4 new vulnerabilities in Remote Desktop Services
On 13 August 2019, 4 new vulnerabilities affecting Remote Desktop Services were disclosed that would allow remote code execution.
The vulnerabilities are listed below:
- CVE-2019-1181 | Remote Desktop Services Remote Code Execution Vulnerability
- CVE-2019-1182 | Remote Desktop Services Remote Code Execution Vulnerability
- CVE-2019-1222 | Remote Desktop Services Remote Code Execution Vulnerability
- CVE-2019-1226 | Remote Desktop Services Remote Code Execution Vulnerability
All of the vulnerabilities are present in Windows Server 2008 R2/2012/2012 R2/2016/1803/2019/1903 and Windows 7/8.1/10, and Microsoft states the following:
“This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
To exploit this vulnerability, an attacker would need to send a specially crafted request to the target systems Remote Desktop Service via RDP.
The update addresses the vulnerability by correcting how Remote Desktop Services handles connection requests.”
On this topic, see also the post Patch new wormable vulnerabilities in Remote Desktop Services (CVE-2019-1181/1182), which indicates that the vulnerabilities CVE-2019-1181 and CVE-2019-1182 are reported to be wormable:
“Today Microsoft released a set of fixes for Remote Desktop Services that include two critical Remote Code Execution (RCE) vulnerabilities, CVE-2019-1181 and CVE-2019-1182. Like the previously-fixed ‘BlueKeep’ vulnerability (CVE-2019-0708), these two vulnerabilities are also ‘wormable’, meaning that any future malware that exploits these could propagate from vulnerable computer to vulnerable computer without user interaction.”
Although enabling Network Level Authentication (NLA) can be a mitigating factor in certain situations, it does not prevent certain types of attack, so all systems affected by these vulnerabilities must be updated as soon as possible:
“There is partial mitigation on affected systems that have Network Level Authentication (NLA) enabled. The affected systems are mitigated against ‘wormable’ malware or advanced malware threats that could exploit the vulnerability, as NLA requires authentication before the vulnerability can be triggered. However, affected systems are still vulnerable to Remote Code Execution (RCE) exploitation if the attacker has valid credentials that can be used to successfully authenticate.”
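To see which side of this partial mitigation a given host falls on, the following added example (not part of the original post or of Microsoft's advisory) reports whether RDP is enabled and whether NLA is required on the local machine. It reads the standard Terminal Server registry values and gives precedence to the Group Policy copy when one is set; the function names and the output fields are chosen here for illustration.

```powershell
# Added example: audit the local RDP / NLA configuration (read-only).
# Group Policy values, when present, override the local Terminal Server settings.
$local  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$local\WinStations\RDP-Tcp"
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Get-EffectiveValue {
    param([string]$Name, [string]$LocalPath)
    # Prefer the policy-enforced value; fall back to the local setting.
    $fromPolicy = Get-RegValue -Path $policy -Name $Name
    if ($null -ne $fromPolicy) {
        [pscustomobject]@{ Value = $fromPolicy; Source = 'GroupPolicy' }
    } else {
        [pscustomobject]@{ Value = (Get-RegValue -Path $LocalPath -Name $Name); Source = 'Local' }
    }
}

$deny = Get-EffectiveValue -Name 'fDenyTSConnections' -LocalPath $local
$nla  = Get-EffectiveValue -Name 'UserAuthentication' -LocalPath $rdpTcp

$rdpEnabled  = ($deny.Value -eq 0)   # 0 = connections allowed
$nlaRequired = ($nla.Value -eq 1)    # 1 = NLA required before a session is created

$assessment = if (-not $rdpEnabled) {
    'RDP not enabled: service not reachable via RDP'
} elseif ($nlaRequired) {
    'RDP enabled, NLA required: partial mitigation only, update still needed'
} else {
    'RDP enabled, NLA not required: pre-authentication exposure, update and enable NLA'
}

[pscustomobject]@{
    ComputerName = $env:COMPUTERNAME
    RdpEnabled   = $rdpEnabled
    RdpSource    = $deny.Source
    NlaRequired  = $nlaRequired
    NlaSource    = $nla.Source
    Assessment   = $assessment
}
```

A missing `fDenyTSConnections` value is reported as RDP not enabled, so confirm such hosts separately before treating them as unexposed.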
In addition to the RDS vulnerabilities, on 13 August Microsoft released updates for a total of 93 vulnerabilities, of which 29 are classified as critical and 64 as important; on this, see the article Microsoft August 2019 Patch Tuesday fixes 93 security bugs.