Microsoft warns of two new ‘wormable’ flaws in Windows Remote Desktop Services

August 13, 2019

Microsoft said today it patched two new major security flaws in the Windows Desktop Services package.

These two vulnerabilities are similar to the vulnerability known as BlueKeep (CVE-2019-0708). Microsoft patched BlueKeep in May and warned that attackers could abuse it to create “wormable” attacks that spread from one computer to another without user interaction.

Today, Microsoft said it patched two other BlueKeep-like security flaws, namely CVE-2019-1181 and CVE-2019-1182.

Just like BlueKeep, these two new bugs are wormable, and they also reside in the Windows Remote Desktop Services (RDS) package.

Unlike BlueKeep, these two cannot be exploited via the Remote Desktop Protocol (RDP), which is normally part of the bigger RDS package.

Affected versions

“The affected versions of Windows are Windows 7 SP1, Windows Server 2008 R2 SP1, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, and all supported versions of Windows 10, including server versions,” said Simon Pope, Director of Incident Response at the Microsoft Security Response Center (MSRC).

“Windows XP, Windows Server 2003, and Windows Server 2008 are not affected,” he said.

Pope said Microsoft found these vulnerabilities internally, while trying to harden and improve the security posture of the RDS package.

Remote Desktop Services (RDS) is the Windows component that allows a user to take control of a remote computer or virtual machine over a network connection. In some earlier Windows versions, RDS was known as Terminal Services.

A race to patch before attacks get underway

Just like it did with the BlueKeep flaw, Pope is advising users and companies to patch their systems as quickly as possible, to prevent exploitation.

Although BlueKeep was disclosed three months ago, no attacks have been detected at the time of writing, although BlueKeep exploits have been created and shared around.

Nevertheless, it’s better to be safe than sorry, so patching CVE-2019-1181 and CVE-2019-1182 should be at the top of every system administrator’s list this week and this Patch Tuesday.

“There is partial mitigation on affected systems that have Network Level Authentication (NLA) enabled,” Pope said. “The affected systems are mitigated against “wormable” malware or advanced malware threats that could exploit the vulnerability, as NLA requires authentication before the vulnerability can be triggered.

“However, affected systems are still vulnerable to Remote Code Execution (RCE) exploitation if the attacker has valid credentials that can be used to successfully authenticate,” Pope said.