August 2019 RDP update advisory CVE-2019-1181 CVE-2019-1182

As part of the August 2019 Security Updates, Microsoft released fixes for unauthenticated remote code execution vulnerabilities (CVE-2019-1181 and CVE-2019-1182) in Remote Desktop Services on Windows 7, Windows Server 2008 R2, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016. Attackers might weaponize these vulnerabilities to launch various attacks, including disruptive attacks that cause affected systems to crash.

Customers should prioritize the deployment of critical updates to all affected platforms. If updating immediately isn't an option, consider turning off Remote Desktop Services. Where Remote Desktop Services is required, turn on network-level authentication (NLA) for RDP: with NLA, a client must authenticate before a session is created, so a malicious client machine cannot reach the vulnerable code path on the server without valid credentials.


Key insights

  • Successful exploits of these vulnerabilities could be used to gain remote access to vulnerable systems.
  • Microsoft has not observed, at the time of publication, any attacks exploiting these vulnerabilities in the wild.
  • Customers with Remote Desktop Services enabled and network-level authentication turned off are at higher risk of attack. Machines in this configuration that are exposed to the internet are at the highest risk. Turning on network-level authentication for RDP significantly mitigates the known remote exploitation vectors against servers.
  • Customers evaluating the risks posed by these vulnerabilities should account for potential attacks within their networks. Past malware has used similar vulnerabilities to spread within enterprise environments after gaining a foothold within the network.

Mitigations

Apply these mitigations to reduce the impact of the vulnerabilities.

  • Machines running Windows 7, Windows Server 2008 R2, Windows 8.1, Windows Server 2012 R2, Windows 10, or Windows Server 2016 should apply fixes for CVE-2019-1181 and CVE-2019-1182. These fixes are available as part of the August 2019 Security Updates.
    • Machines running Windows Server 2008 are not vulnerable.
    • Customers that do not have Remote Desktop Services turned on are not exposed to exploits for these vulnerabilities. Remote Desktop Services is off by default on the affected platforms.
  • Enable network level authentication (NLA) for RDP. This mitigates attacks against machines running Remote Desktop Services by raising the requirement for exploitation from unauthenticated access to authenticated access: an attacker must first authenticate successfully before the vulnerable code can be reached.
  • Reduce the risk to internet-facing machines with Remote Desktop Services enabled by placing them behind an authenticated gateway or a firewall.
  • Turn on cloud-delivered protection and automatic sample submission on Windows Defender Antivirus. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.
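The mitigation steps above boil down to three checks per machine: is Remote Desktop turned on at all, is NLA required, and has the August 2019 update landed. The following PowerShell script is an added example (it is not part of the advisory and not Microsoft tooling) that audits those settings from the registry values Windows uses for them and, when run elevated with the hypothetical -EnforceNla switch, turns NLA on. The 13 August 2019 date is the release date of the August 2019 Security Updates; no KB numbers are hard-coded because they differ per platform, so the HotFixID column must be compared against the catalog for the OS in question.

```powershell
# Added example, not from the advisory: audit RDP exposure and optionally enforce NLA.
# Run from an elevated PowerShell prompt on the machine being checked.
[CmdletBinding()]
param(
    [switch]$EnforceNla   # hypothetical switch for this example
)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = Join-Path $tsKey 'WinStations\RDP-Tcp'

# fDenyTSConnections = 1 means Remote Desktop is off (the default on the affected platforms).
$denyTs = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
# UserAuthentication = 1 means a client must complete NLA before a session is created.
$nla    = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication

$rdpEnabled = ($denyTs -eq 0)
$nlaOn      = ($nla -eq 1)

if (-not $rdpEnabled) {
    $exposure = 'Not exposed: Remote Desktop Services is off'
} elseif ($nlaOn) {
    $exposure = 'Reduced: NLA requires authentication before the vulnerable code is reachable'
} else {
    $exposure = 'HIGH: RDP is on without NLA; apply the update or enable NLA'
}

[pscustomobject]@{
    ComputerName = $env:COMPUTERNAME
    RdpEnabled   = $rdpEnabled
    NlaRequired  = $nlaOn
    Exposure     = $exposure
}

if ($EnforceNla -and $rdpEnabled -and -not $nlaOn) {
    # Same setting the System Properties dialog changes; needs administrator rights.
    # Caveat: clients that do not support CredSSP (very old RDP clients) can no longer connect.
    Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1 -Type DWord
    Write-Host 'NLA enabled: new connections must authenticate before a session is created.'
}

# Updates installed on or after the August 2019 release date. Compare HotFixID with the
# August 2019 Security Update catalog for this OS to confirm the fix for CVE-2019-1181/1182.
Get-HotFix |
    Where-Object { $_.InstalledOn -and $_.InstalledOn -ge [datetime]'2019-08-13' } |
    Sort-Object InstalledOn |
    Select-Object HotFixID, Description, InstalledOn
```

Run it without the switch first to see the exposure line for a machine; run it across a fleet (for example through PowerShell remoting) to find the "HIGH" cases, which are the internet-facing hosts the advisory says to prioritize. Enforcing NLA is a configuration change that survives reboots, but it is a mitigation, not a replacement for the update: an authenticated attacker, or one who has already obtained credentials inside the network, can still reach the vulnerable code.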

Detection details

Endpoint detection and response (EDR)

The following alert can indicate threat activity related to exploitation of these vulnerabilities. It is a generic alert that also fires on other suspicious but unrelated network activity; it is not tuned to these vulnerabilities, so treat a hit as a starting point for investigation rather than as confirmation of exploitation.

  • Suspicious number of outbound network connections — this alert flags spikes in the number of outbound connections to the common RDP port (TCP/3389). These connections can indicate port scanning or worm-like behavior that might be abusing these vulnerabilities.

Advanced hunting

The following query finds processes with unexpected connections to the common RDP port (TCP/3389). It filters out common RDP clients, management consoles and scanning tools, and excludes processes running from the usual program and system folders, so that what remains is software in unexpected locations making RDP connections. It also provides contextual information, such as the names and IP addresses of the machines involved in the connections.

You can use it to find processes that might be scanning for possible targets or exhibiting worm-like behavior. The query is written against the schema in use at the time of publication; in the current Microsoft Defender advanced hunting schema the table is DeviceNetworkEvents and the ComputerName, MachineId and EventTime columns are DeviceName, DeviceId and Timestamp.

// Find unusual processes with outbound connections to TCP port 3389
NetworkCommunicationEvents
| where RemotePort == 3389
| where ActionType == "ConnectionSuccess" and Protocol == "Tcp"
// Remove common RDP clients, management consoles and scanners
| where InitiatingProcessFileName !in~
    ("mstsc.exe", "RTSApp.exe", "RTS2App.exe", "RDCMan.exe", "ws_TunnelService.exe",
     "RSSensor.exe", "RemoteDesktopManagerFree.exe", "RemoteDesktopManager.exe",
     "RemoteDesktopManager64.exe", "mRemoteNG.exe", "mRemote.exe", "Terminals.exe",
     "spiceworks-finder.exe", "FSDiscovery.exe", "FSAssessment.exe", "chrome.exe",
     "microsoftedgecp.exe", "LTSVC.exe", "Hyper-RemoteDesktop.exe",
     "RetinaEngine.exe", "Microsoft.Tri.Sensor.exe")
// Remove processes running from the usual program and system folders
    and InitiatingProcessFolderPath !has "program files"
    and InitiatingProcessFolderPath !has "winsxs"
    and InitiatingProcessFolderPath !contains "windows\\sys"
// Ignore loopback connections
| where RemoteIP !in ("127.0.0.1", "::1")
// One row per process image and hash per day; DistinctRemoteIPs is the number of
// different hosts contacted, which is what grows under scanning or worm-like spread
| summarize ComputerNames = make_set(ComputerName),
    ListofMachines = make_set(MachineId),
    ConnectionTimes = make_set(EventTime),
    DistinctRemoteIPs = dcount(RemoteIP)
    by InitiatingProcessFileName, InitiatingProcessSHA1, bin(EventTime, 1d)
