Update Aug 13, 2019: Detect and Patch Windows Remote Desktop Vulnerabilities
This month’s Microsoft Patch Tuesday addresses 93 vulnerabilities with 29 of them labeled as Critical. Of the 29 Critical vulns, 10 are for scripting engines and browsers, 6 for Windows Graphics/Font Library, and 4 are for Office apps. In addition, Microsoft has patched 4 (!) Critical RCEs in Remote Desktop (plus 3 Important), 2 for Hyper-V, 2 in DHCP Client/Server, and one for LNK files. Adobe has also released a large number of patches covering multiple products.
Scripting Engine, Browser, Office, Graphics/Font, and LNK patches should be prioritized for workstation-type devices, meaning any system that is used for email or to access the internet via a browser. This includes multi-user servers that are used as remote desktops for users.
Remote Desktop Services (Seven Monkeys)
Microsoft has patched four different Critical vulnerabilities in Remote Desktop Services: CVE-2019-1181, CVE-2019-1182, CVE-2019-1222, CVE-2019-1226. All of them can be exploited without authentication or user interaction. According to Microsoft, at least two of these (CVE-2019-1181 and CVE-2019-1182) are "wormable", meaning malware that exploits them could spread from one vulnerable host to the next with no user involvement, and Microsoft compares them to BlueKeep (CVE-2019-0708). It is highly likely that at least one of these vulnerabilities will be quickly weaponized, and patching should be prioritized for all Windows systems.
Microsoft lists enabling Network Level Authentication (NLA) as a workaround for the two "wormable" vulnerabilities. NLA requires the client to authenticate before a session is created, so an unauthenticated attacker cannot reach the vulnerable code; a system is still vulnerable to an attacker who has valid credentials, so NLA is a stop-gap, not a substitute for the patch. No workaround is listed for the other two vulnerabilities. This could be updated at a later date, as Microsoft also does not list disabling RDP or blocking TCP port 3389 as mitigations or workarounds, although both remain valid for systems that do not need Remote Desktop. Also, for the two "wormable" vulns, Microsoft notes that Windows 7 SP1 and Windows Server 2008 R2 SP1 are only vulnerable if RDP 8.0 or 8.1 is installed.
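The checks described above, as an added example that is not code from the original post: a PowerShell script that reports whether a host has an RDP listener, whether NLA is required, whether the August 2019 update is present and, on Windows 7 SP1 / Server 2008 R2 SP1, whether RDP 8.0/8.1 is installed, and that applies the NLA and port-block workarounds only when run with -Remediate. The KB number in $RequiredKBs and the KB numbers used to detect RDP 8.0/8.1 (KB2592687, KB2830477) are assumptions to verify against the Microsoft Security Update Guide; the post lists no KB numbers.

```powershell
<#
  Added example, not code from the original post: report a host's exposure to the
  August 2019 Remote Desktop Services fixes and, with -Remediate, apply the
  workarounds the post mentions (require NLA, block the RDP listener port).
  Run from an elevated prompt. Kept PowerShell 2.0 compatible so it also runs on
  stock Windows 7 / Server 2008 R2.
#>
param([switch]$Remediate)

$TsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpTcp = "$TsKey\WinStations\RDP-Tcp"

# KB IDs of the August 2019 security update for THIS host's OS build, taken from the
# Microsoft Security Update Guide. The default is the Monthly Rollup for Windows 7 SP1 /
# Server 2008 R2 SP1 and is an assumption to verify; the post itself lists no KB numbers.
$RequiredKBs = @('KB4512506')

function Get-RdpExposure {
    $ts  = Get-ItemProperty -Path $TsKey
    $tcp = Get-ItemProperty -Path $RdpTcp
    $os  = Get-WmiObject -Class Win32_OperatingSystem

    # fDenyTSConnections = 1 means Remote Desktop is off; none of the RDS bugs are
    # reachable over the network in that case.
    $rdpEnabled = ($ts.fDenyTSConnections -eq 0)

    # UserAuthentication = 1 means NLA is required before a session is created, the
    # workaround Microsoft lists for CVE-2019-1181/1182 (not for 1222/1226).
    $nlaRequired = ($tcp.UserAuthentication -eq 1)

    # Windows 7 SP1 / Server 2008 R2 SP1 (NT 6.1) are only hit by the two wormable bugs
    # when RDP 8.0 or 8.1 is installed. Assumption: KB2592687 (RDP 8.0) and KB2830477
    # (RDP 8.1) are the updates that add them; check the advisory before relying on this.
    $isNt61 = ($os.Version -like '6.1.*')
    $rdp8   = $false
    if ($isNt61) {
        $rdp8 = [bool](Get-HotFix -Id KB2592687, KB2830477 -ErrorAction SilentlyContinue)
    }

    # Get-HotFix only sees the exact KB, not a later cumulative update that supersedes it,
    # so Patched = $false means "verify", not "definitely unpatched".
    $patched = [bool](Get-HotFix | Where-Object { $RequiredKBs -contains $_.HotFixID })

    New-Object PSObject -Property @{
        Computer        = $env:COMPUTERNAME
        OS              = $os.Caption
        RdpEnabled      = $rdpEnabled
        ListenPort      = $tcp.PortNumber
        NlaRequired     = $nlaRequired
        Rdp8Installed   = $(if ($isNt61) { $rdp8 } else { 'n/a' })
        Patched         = $patched
        # Wormable path: listener up, unpatched, no NLA, and the build is actually affected.
        WormableExposed = ($rdpEnabled -and -not $patched -and -not $nlaRequired -and (-not $isNt61 -or $rdp8))
        # CVE-2019-1222/1226 have no NLA workaround: any unpatched listener is exposed.
        OtherExposed    = ($rdpEnabled -and -not $patched)
    }
}

function Enable-RdpNla {
    # Forces CredSSP authentication before the RDP session is set up. Closes the
    # unauthenticated path for CVE-2019-1181/1182 only; an attacker with valid
    # credentials could still trigger them, so this is a stop-gap until the patch is on.
    Set-ItemProperty -Path $RdpTcp -Name UserAuthentication -Value 1 -Type DWord
}

function Block-RdpInbound {
    # Host-firewall block of the configured listener port (not always 3389) until
    # patched. netsh is used because New-NetFirewallRule only exists on Windows 8+.
    $port = (Get-ItemProperty -Path $RdpTcp).PortNumber
    netsh advfirewall firewall add rule name="Block inbound RDP pending August 2019 patch" `
        dir=in action=block protocol=TCP localport=$port | Out-Null
}

$report = Get-RdpExposure
$report | Format-List Computer, OS, RdpEnabled, ListenPort, NlaRequired, Rdp8Installed, Patched, WormableExposed, OtherExposed

if ($Remediate -and $report.WormableExposed) {
    Write-Warning 'Unpatched listener without NLA: requiring NLA as a stop-gap for CVE-2019-1181/1182.'
    Enable-RdpNla
}
if ($Remediate -and $report.OtherExposed) {
    Write-Warning "Required update ($($RequiredKBs -join ', ')) not found: blocking inbound RDP until it is installed."
    Block-RdpInbound
}
```

Run it without -Remediate first and feed the report into your inventory; run with -Remediate only from a console or out-of-band session, because the firewall rule will drop any RDP session you are running it over, including on multi-user Remote Desktop servers. The Patched field is only a lower bound, since Get-HotFix does not recognise a newer cumulative update that supersedes the listed KB.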
Hyper-V Hypervisor Escape
Two remote code execution vulnerabilities (CVE-2019-0720 and CVE-2019-0965) are patched in Hyper-V and the Hyper-V Network Switch. Either would allow an authenticated user on a guest system to run arbitrary code on the host, i.e. a guest-to-host escape, so an attacker needs only a foothold in any VM, not on the host itself. Microsoft rates exploitation of these vulnerabilities as less likely, but the patches should still be prioritized for Hyper-V hosts.
Windows DHCP Client / Server RCEs
CVE-2019-0736 is a Critical RCE in the Windows DHCP Client, which runs on practically every Windows workstation and server. It is triggered by specially crafted DHCP responses, so an attacker who can answer DHCP requests on the client's network segment, for example from a rogue DHCP server, can exploit it. Deployment of this patch should be prioritized for all Windows systems.
A Critical RCE (CVE-2019-1213) was also patched in the Windows Server 2008 DHCP Server. Any unauthenticated attacker who can send packets to the DHCP server can exploit it. This patch should be prioritized for any Windows Server 2008 DHCP implementations.
Windows LNK files
Microsoft also patched an RCE (CVE-2019-1188) in Windows that involves the parsing of LNK files (shortcuts). An attacker who can place a malicious .LNK file and its associated binary on a removable drive or a network share can have the binary run when a user opens that location in Windows Explorer, with no further interaction. This type of vuln can be leveraged by worms to spread inside a network through file shares. This vulnerability should be prioritized for all workstations and servers.
Adobe
Adobe has fixed insecure DLL loading vulnerabilities in After Effects, Character Animator, Premiere Pro CC, and Prelude CC. Multiple Critical vulnerabilities were also patched in Experience Manager, Photoshop CC, and Creative Cloud Desktop, while Acrobat/Reader was patched for multiple Important vulnerabilities. The Critical vulnerabilities should be prioritized on all devices where those products are installed, along with patching Acrobat/Reader on workstations.