisations can consider the following steps to help detect and prevent attacks using RDP: Only allow point-to-point connections from specific IP addresses where feasible. Ensure Transport Layer Security (TLS) is up-to-date. Log and monitor all RDP activity and investigate unusual behaviour. Consider only allowing RDP for authorised virtual private network (VPN) connections. Update 20 Aug 2019 Microsoft have released an update to address several functionality issues with the August 2019 Cumulative Update (which includes the DejaBlue patches). They have stated that this updates supersedes the cumulative update. Organisations experiencing issues applying the cumulative update are encouraged to review KB4512534 and contact their relevant IT suppliers.

Type

Step

Users and administrators are encouraged to review the following Microsoft update advisories and apply the necessary updates:

Organisations unable to fully remediate these vulnerabilities are encouraged to use the following additional mitigation guidance:

Disabling Remote Desktop Services mitigates this vulnerability.
Enabling Network Level Authentication (NLA) on systems running supported editions of Windows 7, Windows Server 2008, and Windows Server 2008 R2 stops unauthenticated attackers from exploiting this vulnerability. If an attacker can authenticate to Remote Desktop Services then an exploit is still possible.

Additionally, organisations can consider the following steps to help detect and prevent attacks using RDP:

Only allow point-to-point connections from specific IP addresses where feasible.
Ensure Transport Layer Security (TLS) is up-to-date.
Log and monitor all RDP activity and investigate unusual behaviour.
Consider only allowing RDP for authorised virtual private network (VPN) connections.

Update 20 Aug 2019

Microsoft have released an update to address several functionality issues with the August 2019 Cumulative Update (which includes the DejaBlue patches). They have stated that this updates supersedes the cumulative update. Organisations experiencing issues applying the cumulative update are encouraged to review KB4512534 and contact their relevant IT suppliers.

CVE Vulnerabilities

Status

CVE-2019-1181

Last edited: 14 February 2020 2:56 pm