Microsoft has identified and patched several vulnerabilities in the Windows Remote Desktop Services (RDS) component -- formerly known as Terminal Services -- which is widely used in corporate environments to remotely manage Windows machines. Some of the vulnerabilities can be exploited without authentication to achieve remote code execution and full system compromise, making them highly dangerous for enterprise networks if left unfixed.
All the flaws have been discovered internally by Microsoft during hardening of the RDS component, so no public exploits are available at this time. However, Microsoft researcher Justin Campbell said on Twitter that his team “successfully built a full exploit chain using some of these, so it's likely someone else will as well.”
In a blog post, Simon Pope, director of incident response at Microsoft warned that two of the flaws, tracked as CVE-2019-1181 and CVE-2019-1182, are wormable. If malware makes its way inside a corporate network, it could exploit these flaws to propagate from computer to computer.
The two vulnerabilities affect Windows 7 SP1, Windows Server 2008 R2 SP1, Windows Server 2012, Windows 8.1, Windows Server 2012 R2 and all supported versions of Windows 10. Since RDS is a system service, successful exploitation would provide attackers with the necessary privileges to install programs; read and delete data and create new accounts.
Microsoft also patched two other remote code execution vulnerabilities in RDS on Tuesday that are tracked as CVE-2019-1222 and CVE-2019-1226. These flaws only affect supported versions of Windows 10, Windows Server 2019 and Windows Server version 1803 and don’t require authentication to exploit.
The company also fixed an unauthenticated denial-of-service flaw (CVE-2019-1223) and two memory disclosure issues (CVE-2019-1224 and CVE-2019-1225), bringing the total number of RDS flaws fixed this Patch Tuesday to seven.
It started with BlueKeep
Microsoft’s deeper investigation of RDS and the newly identified issues come after a wormable RDS flaw was discovered and patched in May. Tracked as CVE-2019-0708 that vulnerability is known in the security community as BlueKeep and public exploits are available for it.
Last week, Microsoft’s Detection and Response Team (DART) issued a warning that BlueKeep exploitation is very likely. The team said at the time based on its telemetry that more than 400,000 endpoints lack network level authentication, which makes the problem much worse and could enable the easy spread of Remote Desktop Protocol (RDP) worms.
Network level authentication (NLA) is suggested by Microsoft as a possible mitigation for both BlueKeep and the newly patched RDS flaws because it forces attackers to authenticate before attempting an exploit. However, in practice, there are many scenarios where attackers can obtain legitimate credentials and bypass this protection, so deploying patches for these vulnerabilities as soon as possible is the best solution.
According to a new report by SecurityScorecard, around 800,000 machines with vulnerable RDS service were exposed directly to the internet when BlueKeep came out in May. The company has been rescanning those machines daily and found that the patching response has been slow, with around 1% being patched each day.
For machines that did get the BlueKeep patches, the majority were updated during the first 13 days after the announcement. This means that in most cases vulnerable machine owners either patched their systems within 13 days or not at all.
Some industries performed better than others, according to SecurityScorecard’s data. The financial services industry had the largest number of machines patched within a day of the fixes coming out. Many other financial organizations patched them by day 11. Overall, the financial services industry patched around 713 vulnerable machines per day.
Organizations from the manufacturing and hospitality industries patched around 3% of their machines per day, a significantly higher rate than average. However, these industries also had a much lower number of vulnerable machines exposed to the internet to begin with, which is indicative of good security practices and network architecture.
“A five- to 13-day response time is rather respectable. However, SecurityScorecard advises that Remote Desktop (RDP) should not be exposed on the internet,” the company wrote in its report. “Rather, it should be behind a firewall and/or VPN. Thus, the true fix for these machines is a combination of fixes: Upgrade to a more recent Windows version, patch the vulnerability, and prevent internet-wide access to these machines.”