Microsoft Windows RDP RCE Vulnerability: DejaBlue

About 3 months after the BlueKeep (CVE-2019-0708) vulnerability, which was published in the Microsoft Patch Tuesday security bulletin on May 14, 2019, a similar Microsoft Windows vulnerability was released.

This vulnerability, called DejaBlue (CVE-2019-1181 / 1182), allows attackers to remotely execute code via the Microsoft Windows RDP service. Because it is similar to BlueKeep, published in May, and was released soon after it, it gave many people a feeling of “déjà vu”, hence the name. The CVE identifiers of the vulnerability are as follows:

CVE-2019-1181
CVE-2019-1182
CVE-2019-1222
CVE-2019-1226
The vulnerability is known to be caused by a flaw in the communication that takes place in the early stages of the RDP connection. It can be exploited with specially crafted packets without requiring any username or password.

When the vulnerability is exploited, the attacker is able to execute arbitrary commands, delete or copy files, or perform other operations on the operating system without authorization.

Information on the vulnerability is still limited, and no exploit or PoC code has been published yet.

Examinations so far indicate that such a critical (RCE) vulnerability could be wormable. Once PoC code is released, exploit code can be written or derived from it. If this type of vulnerability were weaponized, an attack on the scale of “WannaCry” could occur.


VULNERABLE VERSIONS

Windows 10 Version 1607
Windows 10 Version 1703
Windows 10 Version 1709
Windows 10 Version 1803
Windows 10 Version 1809
Windows 10 Version 1903
Windows 7
Windows 8.1
Windows RT 8.1
Windows Server 2008 R2
Windows Server 2012
Windows Server 2012 R2
Windows Server 2016
Windows Server 2019
Windows Server, Version 1803


SOLUTION

To resolve the vulnerability, the published updates must be installed. The patches can be reached from the links below.

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/cve-2019-1181
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/cve-2019-1182
In addition, enabling Network Level Authentication (NLA) on RDP services is recommended as an additional security measure.
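As an added example (not part of the original advisory), the following PowerShell script audits the local RDP configuration and, with -Enforce, applies the NLA mitigation recommended above. It assumes the standard RDP-Tcp listener and reads the documented Terminal Server registry settings; run it in an elevated session.

```powershell
# Added example, not from the original advisory: audit RDP exposure and
# optionally require Network Level Authentication (NLA). Assumes the
# default RDP-Tcp listener; run as Administrator.
param([switch]$Enforce)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

# fDenyTSConnections = 1 means Remote Desktop is disabled entirely.
$denyTs = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
# UserAuthentication = 1 means NLA must succeed before a session is created,
# so unauthenticated clients never reach the later connection stages.
$nla    = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
# SecurityLayer = 2 means TLS is required for the RDP transport.
$secLay = (Get-ItemProperty -Path $rdpKey -Name SecurityLayer -ErrorAction SilentlyContinue).SecurityLayer

$os = Get-CimInstance Win32_OperatingSystem
Write-Host ("OS           : {0} (build {1})" -f $os.Caption, $os.BuildNumber)
Write-Host ("RDP enabled  : {0}" -f ($denyTs -ne 1))
Write-Host ("NLA required : {0}" -f ($nla -eq 1))
Write-Host ("TLS enforced : {0}" -f ($secLay -eq 2))

# Report the most recently installed update so it can be compared with the
# advisory release date; the patch itself must still be installed.
$lastFix = Get-HotFix | Where-Object InstalledOn |
           Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($lastFix) {
    Write-Host ("Latest hotfix: {0} installed {1}" -f $lastFix.HotFixID, $lastFix.InstalledOn)
}

if ($denyTs -ne 1 -and $nla -ne 1) {
    Write-Warning 'RDP is reachable without NLA: unauthenticated clients can talk to the RDP service.'
    if ($Enforce) {
        Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1 -Type DWord
        Set-ItemProperty -Path $rdpKey -Name SecurityLayer     -Value 2 -Type DWord
        Write-Host 'NLA and TLS now required for new RDP connections (existing sessions are unaffected).'
    } else {
        Write-Host 'Re-run with -Enforce to require NLA and TLS.'
    }
}
```

NLA reduces exposure of the pre-authentication code path but is a mitigation, not a replacement for the update.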


REFERENCES

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/cve-2019-1181
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/cve-2019-1182
