Microsoft RDP Remote Code Execution

Overview

Microsoft released a set of fixes for Remote Desktop Services that include two critical Remote Code Execution (RCE) vulnerabilities. Remote Desktop Protocol (RDP) provides a user with a graphical interface to connect to a remote computer over a network connection.

Successful exploitation of either vulnerability could allow an unauthenticated attacker to run malicious commands on a vulnerable server. Like the previously fixed ‘BlueKeep’ vulnerability (CVE-2019-0708), these two vulnerabilities are also ‘wormable’, meaning that any future malware that exploits them could propagate from vulnerable computer to vulnerable computer without user interaction.

Threat Intelligence

At this time, the Masergy Threat Intelligence Team is not aware of any in-the-wild exploitation or public proof-of-concept exploits. We will continue to monitor the situation as it develops. We assess that it is highly likely that actors will pursue the development of exploits for these vulnerabilities.

Recommendations

We recommend the following actions be taken:

  • Immediately apply available security patches on affected systems, after appropriate testing. If you are unable to update, use Microsoft’s provided guidance for mitigating workarounds in their advisories.
  • Disable Remote Desktop Services if they are not required.
  • If possible, ensure externally accessible Remote Desktop Services are under additional protective measures such as a VPN.
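As an added example that is not part of this advisory, the following PowerShell audit checks a host for the conditions the recommendations above address: whether Remote Desktop is enabled and the service running, and whether a fix from Microsoft's advisories is installed. The KB identifiers in $PatchKBs are placeholders that must be taken from Microsoft's advisories for the host's OS; run it as an administrator.

```powershell
# Added example, not code from the advisory.
# Assumption: $PatchKBs is filled in from Microsoft's advisories for this OS.
$PatchKBs = @('KB<placeholder-from-Microsoft-advisory>')

$result = [ordered]@{}

# OS caption, to compare against the "Systems Affected" list.
$result.OS = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption

# Remote Desktop connections are denied when fDenyTSConnections is 1.
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$ts = Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue
$result.RdpEnabled = [bool]($ts -and $ts.fDenyTSConnections -eq 0)

# State of the Remote Desktop Services service (TermService).
$svc = Get-Service -Name TermService -ErrorAction SilentlyContinue
$result.TermServiceStatus = if ($svc) { $svc.Status.ToString() } else { 'NotFound' }

# Has one of the relevant fixes been installed?
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
$result.PatchInstalled = [bool]($PatchKBs | Where-Object { $installed -contains $_ })

# Summarise exposure: RDP reachable on this host and no fix present.
$result.ActionNeeded = $result.RdpEnabled -and -not $result.PatchInstalled
if ($result.ActionNeeded) {
    $result.Advice = 'Apply the patch after testing, or disable Remote Desktop Services / place them behind a VPN.'
} else {
    $result.Advice = 'No immediate action from this advisory.'
}

[pscustomobject]$result
```

The script reads local state only; run it via Invoke-Command against a list of hosts to collect the same fields fleet-wide.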

Patches

Microsoft has made patches available for download; for more information see Microsoft’s advisories.

References

Vulnerabilities

CVE-2019-1181
  • Remote code execution vulnerability in Remote Desktop Services
CVE-2019-1182
  • Remote code execution vulnerability in Remote Desktop Services

Systems Affected

  • Windows 7 SP1
  • Windows Server 2008 R2 SP1
  • Windows Server 2012
  • Windows 8.1
  • Windows Server 2012 R2
  • All supported versions of Windows 10, including server versions