A Cisco Talos researcher discovered this vulnerability. Blog by Jon Munshaw.
Cisco Talos recently discovered two issues in two implementations of Microsoft Remote Desktop Services: a denial-of-service vulnerability that affects Windows 7/Windows Server 2008 (when RDP 8.0 is enabled), Windows 8/Server 2012, and Windows 10/Server 2016, and multiple information leak vulnerabilities that affect Windows XP. Remote Desktop Services uses the Remote Desktop Protocol (RDP) to allow a user or administrator to take control of a remote machine over a network connection. The denial-of-service vulnerability exists after connection setup, at the point where a client is able to perform the license exchange. The information leak vulnerabilities exist during connection setup, where the client and the server negotiate various aspects relevant to the session. An attacker could exploit them to cause a denial of service or leak information, respectively. Microsoft disclosed these issues as part of December’s Patch Tuesday. For more on the company’s latest security updates, check out Talos’ full blog here, and our Snort coverage here.
In accordance with our coordinated disclosure policy, Cisco Talos worked with Microsoft to ensure that these issues are resolved and that an update is available for affected customers. Microsoft is providing a patch for all of the affected versions of Windows for the denial-of-service vulnerability, but has declined to provide a patch for the Windows XP vulnerability because Windows XP is out of support. It is recommended that users of Windows XP upgrade to a more recent operating system.
Vulnerability details
Microsoft Remote Desktop Services (RDP8) license negotiation denial-of-service vulnerability (TALOS-2019-0901/CVE-2019-1453)
An exploitable denial-of-service vulnerability exists in the RDP8 implementation of Microsoft's Remote Desktop Services. A certain component of license negotiation can allow a remote client to read an arbitrary amount of memory that is controlled by the client. Due to this, a client can coerce the component to either make a repeatable controlled allocation or read from memory that is unmapped, resulting in a denial-of-service condition. An attacker can negotiate capabilities and then send a particular packet type in order to trigger this vulnerability.
Read the complete vulnerability advisory here for additional information.
Microsoft Remote Desktop Services (RDP7) Windows XP multiple information leak vulnerabilities (TALOS-2019-0895/CVE-2019-1489)
Exploitable information leak vulnerabilities exist in the RDP7 implementation of Microsoft's Remote Desktop Services on Windows XP. Various aspects of the T.128 protocol, such as capability negotiation, can cause an information leak, which can provide an attacker with information about the target's address space. An attacker can trigger these vulnerabilities by simply negotiating capabilities with the target via T.128 and examining the data that is returned.
Read the complete vulnerability advisory here for additional information.
Versions tested
Talos tested and confirmed that Microsoft's Remote Desktop Services running on Windows 7 RdpCoreTS.dll, version 6.2.9200.22828, is affected by TALOS-2019-0901. TALOS-2019-0895 affects RDP on Windows XP only, running RDPWD.sys 5.1.2600.5512 and termdd.sys 5.1.2600.5512.
Coverage
The following SNORT® rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.
Snort Rules: 51649