2019 is fast becoming the year of Microsoft wormable vulnerabilities. Two new flaws, CVE-2019-1181 and CVE-2019-1182 (not to be confused with CVE-2017-11882, another famous MS vulnerability which is currently used in multiple campaigns), were patched by the tech giant this week. Both share similar DNA with the infamous BlueKeep vulnerability. They were published alongside two other non-wormable remote code execution (RCE) flaws.
Reassuringly, Microsoft has written a blog which explains there’s “no evidence that these vulnerabilities were known to any third party”. Consequently, it’s unlikely that hackers were able to use them to their advantage.
What Are The New Microsoft Wormable Vulnerabilities?
Like Bluekeep, these new vulnerabilities could allow unauthenticated remote attackers to connect to a Windows server via remote desktop protocol. This can be achieved via a specially crafted packet and, if exploited, would allow the attacker to execute arbitrary code on the remote server without any need for any user interaction.
The vulnerabilities are wormable in the way that they could be used to gain initial access to an organization’s infrastructure. Once an attacker has found their way in, the vulnerabilities could also be used to enable lateral movement within networks. Which means that they are particularly dangerous in organizations with a large, fragmented attack surface: the wider the perimeter, the higher the potential for attack.
The products which are affected are MS Windows 7, Windows 8, Windows 10, Windows server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019.
Interestingly, Microsoft hasn’t patched its old OS versions. This differs to its approach to BlueKeep when it went to lengths to release fixes for all of its end-of-live versions. It’s possible that it’s because it knows that they aren’t affected but it’s safer to err on the side of caution and not make that assumption. Let this serve as a firm reminder about the importance of upgrading to a secure OS; something that should be at the forefront of the minds of organizations ahead of Microsoft’s termination of support for Windows 7 in January 2020.
Have the Vulnerabilities Been Exploited?
There are currently no known PoC exploits for the new Microsoft wormable vulnerabilities – nor have they been exploited in the wild. This doesn’t mean that exploits aren’t coming.
The development and publication of a viable exploit code for BlueKeep took quite a lot of time. But it has been developed and we have subsequently seen multiple threat actors trying to sell it. It’s surely only a matter of time until it’s used in a widescale attack.
How Skybox Can Help
If you have the ability to patch then you should do so right now. It’s possible that patches can’t be implemented immediately, or that patching presents a number of difficulties. Windows 7 and Windows 2008 R2 are still widely used, especially within operational technology (OT) environments which are notoriously difficult to patch. In these instances Skybox will also suggest possible mitigation strategies, often unique to each environment, to protect exposed assets.
Understand asset exposure
Understanding which assets are exposed should be a priority. Skybox’s attack simulations analyze network paths to highlight vulnerable assets exposed to potential threat origins. Exposure is considered alongside the importance of the asset to help develop informed, proactive and effective remediation strategies.
Skybox provides a flexible and comprehensive risk scoring method in Skybox® Vulnerability Control that takes into consideration a broad range of risk factors, including asset importance, CVSS score, exploitability and exposure, both from within and outside an organization. This method enables users to identify and prioritize the riskiest assets and vulnerabilities in their organization, and quickly make the best remediation decisions. So if these vulnerabilities exist within your infrastructure, Skybox will help you to build an informed understanding of how to prioritize their remediation.
Patch at the Perimeter of Your Attack Surface
Owing to the properties of these vulnerabilities – they can be exploited without any user interaction – it’s extremely important to first patch at the external perimeters of your attack surface. You don’t want to give attackers any opportunity to find a chink in your armor that they can leverage to worm their way into your critical infrastructure.
Passive Vulnerability Assessment
Finally, Skybox’s passive vulnerability assessment capabilities help out by detecting vulnerable assets as they’re exposed. There are often long periods of time between traditional scans, giving attackers the opportunity to slip in unnoticed. When dealing with such severe vulnerabilities, you can’t afford to wait for your next scan. You need to be able to act as soon as possible. Skybox works without the need for a recent vulnerability scan, identifying platforms which contain the vulnerabilities through the Microsoft System Center Configuration Manager (SCCM) patch management system (or an equivalent patch management system).
Two New Microsoft Zero-Day Vulnerabilities Revealed in One Week: A couple of months ago, there was another less-than-ideal week for Microsoft – read how the tech giant responded.
Threadkit, Formbook Exploit Old Microsoft Vulnerability – a case which shows the importance of applying patches when they’re released; even when they’re flagged as “non-critical”.