Microsoft is warning of a four new Windows vulnerabilities that are “wormable,” meaning they can be exploited to spread malware from one vulnerable computer to another without any user action in much the way the self-replicating WannaCry and NotPetya outbreaks did in 2017.
Similar to the so-called BlueKeep vulnerability Microsoft patched in May, the four bugs the company patched on Tuesday reside in Remote Desktop Services, which allow a user to take control of a remote computer or virtual machine over a network connection.
The bugs—indexed as CVE-2019-1181, CVE-2019-1182, CVE-2019-1222, and CVE-2019-1226—make it possible to for unauthenticated attackers to execute malicious code by sending a specially crafted message when a protection known as Network Level Authentication is turned off, as many administrators in large organizations often do.
In such networks, it’s possible for exploits to ricochet from computer to computer. Leaving NLA on makes it harder for attacks to spread, since attackers must first have network credentials. The growing use of hacking tools such as Mimikatz, however, often enables attackers to surreptitiously obtain the needed credentials.
The race begins
Unlike BlueKeep—which affected only unsupported Windows versions or versions close to being unsupported—the bugs disclosed on Tuesday affect newer versions, specifically Windows 7, 8, and 10 and Server 2008, 2012, 2016, and 2019. That puts a much larger and potentially more sensitive fleet of computers at risk. Microsoft rated severity of the vulnerabilities as 9.7 and 9.8 out of a possible 10. The company also said the chances of in-the-wild exploitation are “more likely.”
“The vulnerabilities include the latest versions of Windows, not just older versions like in BlueKeep,” independent security researcher Kevin Beaumont told Ars. “There will be a race between organizations to patch systems before people reverse engineer the vulnerability from the patches to learn how to exploit them. My message would be: keep calm and patch.”
Windows machines that have automatic updating enabled should receive the patch within hours if they haven’t already. Installing Tuesday’s patches is the single most effective way to ensure computers and the networks they’re connected to are safe against worms that exploit the newly described vulnerabilities. For people or organizations that can’t update immediately, a good mitigation is to “enable NLA and leave it enabled for all external and internal systems,” Beaumont said in a blog post.
Enabling NLA doesn’t provide an absolute defense against attacks. As noted earlier, attackers who manage to obtain network credentials can still exploit the vulnerabilities to execute code of their choice. Still, turning on NLA significantly increases the requirement, since the exploits can completely bypass the authentication mechanism built into Remote Desktop Services itself.
Harden the RDS
According to a blog post published Tuesday by Director of Incident Response at the Microsoft Security Response Center Simon Pope, Microsoft researchers discovered the vulnerabilities on their own during a security review designed to harden the RDS. The exercise also led to Microsoft finding several less-severe vulnerabilities in RDS or the Remote Desktop Protocol that’s used to make RDS work. Pope said there’s no evidence any of the vulnerabilities were known to a third party.
The exercise came three months after the patching of BlueKeep, which was reported to Microsoft by the UK’s National Cyber Security Center. It’s possible—although Pope gave no indication—that the review came in response to that tip from the NCSC.
Some security researchers have speculated the original source of BlueKeep vulnerability report was the Government Communications Headquarters, the UK’s counterpart to the National Security Agency, as part of a vulnerabilities equity process that calls for bugs to be disclosed once their value to national security has diminished.
“So it’ll be ironic if the GCHQ VEP killed a RDP bug because it only affect [sic] old boxes but then MS audited all of RDP and killed one of their goto new hotness bugs,” Dave Aitel, a former NSA hacker who now heads security firm Immunity wrote on Twitter. “(Another good reason not to kill bugs).”
So it’ll be ironic if the GCHQ VEP killed a RDP bug because it only affect old boxes but then MS audited all of RDP and killed one of their goto new hotness bugs. (Another good reason not to kill bugs)
— daveaitel (@daveaitel) August 13, 2019
Aitel later acknowledged the theory “may be totally crazy! :)”
Whatever the case, the four wormable bugs disclosed Tuesday represent a threat not just to the Internet but to the health care, shipping, transportation, and other industries that rely on it. Administrators and engineers would do well to devote as much time as necessary to researching the vulnerabilities to ensure they aren’t exploited the way WannaCry and NotPetya were two years ago.