This month’s Patch Tuesday was overwhelming in the quantity, type and impact of vulnerabilities published. Among them are two possibly wormable vulnerabilities in Windows systems from Windows XP and Windows Server 2003 till the latest Server 2019 release. Additionally, researchers disclosed a pair of vulnerabilities that allow complete compromise of many Cisco network devices. Rounding out the list of dangerous vulnerabilities is a flaw in Citrix Workspace that allows attackers to steal data from endpoint machines running Citrix software.
Owing to the large variety and scope of the different vulnerabilities, Guardicore Labs has listed the vulnerabilities we consider critical to data centers. Where relevant, we provide possible workarounds and mitigations to protect systems for those who are unable to patch the vulnerable services at the moment.
|Vulnerability||Windows Remote Desktop Service||Cisco Routers||Windows DHCP Server||Citrix Workspace|
|Services||Windows Remote Desktop Service||IOS XE version 16, Trust Anchor module||Windows DHCP server role||Citrix Workspace app for Windows and Receiver for Windows|
|Vulnerable Software||XP, Server 2003, 7, Server 2008, Server 2008 R2||Listed in Cisco’s website||Server 2008 R2|
|Listed in Citrix’s website|
|Vector||Remote Code Execution, no user interaction||Secure-Boot bypass|
Remote Code Execution, no user interaction
|Remote Code Execution, no user interaction||Remote Code Execution|
Microsoft’s Remote Desktop Services – CVE-2019-0708
Without a doubt, the vulnerability with the biggest potential impact is a Remote Code Execution in Microsoft Windows Remote Desktop Services, better known as Terminal Services or RDP. The vulnerability resides in the pre-authentication phase, meaning that attackers do not need valid credentials to activate the vulnerability.
This flaw is “wormable” – once attackers successfully exploit this vulnerability, we could be facing another WannaCry style scenario. There are millions of vulnerable servers exposed to the internet and many more inside local networks. Because the vulnerability can be triggered prior to any authentication, there are no possible workarounds or defenses besides patching.
Given that this is a memory corruption vulnerability, it requires the attacker to engineer the victim’s heap in advance. However, as this should be done prior to authentication, we believe it will take some time before a stable exploit is conceived and published.
This vulnerability was reported to Microsoft by the UK’s National Cyber Security Centre (NCSC). The NCSC is responsible for protecting critical British industries and organizations, and it is possible the center discovered the vulnerability as part of an investigation into targeted attacks.
The list of vulnerable Windows operating systems is Windows XP, Windows Server 2003, Windows Vista, Windows 7, Windows Server 2008 and Windows Server 2008 R2.
The best response should be to patch all vulnerable machines. Microsoft has rolled out patches for all affected operating systems including those outside the official support. According to Microsoft’s advisory, activating Network Level Authentication on compatible servers will force attackers to acquire valid credentials. For more details on this feature, see Microsoft’s guide to activating Network Level Authentication.
To reduce the attack surface, defenders should limit access to Remote Desktop servers. Access from the internet should be limited to whitelisted IPs, and access to core IT servers should be limited to relevant users only. This can be easily implemented using Guardicore’s Centra.
Cisco’s Routers (or ????????????) – CVE-2019-1649, CVE-2019-1862
CVE-2019-1649, dubbed Thrangrycat, lies in the hardware design of the Trust Anchor module (TAm) – the one responsible for validating the integrity of the system’s firmware. Bypassing this mechanism, an attacker can go unnoticed while applying modifications to the system.
CVE-2019-1862 is a Remote Code Execution using command injection, found in Cisco’s IOS XE Web UI version 16.
Affecting hundreds of millions of devices, these two vulnerabilities, when chained, allow an attacker to gain full control over the Cisco hardware and through it – the entire network.
It is important to note that remote code execution vulnerabilities on Cisco appliances are not rare; over the past few years, multiple pre-authentication remote code execution flaws have been disclosed on Cisco devices. Also, the secure boot vulnerability (CVE-2019-1649) is based on a hardware flaw that will be difficult to patch.
Cisco has already published software updates for some of the vulnerable products and will publish more in the future. However, general mitigation steps may be taken regardless of the patches. These include limiting the network traffic to Cisco management interfaces so that only the relevant users – e.g. the security staff or IT team – can access them. You can do this using routing rules or with Guardicore’s Centra.
Microsoft DHCP Server – CVE-2019-0725
Microsoft’s DHCP server is a core component of many networks, which means any vulnerability in this service is critical. The vulnerability (CVE-2019-0725) is a possible remote code execution vulnerability that may allow attackers to compromise DHCP servers from any machine in the network.
Once attackers compromise a DHCP server, they can take over the addressing schema used in the network and potentially inject malicious data into the organization’s DNS servers. From there, it is typically a matter of time until attackers have full control over the network.
The vulnerability impacts Windows server versions 2008 R2, 2012, 2016 and 2019 and for all 4, Microsoft has supplied patches.
Besides patching vulnerable servers, there are no reasonable workarounds for this attack vector, as DHCP servers are required to be accessible to practically every machine in a network.
Citrix Workspace App and Receiver for Windows – CVE-2019-11634
CVE-2019-11634 is a vulnerability in Citrix’s digital workspace that gives an attacker read-write access to the client’s local drives. An attacker can generate a malicious URL and have the victim use it to establish a remote session. During this session, it takes either zero clicks or one prompt (depending on the browser) to allow the server to access the client’s files.
This is a rare attack, where loading a malicious URL is sufficient to provide attackers with full access to a victim’s PC. This situation means there exist numerous possible attack vectors, such as abusing compromised Citrix servers, or embedding malicious URLs inside infected web pages. One should highly prioritize patching for this vulnerability.
The vulnerable versions are Citrix Workspace for Windows prior to version 1904 and Receiver for Windows to LTSR 4.9 CU6 version earlier than 4.9.6001.
Citrix provides patched versions for both Workspace and LTSR in their security bulletin.
Last but not Least: Highlights from WhatsApp, Intel and Adobe
A few other vulnerabilities made the news this last week and are worth mentioning even if not strictly relevant to most data center operators.
The most notable vulnerability is CVE-2019-3568, better known as the WhatsApp call bug. This is a remote code execution bug that has been used by offensive security companies to compromise mobile phones. With an install base of over 2 billion phones, this vulnerability has the highest impact. Probably everyone reading this post should ensure their mobile phones are updated to the latest WhatsApp version.
Continuing the trend started by Meltdown and Spectre, cpu.fail is a collection of 4 new CPU design flaws in Intel processors. These vulnerabilities allow sophisticated attackers to steal sensitive information from other virtual machines running on the same host or from one browser session to another. The organizations at highest risk are those that run multi-tenant clouds. Others can handle these vulnerabilities as part of their regular patch cycles.
Adobe closes our list with yet another record-breaking amount of more than 80(!) CVEs patched in Acrobat DC, Acrobat DC reader and Flash. Organizations that use Adobe software to read PDFs should consider minimizing the attack surface of this program by running it inside a secure environment or by using non-Adobe PDF readers such as Edge or Chrome.