Time to Patch: New Wormable Vulnerabilities Found in Modern Versions of Windows
Microsoft is urging all Windows users, including those on modern versions such as Windows 10, to apply its latest security update (released on August 13, 2019), because it fixes 2 wormable vulnerabilities in Remote Desktop Services.
What Is a Wormable Vulnerability?
A wormable vulnerability is a security flaw that future malicious software (malware) could exploit to spread from one vulnerable computer to the next without any user interaction: the malware replicates itself on each machine it compromises and uses that machine to reach others.
CVE-2019-1181 and CVE-2019-1182 are the 2 wormable vulnerabilities that Microsoft fixed in its latest update. Both allow an unauthenticated attacker to send a specially crafted request to a target system's Remote Desktop Services over the Remote Desktop Protocol (RDP), Microsoft's proprietary protocol for connecting to another computer over a network; no user interaction is required.
According to Microsoft, an attacker who successfully exploits either vulnerability could remotely execute malicious code on the target system and install programs; view, change, or delete data; or create new accounts with full user rights. Simon Pope, Director of Incident Response at the Microsoft Security Response Center (MSRC), said in a blog post that CVE-2019-1181 and CVE-2019-1182 are both “wormable”, which means that future malware that exploits these software flaws could propagate from vulnerable computer to vulnerable computer without user intervention.
Versions of Windows affected by CVE-2019-1181 and CVE-2019-1182 are all supported versions of Windows 10 (including the server versions), Windows 7 SP1, Windows Server 2008 R2 SP1, Windows Server 2012, Windows 8.1 and Windows Server 2012 R2. Microsoft states that Windows XP, Windows Server 2003 and Windows Server 2008 are not affected, and that RDP itself is not the flawed component.
In May 2019, Microsoft released another security update fixing CVE-2019-0708, also known as BlueKeep. While CVE-2019-1181 and CVE-2019-1182 reach into newer versions of Windows, BlueKeep affected the older ones: Windows Server 2003, Windows XP, Windows 7, Windows Server 2008 R2 and Windows Server 2008. Windows 7 and Windows Server 2008 R2 are therefore exposed to both sets of flaws.
Like CVE-2019-1181 and CVE-2019-1182, BlueKeep allows pre-authentication remote code execution via RDP and is wormable. Pope, in another blog post, said that BlueKeep is wormable “in a similar way as the WannaCry malware spread across the globe in 2017”.
WannaCry is an example of malware that exploits a wormable vulnerability. It hit unpatched systems, including out-of-support versions of Windows. On May 12, 2017, WannaCry spread like wildfire across more than 150 countries and infected hundreds of thousands of computers in less than 24 hours.
WannaCry specifically exploited a flaw in the Server Message Block (SMB) implementation (SMBv1) of the affected versions of Windows, a flaw Microsoft had already patched two months earlier in MS17-010. SMB is the standard protocol Windows uses for sharing access to files, printers and other resources on a network.
Once a computer is infected with WannaCry, the files on it are encrypted and a ransom demand for decrypting them is displayed on the screen. Having infected one computer, WannaCry then replicates itself and spreads to other reachable computers on the network.
Paying the WannaCry ransom is a futile exercise: decryption keys aren’t returned and files can’t be restored even after payment. According to researchers at McAfee, WannaCry’s decryption doesn’t work because the authors of the malware omitted the link between a payment and the victim's unique ID.
The spread of WannaCry was stopped when Marcus Hutchins, also known as MalwareTech, obtained a sample of the malware and noticed that it contacted an unregistered domain. Hutchins promptly registered the domain, effectively sinkholing the malware. Part of his job at the time, Hutchins said, was to look for unregistered or expired domains belonging to active malware and point them at his employer's sinkhole, a server designed to capture the malware’s malicious traffic and thereby prevent the malicious actors from controlling the infected computers.
According to Pope, at the time of writing there is no evidence that the latest wormable vulnerabilities, CVE-2019-1181 and CVE-2019-1182, are known to any third party. An exploit for CVE-2019-0708 (BlueKeep), meanwhile, is already commercially available.
In late July 2019, Immunity Inc., which was acquired by Cyxtera in June 2018, announced via its Twitter account that it is including a fully working BlueKeep exploit in CANVAS, the company’s penetration-testing toolkit.
“This vulnerability [BlueKeep] is known and any reasonably competent exploit writer could write an exploit for it based on publicly available information,” Chris Day, Cyxtera’s Chief Cybersecurity Officer and GM, Threat Management and Analytic, told ZDNet. “We happen to be the first commercial company to include this in our product so companies can test to see if their exposed RDP-enabled systems are actually secure against the vulnerability.” Day added that their version of BlueKeep exploit isn’t “self-propagating [worm]”.
For CVE-2019-1181, CVE-2019-1182 and BlueKeep, affected systems with Network Level Authentication (NLA) enabled are only partially protected: NLA forces the client to authenticate before the vulnerable code path can be reached, so an unauthenticated worm cannot trigger the flaw. According to Microsoft, such systems remain vulnerable to remote code execution if the attacker holds valid credentials and can authenticate. NLA is a mitigation, not a fix.
The best defense against wormable vulnerabilities, including CVE-2019-1181, CVE-2019-1182, BlueKeep and the SMB flaw exploited by WannaCry, is to apply the latest security update promptly. It is also important to stop running out-of-support operating systems, meaning those that no longer receive regular updates from the software vendor, and to avoid exposing RDP directly to the internet.
In the WannaCry outbreak, a portion of the infected machines were legacy systems that no longer received regular updates from Microsoft. In the case of BlueKeep, to prevent a repeat of the WannaCry scenario, Microsoft took the unusual step of releasing a security update for out-of-support operating systems as well.
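The following PowerShell script is an added example written for this article, not code from Microsoft or any of the researchers quoted above. It audits a single Windows host for the exposure described in the two paragraphs above: whether Remote Desktop is enabled and listening, whether NLA is enforced (the partial mitigation), and whether the updates you name are installed. It reads the documented Terminal Server registry values and the Win32_TSGeneralSetting WMI class; the KB identifiers are an assumption you must supply from Microsoft's advisory for your exact Windows build, since none are hard-coded here.

```powershell
<#
Added example (not from the original article): audit one Windows host for
exposure to the wormable RDS flaws discussed above.
Run in an elevated PowerShell session, e.g.:
  .\Test-RdpExposure.ps1 -RequiredKB 'KB<from advisory>' -EnforceNLA
#>
param(
    # KB identifiers from the Microsoft advisory for CVE-2019-1181/1182 (or
    # CVE-2019-0708) that apply to THIS host's OS build. Assumed input; not
    # hard-coded because the right KB differs per Windows version.
    [string[]]$RequiredKB = @(),
    # Turn NLA on if it is found disabled (partial mitigation only).
    [switch]$EnforceNLA
)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = Join-Path $tsKey 'WinStations\RDP-Tcp'

# 1. Is Remote Desktop enabled? fDenyTSConnections = 1 means "disabled".
$denyTS     = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
$rdpEnabled = ($denyTS -eq 0)

# 2. Is NLA enforced on the RDP-Tcp listener? UserAuthentication = 1 means the
#    client must authenticate (CredSSP) before a session is created, which is
#    what keeps an unauthenticated worm away from the vulnerable code path.
$nla        = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
$nlaEnabled = ($nla -eq 1)

# 3. Is anything actually listening on TCP 3389? (Get-NetTCPConnection exists
#    on Windows 8 / Server 2012 and later; older hosts report $false here.)
$listening = $false
if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
    $listening = [bool](Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue)
}

# 4. Which of the required updates are missing? Get-HotFix reads
#    Win32_QuickFixEngineering, so cross-check against Windows Update history
#    if a KB you know is installed does not show up.
$installed = @(Get-HotFix -ErrorAction SilentlyContinue | Select-Object -ExpandProperty HotFixID)
$missing   = @($RequiredKB | Where-Object { $installed -notcontains $_ })

# 5. Summarise. NLA changes the verdict from "unauthenticated RCE" to
#    "RCE for anyone with valid credentials"; only the patch removes the bug.
$verdict =
    if (-not $rdpEnabled)           { 'RDP disabled: not reachable via RDP' }
    elseif ($RequiredKB.Count -eq 0) { 'Unknown: no KB list supplied, patch status not checked' }
    elseif ($missing.Count -eq 0)    { 'Patched: required updates present' }
    elseif ($nlaEnabled)             { 'Unpatched, NLA enforced: exploitable with valid credentials only' }
    else                             { 'Unpatched, no NLA: exposed to unauthenticated (wormable) RCE' }

[pscustomobject]@{
    Computer    = $env:COMPUTERNAME
    OSVersion   = [System.Environment]::OSVersion.VersionString
    RDPEnabled  = $rdpEnabled
    Listening   = $listening
    NLAEnforced = $nlaEnabled
    MissingKB   = ($missing -join ', ')
    Verdict     = $verdict
} | Format-List

# Optional remediation: enable NLA through the documented WMI method.
if ($EnforceNLA -and -not $nlaEnabled) {
    $ts = Get-CimInstance -Namespace root/CIMV2/TerminalServices `
              -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    Invoke-CimMethod -InputObject $ts -MethodName SetUserAuthenticationRequired `
        -Arguments @{ UserAuthenticationRequired = 1 } | Out-Null
    Write-Host 'NLA enabled on RDP-Tcp. Apply the security update as well; NLA only blocks the unauthenticated trigger.'
}
```

Run it with Invoke-Command against a list of servers to get a fleet-wide picture of which hosts are still reachable over RDP without authentication and without the update. A host that reports "Patched" no longer needs NLA for these particular CVEs, but leaving NLA enforced costs nothing and protects against the next pre-authentication RDS bug.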
Our expert team can help you with this critical patching and provide ongoing support so that you can focus on growing your business.
Contact us today at email@example.com or call (416) 920-3000