Windows Remote Desktop Vulnerabilities (Seven Monkeys) – How to Detect and Patch

In the August 2019 Patch Tuesday release, Microsoft disclosed 7 RDP vulnerabilities, of which 4 are labeled critical and 3 important. All the critical vulnerabilities exist in Remote Desktop Services – formerly known as Terminal Services – and do not require authentication or user interaction. To exploit the vulnerabilities, an attacker would need to send a specially crafted request to the target system's Remote Desktop Service via RDP.

The cyber industry has named them Seven Monkeys, after the seven CVEs released. Microsoft has released patches for these vulnerabilities, and at least two of them (CVE-2019-1181 & CVE-2019-1182) can be considered “wormable” and are equated with BlueKeep. Of the three “Important” RDP vulnerabilities, one (CVE-2019-1223) is a DoS, and the other two (CVE-2019-1224 and CVE-2019-1225) disclose memory contents. The Microsoft update addresses the vulnerabilities by correcting how Remote Desktop Services handles connection requests.

QID 91563 – Microsoft Windows Security Update for Remote Desktop Service August 2019 (Seven Monkeys)

Authenticated check:

Qualys has issued a special QID (91563) for Qualys Vulnerability Management that covers all 7 CVEs across all impacted Operating Systems. This QID is included in signature version VULNSIGS-2.4.675-4, and requires authenticated scanning or the Qualys Cloud Agent. Cloud Agents will automatically receive this new QID as part of manifest version 2.4.675-4.

You can search for this new QID in AssetView or within the VM Dashboard (Beta) by using the following QQL query:
vulnerabilities.vulnerability.qid:91563

Remediating with Qualys Patch Management:

Customers using Qualys Patch Management with Cloud Agent can search for any of the CVEs (such as cve:`CVE-2019-1181`) in the Patch Catalog, and click “Missing” in the side panel to locate and deploy patches to all affected Operating Systems.

For emergency patching, you can create an On-demand Job and target it at the “Cloud Agent” tag to cover all hosts. For continuous patching, a Daily Job can be created with a 24-hour “Patch Window” to ensure all hosts will continue to receive the required patches. This patch does require a reboot.

Targeting specific operating systems is not necessary. The Qualys Cloud Agent already knows which patch is needed for each host.

Patch Links:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1181
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1182
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1222
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1226
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1223
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1224
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1225

Mitigation:

The following mitigation may be helpful in your situation. In all cases, Microsoft strongly recommends that you install the updates for this vulnerability as soon as possible even if you plan to leave Remote Desktop Services disabled:

Disable Remote Desktop Services if they are not required. If you no longer need these services on your system, consider disabling them as a security best practice. Disabling unused and unneeded services helps reduce your exposure to security vulnerabilities.

Workarounds:

The following workarounds may be helpful in your situation. In all cases, Microsoft strongly recommends that you install the updates for this vulnerability as soon as possible even if you plan to leave these workarounds in place:

  1. Enable Network Level Authentication (NLA). You can enable Network Level Authentication to block unauthenticated attackers from exploiting this vulnerability. With NLA turned on, an attacker would first need to authenticate to Remote Desktop Services using a valid account on the target system before the attacker could exploit the vulnerability.
  2. Some of these vulnerabilities are not exploitable on Windows 7 and 2008 if you haven’t enabled RDP 8 or above. RDP 8 and above are available by default in later versions of Windows.
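
As an added example (not code from Microsoft's advisory or from Qualys), the read-only PowerShell function below reports whether a host accepts RDP connections and whether NLA is required, the two settings the mitigation and workaround above depend on. The registry paths and the `TermService` service name are the standard Windows locations and are assumptions of this example, not values taken from the article; patch status is not checked here.

```powershell
# Added example: read-only audit of RDP exposure on the local host.
# Registry paths below are standard Windows locations, not quoted from the article.
function Get-RdpExposure {
    $ts     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpTcp = "$ts\WinStations\RDP-Tcp"
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

    # Return a registry value, or $null when the key or value is absent.
    function Read-Value($Path, $Name) {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { $item.$Name } else { $null }
    }

    # A Group Policy value, when present, overrides the local setting,
    # so a host can look hardened locally while policy says otherwise.
    $denyPol = Read-Value $policy 'fDenyTSConnections'
    $nlaPol  = Read-Value $policy 'UserAuthentication'
    $deny = if ($null -ne $denyPol) { $denyPol } else { Read-Value $ts 'fDenyTSConnections' }
    $nla  = if ($null -ne $nlaPol)  { $nlaPol }  else { Read-Value $rdpTcp 'UserAuthentication' }

    $rdpEnabled  = ($deny -eq 0)   # 0 = connections allowed; a missing value is treated as not enabled
    $nlaRequired = ($nla -eq 1)    # 1 = NLA required before a session is created
    $svc = Get-Service -Name TermService -ErrorAction SilentlyContinue

    if (-not $rdpEnabled) { $finding = 'RDP connections are disabled' }
    elseif ($nlaRequired) { $finding = 'RDP enabled, NLA required (patch still needed)' }
    else                  { $finding = 'RDP enabled WITHOUT NLA: reachable pre-authentication' }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        RdpEnabled     = $rdpEnabled
        NlaRequired    = $nlaRequired
        SetByPolicy    = ($null -ne $denyPol) -or ($null -ne $nlaPol)
        ServiceStatus  = if ($svc) { $svc.Status } else { 'NotInstalled' }
        ServiceStartup = if ($svc) { $svc.StartType } else { $null }
        Finding        = $finding
    }
}

Get-RdpExposure | Format-List
```

A host that reports `RDP enabled WITHOUT NLA` is the case to prioritise for patching or for applying the NLA workaround; NLA does not remove the need for the update.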
