Last updated at Tue, 13 Aug 2019 20:47:40 GMT
Deja vu all over again
In a recent blog post we noted that attackers have been working on exploits for the “BlueKeep” RDP vulnerability for months and there has been a consistent, major uptick in opportunistic/malicious scanning for internet-facing RDP systems, including a few campaigns that have been cataloging RDP on every single TCP port.
Today, we’re providing important information on a new set of vulnerabilities in RDP that impact every modern version of Windows.
If you’re short on time, what you really need to know is that all internal and internet-facing systems should be patched as quickly as possible and, if you have not configured Windows event log monitoring of RDP access and authentication attempts, you should consider setting that up as soon as possible as well.
Since the scanning activity we’ve seen has been occurring on nearly every TCP port, you also cannot rely on port obfuscation to save you from an RDP attack.
An overview of the latest Microsoft RDP vulnerabilities
On Tuesday, Aug. 13, Microsoft released patches for four new remote code execution vulnerabilities—dubbed “DejaBlue” by researcher Michael Norris—in the Remote Desktop Services components of Windows desktop and server operating systems:
- CVE-2019-1181
- CVE-2019-1182
- CVE-2019-1222
- CVE-2019-1226
Note that these CVEs differ from the previously patched BlueKeep vulnerability in that they were discovered internally by Microsoft rather than by a third-party researcher, but like BlueKeep they are all remote, wormable weaknesses.
What versions of Windows are impacted?
The fixes for CVE-2019-1181 and CVE-2019-1182 patch a pre-authentication remote code execution weakness in RDP on virtually every modern version of Windows:
- Windows 10 Version 1607
- Windows 10 Version 1703
- Windows 10 Version 1709
- Windows 10 Version 1803
- Windows 10 Version 1809
- Windows 10 Version 1903
- Windows 7
- Windows 8.1
- Windows RT 8.1
- Windows Server 2008 R2
- Windows Server 2012 (incl. Server Core installation)
- Windows Server 2012 R2 (incl. Server Core installation)
- Windows Server 2016 (incl. Server Core installation)
- Windows Server 2019 (incl. Server Core installation)
- Windows Server, version 1803 (Server Core Installation)
However, this can be mitigated by enabling Network Level Authentication (NLA) and by blocking direct access to Remote Desktop Services (which listens on TCP port 3389 by default). Note that affected systems remain vulnerable to remote code execution if the attacker holds valid credentials that can be used to authenticate successfully.
The fixes for CVE-2019-1222 and CVE-2019-1226 patch similar pre-authentication remote code execution weaknesses in RDP on a shorter list of Windows versions:
- Windows 10 Version 1803
- Windows 10 Version 1809
- Windows 10 Version 1903
- Windows Server 2019 (incl. Server Core installation)
- Windows Server, version 1803 (Server Core Installation)
- Windows Server, version 1903 (Server Core installation)
For these latter two, there are no known mitigations except for blocking access to RDP.
Remediation guidance for these RDP flaws
- Enable Network Level Authentication (NLA) on all systems that expose RDP.
- Disable internet-facing RDP, or front-end it with a VPN.
- Set up Windows event logging of authentication and access for all RDP-enabled systems, then monitor those events for anomalous behavior.
- Don’t rely on port obfuscation to save your internet-facing RDP systems from compromise.
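As an added example (not part of the original post), the following PowerShell audits the first, third and fourth items above on a single Windows host: it checks and enables NLA via the RDP-Tcp listener's registry key, reports the configured listener port, and summarizes the last 24 hours of RDP logon successes (Security event 4624, logon type 10) and failures (4625) by source address. The registry path and event IDs are standard Windows values; the 24-hour window and the 10-failure threshold are arbitrary choices for this example, and it must run from an elevated session.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell session.
# Assumptions: standard RDP-Tcp listener registry path and Security-log event IDs;
# the 24-hour window and the 10-failure threshold are arbitrary example values.

$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$rdp    = Get-ItemProperty -Path $rdpKey

# 1. Network Level Authentication: UserAuthentication=1 means NLA is required.
if ($rdp.UserAuthentication -ne 1) {
    Write-Warning "NLA is NOT required (UserAuthentication=$($rdp.UserAuthentication)); enabling it."
    Set-ItemProperty -Path $rdpKey -Name 'UserAuthentication' -Value 1 -Type DWord
} else {
    Write-Output 'NLA is required: OK'
}

# 2. Listener port: a non-default port is inventory information, not a mitigation.
Write-Output ('RDP listener port: {0} (default 3389; scanners probe every port)' -f $rdp.PortNumber)

# 3. Event-log review: successful (4624) and failed (4625) logons in the last 24 h.
#    LogonType 10 = RemoteInteractive, i.e. an RDP session. Failures rejected by
#    NLA are logged as 4625 with a network logon type, so all 4625 events are kept.
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    if ($e.Id -eq 4624 -and $d.LogonType -ne '10') { continue }   # keep only RDP successes
    [pscustomobject]@{
        Time   = $e.TimeCreated
        Result = if ($e.Id -eq 4624) { 'Success' } else { 'Failure' }
        User   = "$($d.TargetDomainName)\$($d.TargetUserName)"
        Source = $d.IpAddress
    }
}

# 4. Summarize by source address and flag noisy sources (a password-guessing indicator).
$rows | Group-Object Source | Sort-Object Count -Descending | ForEach-Object {
    $fail = @($_.Group | Where-Object Result -eq 'Failure').Count
    $flag = if ($fail -ge 10) { '  <-- many failures, investigate' } else { '' }
    '{0,-20} total={1,-4} failures={2}{3}' -f $_.Name, $_.Count, $fail, $flag
}
```

Sources that show a high failure count, or successes from addresses outside your expected administrative ranges, are the events worth triaging first.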
Rapid7 is monitoring the exploit development landscape along with the active exploitation attempts and will provide follow-up reports as events warrant. The next content release for InsightVM will contain authenticated coverage for all four of these new vulnerabilities.