Windows Remote Desktop Vulnerabilities (Seven Monkeys) – How to Detect and Patch

Qualys

Last updated on: December 15, 2022

In the August 2019 Patch Tuesday release, Microsoft disclosed seven RDP vulnerabilities, four rated Critical and three rated Important. All four Critical vulnerabilities exist in Remote Desktop Services (formerly known as Terminal Services) and require neither authentication nor user interaction: an attacker exploits them by sending a specially crafted request to the target system's Remote Desktop Service over RDP.

The security industry has dubbed them the Seven Monkeys, after the seven CVEs released together. Microsoft has released patches for all of them. At least two of the Critical bugs (CVE-2019-1181 and CVE-2019-1182) are considered "wormable", which puts them in the same class as BlueKeep: malware could use them to spread from one unpatched host to the next with no user interaction. Of the three Important RDP vulnerabilities, one (CVE-2019-1223) is a denial of service and the other two (CVE-2019-1224 and CVE-2019-1225) disclose memory contents. Microsoft's update addresses the vulnerabilities by correcting how Remote Desktop Services handles connection requests.

QID 91563 – Microsoft Windows Security Update for Remote Desktop Service August 2019 (Seven Monkeys)

Authenticated check:

Qualys has issued a special QID (91563) for Qualys Vulnerability Management that covers all 7 CVEs across all impacted Operating Systems. This QID is included in signature version VULNSIGS-2.4.675-4, and requires authenticated scanning or the Qualys Cloud Agent. Cloud Agents will automatically receive this new QID as part of manifest version 2.4.675-4.

You can search for this new QID in AssetView or within the VM Dashboard (Beta) by using the following QQL query:
vulnerabilities.vulnerability.qid:91563

Remediating with Qualys Patch Management:

Customers using Qualys Patch Management with Cloud Agent can search for any of the CVEs (such as cve:`CVE-2019-1181`) in the Patch Catalog, and click “Missing” in the side panel to locate and deploy patches to all affected Operating Systems.

For emergency patching, you can create an On-demand Job and target it at the “Cloud Agent” tag to cover all hosts. For continuous patching, a Daily Job can be created with a 24-hour “Patch Window” to ensure all hosts will continue to receive the required patches. This patch does require a reboot.

Targeting specific operating systems is not necessary. The Qualys Cloud Agent already knows which patch is needed for each host.

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1181
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1182
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1222
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1226
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1223
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1224
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1225

Mitigation:

The following mitigation may be helpful in your situation. In all cases, Microsoft strongly recommends that you install the updates for these vulnerabilities as soon as possible, even if you plan to leave Remote Desktop Services disabled:

Disable Remote Desktop Services if they are not required. If you no longer need these services on your system, consider disabling them as a security best practice. Disabling unused and unneeded services helps reduce your exposure to security vulnerabilities.

Workarounds:

The following workarounds may be helpful in your situation. In all cases, Microsoft strongly recommends that you install the updates for these vulnerabilities as soon as possible, even if you plan to leave these workarounds in place:

  1. Enable Network Level Authentication (NLA). You can enable Network Level Authentication to block unauthenticated attackers from exploiting this vulnerability. With NLA turned on, an attacker would first need to authenticate to Remote Desktop Services using a valid account on the target system before the attacker could exploit the vulnerability.
  2. Some of these vulnerabilities are not exploitable on Windows 7 and Windows Server 2008 if RDP 8 or later has not been enabled. Those versions do not enable RDP 8 by default; later versions of Windows ship with it enabled.
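The mitigation and workarounds above can be audited and applied from an elevated PowerShell session. The script below is an added example and is not part of the Qualys post or of Microsoft's advisories. It reads the well-known Terminal Server registry values (fDenyTSConnections, UserAuthentication, SecurityLayer), uses the Win32_TSGeneralSetting WMI class that Microsoft documents for enabling NLA, and, for the Windows 7 / Server 2008 R2 caveat in workaround 2, reads fServerEnableRDP8, which is the policy value written by the "Enable Remote Desktop Protocol 8.0" group policy setting; confirm that value name on your own builds. The 3389 listener check assumes the default RDP port. None of this replaces installing the August 2019 update.

```powershell
# Added example: audit and apply Microsoft's mitigation (disable RDS) and
# workaround 1 (require NLA) for the Seven Monkeys RDP CVEs on a single host.
# Run elevated. Patching is still required; this only narrows pre-auth exposure.

$tsKey      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcpKey  = "$tsKey\WinStations\RDP-Tcp"
# Policy value set by "Enable Remote Desktop Protocol 8.0" (Win7 / 2008 R2 caveat).
$rdp8Policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RdpExposure {
    $deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    $nla  = (Get-ItemProperty -Path $rdpTcpKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    $sec  = (Get-ItemProperty -Path $rdpTcpKey -Name SecurityLayer -ErrorAction SilentlyContinue).SecurityLayer
    $rdp8 = (Get-ItemProperty -Path $rdp8Policy -Name fServerEnableRDP8 -ErrorAction SilentlyContinue).fServerEnableRDP8

    # Get-NetTCPConnection is absent on Windows 7 / 2008 R2, so guard the lookup.
    $listening = $false
    if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
        $listening = [bool](Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue)
    }

    $rdsEnabled = ($deny -ne 1)
    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        OSVersion       = [System.Environment]::OSVersion.Version.ToString()
        RdsEnabled      = $rdsEnabled
        NlaRequired     = ($nla -eq 1)
        SecurityLayer   = $sec            # 2 = TLS only; 0 = RDP security layer
        Rdp8PolicyValue = $rdp8           # $null means the policy is not configured
        Port3389Listen  = $listening
        # Pre-auth reachable: RDS on, NLA off, listener up. This is the state the
        # Critical CVEs need; NLA forces the attacker to hold valid credentials first.
        ExposedPreAuth  = $rdsEnabled -and ($nla -ne 1) -and $listening
    }
}

function Enable-RdpNla {
    # Workaround 1: require Network Level Authentication on the RDP-Tcp listener.
    # Win32_TSGeneralSetting.SetUserAuthenticationRequired is the documented switch;
    # it writes the same UserAuthentication value read above.
    $ts = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
                          -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    Invoke-CimMethod -InputObject $ts -MethodName SetUserAuthenticationRequired `
                     -Arguments @{ UserAuthenticationRequired = [uint32]1 } | Out-Null
    # Pin the listener to TLS so the RDP-native security layer is not negotiated.
    Set-ItemProperty -Path $rdpTcpKey -Name SecurityLayer -Value 2
}

function Disable-RemoteDesktop {
    # Mitigation: turn off Remote Desktop Services where it is not needed.
    # Do not run this over an RDP session; it drops the session.
    Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1
    if (Get-Command Disable-NetFirewallRule -ErrorAction SilentlyContinue) {
        Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
    }
    Stop-Service -Name TermService -Force
    Set-Service  -Name TermService -StartupType Disabled
}

# Audit first; only change the host when it is reachable without credentials.
$before = Get-RdpExposure
$before | Format-List
if ($before.ExposedPreAuth) {
    Enable-RdpNla
    Get-RdpExposure | Format-List   # NlaRequired should now read True
}
```

Run Get-RdpExposure across a fleet (for example via Invoke-Command) to build the same "which hosts still need attention" list the QID gives you, and call Disable-RemoteDesktop only on hosts where RDP is confirmed unused. Enable-RdpNla changes the listener configuration immediately; existing sessions are not disconnected, but clients that cannot perform CredSSP will fail to connect afterwards.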

Resources:

The Microsoft Security Response Center advisories for each of the seven CVEs are linked above.

Comments

  1. Hi,

    Is QID 91563 checking the wrong file and file version?
    After installing the patch, the mentioned file (%windir%\system32\rdpcorets.dll) is still the same. So this file wasn't changed during patching.

    In my opinion you have to check %windir%\system32\rdpbase.dll. After installing the patch, the file version was changed to 10.0.17134.950.

    System: Win10, x64, Version 1803.

    Please check your QID checks for the file and the file version.

    Thanks and best wishes

  2. Question around the 7 Monkeys. It seems that the only way to find them with a Qualys scan is via an authenticated scan. Will Qualys build a version, like BlueKeep, where these vulnerabilities can be found with an unauthenticated scan? Thanks in advance.

  3. Is there an ETA for the non-auth QID?

    Since I have been notified and found no less than 3 open resources online that show how "easy" it is to perform the exploit, a light pen-test QID would be great.

    Since this round of RDP RCE vulns are way too similar to BlueKeep, I don't see why you couldn't make a similar one to that. I don't know the intricacies of how that QID (91541) worked, but it shouldn't be too different.

  4. Good Day,

    I believe I found a logic error with the Dashboard.

    Panel: “Total: Seven Monkeys Vulns” –> Shows 116 Systems
    Panel: “Windows Server 2012 R2” –> Shows 608 Systems
    Panel: “Windows 2016” –> Shows 331 Systems

    Obviously these should add up somehow.

    All the OS Specific dashboards have the QQL under the “Asset” search, and I would say ‘should work’ However, in the above examples the numbers simply don’t add up.

    When I change the search for Windows 2012 to the following:

    Asset: vulnerabilities.vulnerability.qid:[45348]
    Vulnerability: vulnerabilities.vulnerability.qid:[91563]

    I get a total of 86 Assets

    I also changed the Windows 2016 search to the following:

    Asset: vulnerabilities.vulnerability.qid:[45347,45349]
    Vulnerability: vulnerabilities.vulnerability.qid:[91563]

    I get a total of 30 Assets

    Taking 86 + 30 = 116 (the total number I get in the Seven Monkeys panel).

    Can someone help me understand the difference in the numbers? I think the above method is actually the correct way to do the panel, however, logically the numbers should be the same. What am I missing? Why were the panels built this way?

    Thank You!