Microsoft’s August Patch Tuesday release contains updates for 93 CVEs, including 29 that are rated critical in severity. The highest priority of these include four critical remote code-execution (RCE) vulnerabilities in Remote Desktop Services (RDS) and a critical RCE flaw in Microsoft Word.
Also, two of the RDS bugs are wormable, allowing an exploit to self-propagate from PC to PC without user interaction, thus setting the scene for a global, fast-moving infection wave. Microsoft warned that these are as dangerous as the now-infamous BlueKeep vulnerability — but easier to exploit.
Remote Desktop Services and Word
The RDS flaws (CVE-2019-1181, CVE-2019-1182, CVE-2019-1222 and CVE-2019-1226) can be exploited without authentication or user interaction, according to a Microsoft special bulletin; an attacker connecting to a vulnerable system using the Remote Desktop Protocol (RDP) needs only to send a specially crafted request in order to gain arbitrary code execution on the system. This opens the door to malicious activities such as creating a new account with full user rights, installing programs, and viewing, changing or deleting data.
“An attacker can get code execution at system level by sending a specially crafted pre-authentication RDP packet to an affected RDP service,” explained Trend Micro’s Zero Day Initiative (ZDI), in commentary on Tuesday.
Making matters worse, two of these (CVE-2019-1181, CVE-2019-1182) are wormable. And all four “receive Microsoft’s highest exploitability ranking, meaning we could likely see multiple RDP exploits circulating in the near future,” according to ZDI.
Meanwhile, the critical RCE bug in Microsoft Word (CVE-2019-1201) is due to improper handling of objects in memory. Of note here is that an exploit does not require the victim to actually open a crafted Word document: the Outlook Preview Pane is itself an attack vector.
“An attacker could exploit this flaw by creating a specially crafted Microsoft Word file and convincing their victim to open the file on a vulnerable system, either by attaching it to a malicious email or hosting it on a malicious website,” said Satnam Narang, senior research engineer at Tenable, in emailed commentary. “Microsoft notes that the Outlook Reading/Preview Pane is an attack vector, meaning the vulnerability could be exploited by merely viewing the email without opening an attachment. Successful exploitation would allow an attacker to perform actions on the system using the same permissions as the current user.”
Other Critical Concerns
As for the rest of the Patch Tuesday updates, there are no zero-days or publicly disclosed vulnerabilities for the first time in several months. But other notable critical vulnerabilities are included.
One of these, CVE-2019-9506, is a key negotiation vulnerability in the hardware specification level for all Bluetooth Classic devices. It could allow an attacker within Bluetooth range to negotiate the offered key length down to 1 byte of entropy, from a maximum of 16 bytes – thus interfering with the device’s transmissions. It affects Windows 10, Windows 8.1, Windows 7 and Windows Server.
“It requires specialized hardware to exploit but can allow wireless access and disruption within Bluetooth range of the device being attacked,” said Chris Goettl, director of product management for security at Ivanti, via email. “Microsoft provided an update to address the issue, but the new functionality is disabled by default. You must enable the functionality by setting a flag in the registry.”
Users would need to apply the update and then enable the registry key, which enforces a default 7-octet minimum key length.
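To illustrate what the minimum-key-length setting changes, here is an added, deliberately simplified model of the Bluetooth key-size negotiation described above (not Microsoft's code and not the real Link Manager Protocol exchange); the `Device`, `negotiate` and `enforce_minimum` names are this example's own, and only the 16-byte maximum, the 1-byte floor and the 7-octet minimum come from the article.

```python
# Toy model of Bluetooth Classic encryption key-size negotiation, added here to
# show why a 1-byte key is a problem and how a minimum-key-size policy blocks it.
# Constructed example: the names below are hypothetical, not Microsoft's API.
from dataclasses import dataclass
from typing import Callable, Optional

MAX_KEY_BYTES = 16          # maximum entropy the spec allows (per the article)
DEFAULT_MIN_KEY_BYTES = 7   # minimum enforced once the registry flag is set (per the article)


@dataclass
class Device:
    name: str
    max_key_bytes: int = MAX_KEY_BYTES
    min_key_bytes: int = 1  # unpatched / flag disabled: spec floor is a single byte


def negotiate(initiator: Device, responder: Device,
              in_flight: Optional[Callable[[int], int]] = None) -> Optional[int]:
    """Return the agreed key size in bytes, or None if either side rejects it.

    The proposal is the smaller of the two maxima. `in_flight` models the fact
    that the exchange is unauthenticated: a party within radio range can alter
    the proposed size before the peer sees it (the root cause of CVE-2019-9506).
    Each side then accepts only if the proposal meets its own configured minimum.
    """
    proposal = min(initiator.max_key_bytes, responder.max_key_bytes)
    if in_flight is not None:
        proposal = in_flight(proposal)
    if proposal < initiator.min_key_bytes or proposal < responder.min_key_bytes:
        return None  # link is refused rather than set up with a weak key
    return proposal


def enforce_minimum(device: Device, min_bytes: int = DEFAULT_MIN_KEY_BYTES) -> Device:
    """Model applying the update and enabling the registry flag on one device."""
    device.min_key_bytes = min_bytes
    return device


def brute_force_attempts(key_bytes: int) -> int:
    """Size of the key space an attacker would have to search for a given key size."""
    return 256 ** key_bytes
```

Enforcing the minimum on just one side is enough for the model to refuse a downgraded link, which mirrors the article's point that the Windows update only helps once the flag is enabled.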
Another patch corrects a wormable RCE bug (CVE-2019-0736) in the DHCP client that impacts every supported Microsoft OS.
The flaw “could allow code execution if an attacker sends a specially crafted packet to an affected client,” according to ZDI. “There’s no user interaction or authentication involved, so this CVE is also theoretically wormable. Every supported Microsoft OS is impacted by this bug, so an exploit would have a broad selection of targets.”
Microsoft also patched a wormable RCE (CVE-2019-1188) in Windows that involves the parsing of LNK files (a.k.a. shortcuts). This vulnerability could allow an attacker to automatically run a malicious binary against a target, and it can spread inside a network through file shares, according to commentary from Qualys.
Two remote code execution vulnerabilities (CVE-2019-0720 and CVE-2019-0965) are patched in Hyper-V and Hyper-V Network Switch; they would allow an authenticated user on a guest system to run arbitrary code on the host system. Microsoft notes that exploitation of these vulnerabilities is less likely, but still recommends that patches be prioritized for Hyper-V systems.
“Looking at the other critical-rated patches, the two Hyper-V bugs definitely stand out,” according to ZDI. “Both could allow an attack on a guest OS to execute code on the underlying host OS.”
Rounding out the critical flaws are a bug in the Microsoft Graphics Component, where viewing a specially crafted embedded font on an affected system would result in code execution at the level of the logged-on user; 10 different browser-related patches for flaws allowing code execution by browsing to a malicious website; and additional patches for bugs similar to the Word flaw, for which the Preview Pane is an attack vector.
“There’s a good chance malware authors will seek to include these in future attacks,” according to ZDI.