Microsoft Windows users should be aware that a number of dangerous vulnerabilities have recently been detected. There are four of them, and they appear to be very similar to the BlueKeep flaw on which we reported earlier. These bugs allow malicious actors to carry out Remote Desktop Protocol (RDP) attacks and take control of the target computers. The flaws are particularly dangerous because they allow easy access to thousands of hosts worldwide.
CVE-2019-1181: The Four BlueKeep-like Vulnerabilities Can Be Used in Global Attacks
Thousands of Microsoft Windows users are at risk of being hacked due to a new set of vulnerabilities that have just been announced. Reports indicate that they are labeled BlueKeep-like because they abuse a flaw in the Remote Desktop Protocol (RDP), which is used to carry out remote login sessions. This is particularly worrying in company networks, where the hackers can easily penetrate several hosts at once.
The attacks can be carried out using a special hacking tool that performs active RDP scanning against IP ranges. If an unpatched system is detected, the tool instantly probes the host with the vulnerabilities. No user interaction is required to exploit the flaws.
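Because the attack starts with a sweep of IP ranges for hosts that answer on the RDP port, the defender's first signal is often the sweep itself on a perimeter firewall. The following is an added example, not code from the original article: it parses a handful of constructed firewall log lines (the syslog-like format, the IP addresses and the 60-second/5-host thresholds are all assumptions made for illustration) and flags any source address that touched many distinct internal hosts on TCP/3389 within a short window, whether the firewall accepted or dropped the probe.

```python
"""Flag RDP sweeps (one source probing many hosts on TCP/3389) in firewall logs.

Added example for illustration; the log format, addresses and thresholds are
constructed assumptions, not taken from any real product or from the article.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical syslog-like format.
# 203.0.113.7 sweeps six internal hosts in a few seconds; 198.51.100.4 is a
# single user reconnecting to one host; 192.0.2.9 is unrelated HTTPS traffic.
SAMPLE_LOGS = """\
2019-08-14T10:00:01Z fw ACCEPT src=203.0.113.7 dst=10.0.0.11 dport=3389 proto=tcp
2019-08-14T10:00:02Z fw ACCEPT src=203.0.113.7 dst=10.0.0.12 dport=3389 proto=tcp
2019-08-14T10:00:02Z fw DROP src=203.0.113.7 dst=10.0.0.13 dport=3389 proto=tcp
2019-08-14T10:00:03Z fw ACCEPT src=203.0.113.7 dst=10.0.0.14 dport=3389 proto=tcp
2019-08-14T10:00:03Z fw ACCEPT src=203.0.113.7 dst=10.0.0.15 dport=3389 proto=tcp
2019-08-14T10:00:04Z fw ACCEPT src=203.0.113.7 dst=10.0.0.16 dport=3389 proto=tcp
2019-08-14T10:00:05Z fw ACCEPT src=198.51.100.4 dst=10.0.0.11 dport=3389 proto=tcp
2019-08-14T10:00:09Z fw ACCEPT src=198.51.100.4 dst=10.0.0.11 dport=3389 proto=tcp
2019-08-14T10:00:20Z fw ACCEPT src=192.0.2.9 dst=10.0.0.20 dport=443 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ (?P<action>ACCEPT|DROP) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["dport"] = int(rec["dport"])
    return rec


def find_rdp_sweeps(log_text, min_hosts=5, window=timedelta(seconds=60)):
    """Return {src: sorted distinct dst hosts} for every source that reached
    at least `min_hosts` distinct hosts on TCP/3389 inside any `window`.

    ACCEPT and DROP are both counted: the sweep is visible at the firewall
    regardless of whether the individual probe was allowed through.
    """
    events = defaultdict(list)  # src -> [(timestamp, dst), ...]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["proto"] == "tcp" and rec["dport"] == 3389:
            events[rec["src"]].append((rec["ts"], rec["dst"]))

    sweeps = {}
    for src, hits in events.items():
        hits.sort()
        best = set()
        lo = 0
        # Sliding window over the time-ordered hits; keep the largest set of
        # distinct destinations seen inside any single window.
        for hi in range(len(hits)):
            while hits[hi][0] - hits[lo][0] > window:
                lo += 1
            distinct = {dst for _, dst in hits[lo:hi + 1]}
            if len(distinct) > len(best):
                best = distinct
        if len(best) >= min_hosts:
            sweeps[src] = sorted(best)
    return sweeps


if __name__ == "__main__":
    for src, hosts in find_rdp_sweeps(SAMPLE_LOGS).items():
        print(f"possible RDP sweep from {src}: {len(hosts)} hosts {hosts}")
```

Run as a script it reports only 203.0.113.7; the legitimate user who reconnected twice to the same host stays below the distinct-host threshold, and the HTTPS line is ignored because only TCP/3389 is counted. Tune `min_hosts` and `window` to the size of the address space the firewall fronts, and feed the same logic hosts that respond on a non-default RDP port if the environment uses one.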
The worrying factor is that the vulnerabilities affect many versions of the Microsoft Windows operating system:
Windows Vista, Windows 7, Windows XP, Server 2003 and Server 2008
The four vulnerabilities that are part of this collection include the following:
- CVE-2019-1181 — A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
- CVE-2019-1182 — A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
- CVE-2019-1222 — A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
- CVE-2019-1226 — A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
At the moment there are no known impacted systems or attacks in the wild. Rather than merely making it possible to take control of the systems via a Trojan host, the BlueKeep-like vulnerabilities can be used to implant dangerous threats such as ransomware or cryptocurrency miners, among others. Microsoft has released security updates that should be applied as soon as possible to prevent any possible hacker abuse.