Microsoft warns of two new 'wormable' flaws in Windows Remote Desktop Services

Microsoft warns of BlueKeep II & III. Says they're wormable, just like the original BlueKeep vulnerability.
Written by Catalin Cimpanu, Contributor

Microsoft said today it patched two new major security flaws in the Windows Remote Desktop Services package.

These two vulnerabilities are similar to the vulnerability known as BlueKeep (CVE-2019-0708). Microsoft patched BlueKeep in May and warned that attackers could abuse it to create "wormable" attacks that spread from one computer to another without user interaction.

Today, Microsoft said it patched two other BlueKeep-like security flaws, namely CVE-2019-1181 and CVE-2019-1182 (nicknamed DejaBlue by the infosec community).

Just like BlueKeep, these two new bugs are wormable, and they also reside in the Windows Remote Desktop Services (RDS) package.

Affected versions

"The affected versions of Windows are Windows 7 SP1, Windows Server 2008 R2 SP1, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, and all supported versions of Windows 10, including server versions," said Simon Pope, Director of Incident Response at the Microsoft Security Response Center (MSRC).

"Windows XP, Windows Server 2003, and Windows Server 2008 are not affected," he said.

Pope said Microsoft found these vulnerabilities internally, while trying to harden and improve the security posture of the RDS package.

Remote Desktop Services (RDS) is the Windows component that allows a user to take control of a remote computer or virtual machine over a network connection. In some earlier Windows versions, RDS was known as Terminal Services.

A race to patch before attacks get underway

Just like it did with the BlueKeep flaw, Pope is advising users and companies to patch their systems as quickly as possible, to prevent exploitation.

Although BlueKeep was disclosed three months ago, no attacks had been detected at the time of writing, even though BlueKeep exploits have been created and shared around.

Nevertheless, it's better to be safe than sorry, so patching CVE-2019-1181 and CVE-2019-1182 should be at the top of every system administrator's list this week and this Patch Tuesday.

"There is partial mitigation on affected systems that have Network Level Authentication (NLA) enabled," Pope said. "The affected systems are mitigated against "wormable" malware or advanced malware threats that could exploit the vulnerability, as NLA requires authentication before the vulnerability can be triggered.

"However, affected systems are still vulnerable to Remote Code Execution (RCE) exploitation if the attacker has valid credentials that can be used to successfully authenticate," Pope said.
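As an added illustration of the mitigation points quoted above (this is not code from the article or from Microsoft), the PowerShell script below audits a single Windows host from a defender's perspective: it maps the OS version onto the affected list Pope gives, checks whether the RDP listener is enabled and whether Network Level Authentication is enforced, and compares installed hotfixes against a list of KB identifiers. The article does not name the KB numbers, so `$PlaceholderPatchKBs` is a labelled placeholder to be filled in from the Microsoft advisories for CVE-2019-1181 and CVE-2019-1182; the version-to-OS mapping in the comments is an assumption derived from the article's own list, and the script assumes PowerShell 3 or later with CIM cmdlets available.

```powershell
# Added example, not from the article: defender-side audit of one Windows host
# against the MSRC mitigation points quoted in the text (affected OS, RDP on,
# NLA enforced, fix installed).
# The article gives no KB numbers; replace this placeholder with the KB ids from
# the Microsoft advisories for CVE-2019-1181 / CVE-2019-1182 (assumption).
$PlaceholderPatchKBs = @('KB<fill-in-from-advisory>')

function Get-RdsExposureReport {
    [CmdletBinding()]
    param(
        [string[]]$RequiredKBs = $PlaceholderPatchKBs,
        [switch]$EnableNla   # opt-in remediation: enforce NLA if it is off
    )

    $os       = Get-CimInstance -ClassName Win32_OperatingSystem
    $ver      = [version]$os.Version
    $isServer = $os.ProductType -ne 1   # 1 = workstation, 2 = domain controller, 3 = server

    # Version mapping derived from the article's affected list (assumption):
    #   6.1  = Windows 7 SP1 / Server 2008 R2 SP1
    #   6.2  = Server 2012 (the client edition, Windows 8, is not in the list)
    #   6.3  = Windows 8.1 / Server 2012 R2
    #   10.0 = Windows 10 and the Windows 10-based server releases
    #   6.0 (Server 2008) and 5.x (XP / Server 2003) are listed as not affected.
    $affected = switch ("$($ver.Major).$($ver.Minor)") {
        '6.1'   { $true }
        '6.2'   { $isServer }
        '6.3'   { $true }
        '10.0'  { $true }
        default { $false }
    }

    # RDP listener state and NLA requirement, read from the Terminal Server keys
    # (the same values the System Properties > Remote dialog writes).
    $tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpKey = Join-Path $tsKey 'WinStations\RDP-Tcp'
    $rdpEnabled  = (Get-ItemProperty -Path $tsKey  -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections -eq 0
    $nlaRequired = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication  -ErrorAction SilentlyContinue).UserAuthentication -eq 1

    if ($EnableNla -and $rdpEnabled -and -not $nlaRequired) {
        # Enforce NLA on the RDP-Tcp listener through the Terminal Services WMI provider.
        Get-CimInstance -Namespace root/cimv2/TerminalServices -ClassName Win32_TSGeneralSetting `
            -Filter 'TerminalName="RDP-Tcp"' |
            Invoke-CimMethod -MethodName SetUserAuthenticationRequired `
                -Arguments @{ UserAuthenticationRequired = 1 } | Out-Null
        $nlaRequired = $true
    }

    # Installed hotfixes versus the required list.
    $installed = (Get-HotFix -ErrorAction SilentlyContinue).HotFixID
    $missing   = @($RequiredKBs | Where-Object { $_ -notin $installed })

    # Verdict follows the MSRC statement: NLA only blocks the unauthenticated
    # (wormable) path; an attacker with valid credentials can still reach the
    # bug, so only the patch closes the RCE.
    $verdict =
        if (-not $affected)        { 'not in affected list' }
        elseif ($missing.Count -eq 0) { 'patched' }
        elseif (-not $rdpEnabled)  { 'unpatched, but RDP listener disabled' }
        elseif ($nlaRequired)      { 'unpatched, NLA mitigates unauthenticated exploitation only' }
        else                       { 'unpatched, RDP exposed without NLA: patch now' }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        OSVersion      = $os.Caption
        InAffectedList = $affected
        RdpEnabled     = $rdpEnabled
        NlaRequired    = $nlaRequired
        MissingKBs     = $missing
        Verdict        = $verdict
    }
}

# Usage: run elevated on the host being audited; add -EnableNla to enforce NLA
# on hosts where it is off while the patch is being rolled out.
Get-RdsExposureReport | Format-List
```

The script reads registry values rather than relying on the GUI, so it can be pushed through a remoting session to many hosts and the resulting objects collected into one inventory. Treat a `NlaRequired` of `$true` as exactly what Pope describes, a partial mitigation that removes the unauthenticated trigger path; the only row that should be considered closed is one whose `MissingKBs` list is empty.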

Updated on August 23, 5:30am ET, to add the "DejaBlue" moniker and remove a statement that the flaws couldn't be exploited via RDP due to contrary evidence, and despite Microsoft's initial claims.
