September 22, 2020

CVE-2019-1181/1182: Wormable vulnerabilities in Remote Desktop Services Alert


Today Microsoft released a series of patches for Remote Desktop Services, including fixes for two key RCE vulnerabilities: CVE-2019-1181 and CVE-2019-1182. Like the previously fixed “BlueKeep” vulnerability (CVE-2019-0708), these two vulnerabilities are also “wormable”: malware that exploits them can propagate from one vulnerable host to another without any user interaction.


The affected versions of Windows include:

  • Windows 7 SP1
  • Windows Server 2008 R2 SP1
  • Windows Server 2012
  • Windows 8.1
  • Windows Server 2012 R2
  • All versions of Windows 10 (including Server version)

Windows XP, Windows Server 2003, and Windows Server 2008 are not affected by these vulnerabilities, and the Remote Desktop Protocol (RDP) itself is not affected.

Microsoft discovered these vulnerabilities internally while continuing to harden Remote Desktop Services. At present, to our knowledge, there is no evidence that any third party is aware of these vulnerabilities.

Because wormable vulnerabilities pose a serious security risk, affected systems should be patched as soon as possible. The patches can be downloaded from the Microsoft Security Update Guide; systems with automatic updates enabled will receive them automatically.

These risks are partially mitigated on affected systems that have Network Level Authentication (NLA) enabled. With NLA, an attacker must authenticate before the vulnerable code path can be reached, which blocks “wormable” malware and other threats that exploit the vulnerability without credentials. However, an attacker who holds valid credentials and can pass authentication can still achieve RCE on an unpatched system.
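The NLA mitigation and the patch check described above can be audited from an elevated PowerShell prompt on each Windows host. The script below is an added example, not part of the original alert or Microsoft's own tooling; it assumes the standard Terminal Server registry locations (`fDenyTSConnections` under `Terminal Server`, `UserAuthentication` under `WinStations\RDP-Tcp`) and uses a placeholder KB identifier because the alert does not list the update numbers.

```powershell
# Added example (not from the original alert): audit Remote Desktop exposure on the local host.
# Assumes Windows PowerShell 5.1 or later, run from an elevated prompt.
# Registry semantics (standard Terminal Server settings, not specific to this alert):
#   fDenyTSConnections = 0  -> Remote Desktop connections are allowed
#   UserAuthentication = 1  -> Network Level Authentication (NLA) is required before a session is created

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = Join-Path $tsKey 'WinStations\RDP-Tcp'

# Placeholder: substitute the update id for this host's build from the Microsoft Security Update Guide.
$requiredKb = 'KB0000000'

function Get-RdpExposure {
    $rdpEnabled  = (Get-ItemProperty -Path $tsKey  -Name fDenyTSConnections).fDenyTSConnections -eq 0
    $nlaRequired = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication).UserAuthentication -eq 1
    $patched     = [bool](Get-HotFix -ErrorAction SilentlyContinue |
                          Where-Object { $_.HotFixID -eq $requiredKb })

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        RdpEnabled   = $rdpEnabled
        NlaRequired  = $nlaRequired
        Patched      = $patched
        # Pre-authentication surface reachable from the network: highest priority for patching.
        Exposed      = $rdpEnabled -and -not $nlaRequired -and -not $patched
    }
}

function Enable-RdpNla {
    # Require NLA so that clients must authenticate before the server allocates a session.
    # This reduces, but does not remove, the risk: an authenticated attacker can still reach the flaw.
    Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1 -Type DWord
    Get-RdpExposure
}

$status = Get-RdpExposure
$status | Format-List

if ($status.Exposed) {
    Write-Warning 'RDP is enabled without NLA on an unpatched host: enabling NLA as an interim mitigation.'
    Enable-RdpNla | Format-List
}
if (-not $status.Patched) {
    Write-Warning "Update $requiredKb not found; install the Remote Desktop Services update regardless of NLA state."
}
```

`Exposed` is deliberately the narrow case (RDP reachable, no NLA, no patch) so that fleet-wide output sorts the hosts that need attention first; the `Patched` flag stays the authoritative signal, since NLA only raises the bar to holders of valid credentials.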