August 2019 Patch Tuesday: Microsoft plugs critical wormable RDP holes
It’s that time of the month again: Microsoft, Adobe and Intel have pushed out fixes for a bucketload of security issues in their various software.
Microsoft’s security updates should take precedence, though, as they fix 29 critical vulnerabilities, including four in Remote Desktop Services, two of which – Microsoft warns – are wormable, just like BlueKeep before them.
Microsoft patches
Microsoft has plugged 93 CVEs and has released two advisories – one recommends a new set of safe default configurations for LDAP channel binding and LDAP signing on Active Directory Domain Controllers, the other makes it known that the company has mitigated an elevation of privilege vulnerability in Outlook Web Access, which could have allowed attackers to access a target’s email inbox.
The fixed vulnerabilities of note this time are:
CVE-2019-1181 and CVE-2019-1182 – two unauthenticated RDP remote code execution flaws that require no user interaction and can therefore be exploited widely by worms. They affect Windows 7 SP1, Windows Server 2008 R2 SP1, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, and all supported versions of Windows 10, including server versions.
“These vulnerabilities were discovered by Microsoft during hardening of Remote Desktop Services as part of our continual focus on strengthening the security of our products. At this time, we have no evidence that these vulnerabilities were known to any third party,” Simon Pope, Director of Incident Response, Microsoft Security Response Center (MSRC), noted.
Aside from applying the patches, users and admins can mitigate the danger of exploitation by enabling Network Level Authentication (NLA) on affected systems. With NLA required, the flaws can only be exploited by an attacker who already holds valid credentials and can authenticate to the target.
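The following PowerShell script is an added example and is not part of the article or of any Microsoft guidance; it audits the RDP listener on a list of hosts for the NLA mitigation described above and, with -Enforce, turns NLA on where it is off. It uses the Win32_TerminalServiceSetting and Win32_TSGeneralSetting WMI classes in the root\cimv2\TerminalServices namespace; the default host list is a constructed placeholder, and the script assumes local administrator rights and WMI/DCOM reachability on each target.

```powershell
# Added example (not from the article): audit, and optionally enforce,
# Network Level Authentication on the RDP-Tcp listener of a set of hosts.
# Assumes local administrator rights and WMI (DCOM) access to each host.
[CmdletBinding()]
param(
    # Constructed default; replace with your own inventory.
    [string[]]$ComputerName = @('localhost'),
    # When set, switch the listener to NLA-required on hosts that lack it.
    [switch]$Enforce
)

# Remote queries against the TerminalServices namespace need packet privacy.
$wmi = @{ Namespace = 'root\cimv2\TerminalServices'
          Authentication = 'PacketPrivacy'
          ErrorAction = 'Stop' }

$results = foreach ($c in $ComputerName) {
    try {
        # AllowTSConnections = 0 means the host refuses RDP altogether.
        $ts  = Get-WmiObject @wmi -ComputerName $c -Class Win32_TerminalServiceSetting
        # UserAuthenticationRequired = 1 means NLA is enforced on the listener.
        $gen = Get-WmiObject @wmi -ComputerName $c -Class Win32_TSGeneralSetting `
                   -Filter "TerminalName='RDP-Tcp'"

        $nlaOn = [bool]$gen.UserAuthenticationRequired
        if ($Enforce -and -not $nlaOn) {
            # SetUserAuthenticationRequired(1) makes the listener NLA-only;
            # a ReturnValue of 0 indicates success.
            $rc = $gen.SetUserAuthenticationRequired(1).ReturnValue
            $nlaOn = ($rc -eq 0)
        }

        [pscustomobject]@{
            Computer    = $c
            RdpEnabled  = [bool]$ts.AllowTSConnections
            NlaRequired = $nlaOn
            Error       = $null
        }
    }
    catch {
        [pscustomobject]@{
            Computer    = $c
            RdpEnabled  = $null
            NlaRequired = $null
            Error       = $_.Exception.Message
        }
    }
}

$results | Sort-Object Computer | Format-Table -AutoSize

# Hosts that accept RDP without NLA are the ones the mitigation is aimed at;
# they still need the August 2019 update, NLA only raises the bar.
$results |
    Where-Object { $_.RdpEnabled -and -not $_.NlaRequired } |
    ForEach-Object { Write-Warning "$($_.Computer): RDP enabled without NLA" }
```

Run it read-only first (no -Enforce) to see which hosts expose an RDP listener without NLA, then re-run with -Enforce once you have confirmed that all clients connecting to those hosts support NLA, since older clients that cannot do NLA will be refused after the change. Patching remains the actual fix; NLA only limits exploitation to attackers who already have valid credentials.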
RDP also sports two other similarly critical RCEs (CVE-2019-1222 and CVE-2019-1226), as well as three less critical flaws (CVE-2019-1223, CVE-2019-1224 and CVE-2019-1225) that could lead to DoS and information disclosure. These affect only the newest Windows and Windows Server versions.
CVE-2019-1188 – a LNK remote code execution vulnerability – is similar to the one used by Stuxnet. “An attacker could use this vulnerability to get code execution by having an affected system process a specially crafted .LNK file. This could be done by convincing a user to open a remote share, or – as has been seen in the past – placing the .LNK file on a USB drive and having the user open it. It’s a handy way to exploit an air-gapped system,” says Trend Micro ZDI’s Dustin Childs.
CVE-2019-0736, an RCE affecting the Windows DHCP client, is also theoretically wormable, as it requires neither authentication nor user interaction to be exploited.
There’s also a critical Word flaw: CVE-2019-1201.
“An attacker could exploit this flaw by creating a specially crafted Microsoft Word file and convincing their victim to open the file on a vulnerable system, either by attaching it to a malicious email or hosting it on a malicious website,” Satnam Narang, senior research engineer at Tenable, pointed out.
“Microsoft notes that the Outlook Reading/Preview Pane is an attack vector, meaning the vulnerability could be exploited by merely viewing the email without opening an attachment. Successful exploitation would allow an attacker to perform actions on the system using the same permissions as the current user.”
Finally, CVE-2019-1162 is an old elevation of privilege bug affecting Advanced Local Procedure Call (ALPC). Recently discovered by Google Project Zero researcher Tavis Ormandy, it’s present in all Windows versions since Windows XP and can allow attackers to elevate their privileges on a previously compromised system.
Jimmy Graham, Senior Director of Product Management at Qualys, advises prioritizing Scripting Engine, Browser, Office, Graphics/Font, and LNK patches for workstation-type devices (i.e., any system that is used for email or to access the internet via a browser), including multi-user servers that are used as remote desktops for users.
He also singled out CVE-2019-0720 and CVE-2019-0965, two RCE flaws in Hyper-V and Hyper-V Network Switch, as a patching priority for those systems.
As a side note: users of Symantec or Norton security programs will have to wait a bit for the installation of the offered updates, as those products still do not support SHA-2 code-signing certificates (and Microsoft’s updates are now signed with them).
Adobe’s and Intel’s patches
Following a pretty light July Patch Tuesday, Adobe has dropped fixes for a whopping 119 CVEs in its various products.
The Acrobat and Reader updates fix many important flaws (none critical), but the fixed Photoshop CC flaws are mostly critical, so get patching.
Intel’s updates are available here. Take a look to see if you need any of them.