Published on August 14th, 2019
BlueKeep II, III, IV and V – the latest wormable RDP holes in Microsoft Windows
Microsoft, Adobe, and SAP may have just ruined more than a few summer vacation plans, thanks to a massive and critical Patch Tuesday bundle of security fixes this month.
Microsoft still struggling to close RDP coding blunders
Among the 93 CVE-listed flaws patched this month are four particularly serious remote-code execution bugs in Remote Desktop Services that can be exploited by hackers to take control of vulnerable systems with nothing more than a specially crafted RDP packet. No username and password, or other authentication, is required: a miscreant simply has to be on the same network as a box running a vulnerable version of Remote Desktop Services, or reach it via the internet if it is public-facing, and fire a booby-trapped packet at the machine to commandeer it.
The vulnerabilities, each discovered by Microsoft’s in-house security team, are designated CVE-2019-1181, CVE-2019-1182, CVE-2019-1222, and CVE-2019-1226.
Because the flaws do not require user interaction to exploit, they are considered to be wormable: a software nasty could exploit them to infect a machine and then go in search of more computers to hijack, continuing to spread across the network or internet. Thus, patching them should be a top priority for admins.
As the Zero Day Initiative’s Dustin Childs just pointed out, the programming screw-ups were likely found amid a cleanup effort by Microsofties following the discovery and disclosure of the BlueKeep RDP vulnerability in Windows earlier this year. BlueKeep was also a pre-authentication, wormable remote-code execution hole in Redmond’s remote desktop server code.
“Clearly, the folks in Redmond thought similar bugs existed in RDP, and these four patches demonstrate that fact,” Childs noted. “These bugs also receive Microsoft’s highest exploitability ranking, meaning we could likely see multiple RDP exploits circulating in the near future.”
The four flaws are present, at least, in supported versions of Windows 7, Windows 8.1, Windows Server 2008, Windows Server 2012, and Windows 10 including its server editions, we’re told. There are also no mitigations or workarounds, other than to turn off or firewall off RDP services on TCP port 3389, or install the patches.
It is possible to use network-level authentication to thwart exploitation of CVE-2019-1181 and CVE-2019-1182 on Windows 7 and Server 2008.
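The two stop-gaps the article names, requiring Network Level Authentication and keeping TCP port 3389 off the open internet, are quick to audit from an elevated PowerShell session. The script below is an added example, not something from the article or from Microsoft: it reads the standard Terminal Server registry values (fDenyTSConnections, UserAuthentication), lists every enabled inbound firewall allow rule that admits port 3389, and, only when $Apply is set, turns NLA on and narrows RDP to a management subnet. $AllowedSubnet and the rule display name are assumed values to replace with your own.

```powershell
# Added example (not from the article): audit a Windows host for the RDP
# mitigations described above and optionally apply them. Run elevated.
$Apply         = $false          # set to $true to make changes, otherwise report only
$AllowedSubnet = '10.0.0.0/8'    # assumption: replace with your management network

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

# 1. Is Remote Desktop enabled at all? fDenyTSConnections = 1 means RDP is off.
$rdpDisabled = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections `
                -ErrorAction SilentlyContinue).fDenyTSConnections -eq 1

# 2. Is NLA required? UserAuthentication = 1 means the client must authenticate
#    before a Remote Desktop Services session is created.
$nlaRequired = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication `
                -ErrorAction SilentlyContinue).UserAuthentication -eq 1

# 3. Which enabled inbound allow rules currently admit TCP/3389?
$rdpRules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '3389' }

# Report the current state before touching anything.
[pscustomobject]@{
    RdpDisabled  = $rdpDisabled
    NlaRequired  = $nlaRequired
    OpenRdpRules = (($rdpRules | ForEach-Object DisplayName) -join ', ')
}

if ($Apply -and -not $rdpDisabled) {
    if (-not $nlaRequired) {
        # Mitigation: require NLA. Per the article this only blunts
        # CVE-2019-1181/1182 on Windows 7 and Server 2008; it is no substitute
        # for installing the patches.
        Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1
    }
    # Mitigation: replace the existing broad RDP allow rules with one scoped to
    # the management subnet, so 3389 is no longer reachable from everywhere.
    $rdpRules | Disable-NetFirewallRule
    New-NetFirewallRule -DisplayName 'RDP (management subnet only)' `
        -Direction Inbound -Protocol TCP -LocalPort 3389 `
        -RemoteAddress $AllowedSubnet -Action Allow | Out-Null
}
```

Run it once with $Apply left at $false to see the report for a fleet of hosts (for example via Invoke-Command) and identify machines that expose 3389 without NLA; the firewall change only narrows reachability and neither setting removes the need to install the August fixes.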
More from Microsoft
A vulnerability in the Windows DHCP Client (CVE-2019-0736) is similarly considered wormable and should also be among the first fixes administrators test and install.
Another particularly nasty vulnerability addressed this month was CVE-2019-1201, a remote code execution vulnerability in Microsoft Word that could not only be exploited with a document file, but also through a webpage or via the Outlook Preview Pane, making it very difficult to avoid.
As usual, browser-based RCE flaws made up the bulk of this month’s critical fixes. Microsoft patched a total of 16 CVE-listed remote code execution vulnerabilities that could be exploited over the web, either in scripts or fonts embedded in a webpage.
Hyper-V was on the receiving end of fixes for two RCE vulnerabilities (CVE-2019-0720 and CVE-2019-0965) that could allow an attacker on a guest VM to escape and execute commands on the host server.
A late inclusion to the August bundle was the fix for CVE-2019-0965, the Windows elevation of privilege flaw outlined by Project Zero researcher Tavis Ormandy.
Microsoft is also among the vendors to issue patches for the five HTTP/2 vulnerabilities disclosed today by Netflix. For Windows, the flaws are considered denial of service risks, as an exploit would cause the target system to freeze.
Adobe drops 119 CVEs in monster August patch-a-thon
As large as Microsoft’s bundle of fixes was this month, it was topped by Adobe, which managed to tip the scales at 119 CVE-listed vulnerabilities.
Most of those were for Reader and Acrobat, where 76 vulnerabilities were patched. Those bugs included remote code execution and information disclosure flaws, all of which could be exploited via the traditional corrupted PDF file.
Photoshop CC for Windows and macOS saw 34 vulnerabilities addressed this month. Of those, 22 could allow for remote code execution and the remaining 12 were out-of-bounds memory reads.
The remaining patches were for Creative Cloud Desktop (4 flaws) and Experience Manager https://helpx.adobe.com/security/products/experience-manager/apsb19-42.html (one flaw), as well as patches for a DLL hijacking flaw present in Prelude, After Effects, Premiere Pro, and Character Animator.
SAP looks to clean up a baker’s dozen vulnerabilities
Admins running SAP software will want to be sure they get fixes for the 13 CVE-listed flaws remedied by this month’s updates.
The most serious were for a remote code execution flaw in NetWeaver UDDI Server (CVE-2019-0351), code injection vulnerabilities in SAP Commerce Cloud (CVE-2019-0344, CVE-2019-0343), and a server-side request forgery in NetWeaver Application Server for Java (CVE-2019-0345).