de | English
IT Security Aug 21, 2019

„DejaBlue“: More weak spots in Microsoft's Remote Desktop Protocol (RDP).

Only a few months after the discovery of CVE-2019-0708—BlueKeep—Microsoft released patches for four other weaknesses. As "BlueKeep” did before, the vulnerabilities called "DejaBlue" allow the execution of arbitrary code on vulnerable systems (CVE-2019-1181, CVE-2019-1182, CVE-2019-1222, CVE-2019-1226).

Share article

The Federal Office for Information Security (BSI) estimates that at least two of the weaknesses are prone to worms. This means that malware is able to spread itself without user interaction. Making weaknesses critical. They can lead to outbreaks such as “WannaCry” and “NotPetya” whereby a large number of systems are compromised.

Successful exploitation of vulnerabilities enables attackers to run arbitrary code with administrator rights on the target system. For this, attackers need to send a specially formatted request to the Remote Desktop Services with RDP.

 

What systems are affected?

Weaknesses affect the following Windows systems on which Remote Desktop Services are activated:

  • Windows 10
  • Windows 8.1
  • Windows 7
  • Windows Server 2019
  • Windows Server 2016
  • Windows Server 2012 R2
  • Windows Server 2012
  • Windows Server 2008 R2

How can you protect yourself?

It is recommended to install the relevant security updates as soon as possible after their release. Alternatively, users can disable Remote Desktop Services if they are not needed. As a workaround, users can enable the Network Level Authentication (NLA). This previous authentication with a new user account before weaknesses can be exploited. Another workaround is to block TCP port 3389 to the firewall, whereby the system is protected from attacks behind the firewall. This can help protect the system from attacks from the internet; it remains however, vulnerable to attacks within the network.

charles-kionga_01.png
Charles Kionga
Principal Consultant Geschäftsbereichsleitung IT-Security