
Tenable Roundup for Microsoft’s August 2019 Patch Tuesday: DejaBlue

Microsoft’s August 2019 Security Updates, released on August 13, address over 90 vulnerabilities, 29 of which are critical.

Microsoft’s August 2019 Patch Tuesday release contains updates for 93 CVEs, 29 of which are rated Critical. This month brings patches for the usual suspects, namely the various flavors of Microsoft Windows, Office products, the IE and Edge browsers, and Microsoft Dynamics, to name a few. As always, we recommend administrators take immediate action and ensure patches are applied across the organization. In cases where immediate patching is not an option, mitigation steps should be followed as per Microsoft’s recommendations. While none of the CVEs this month appears to be exploited in the wild yet, several are likely to be exploited. Here, we break down and highlight a few of the most important CVEs from this month’s release.

CVE-2019-1181 & CVE-2019-1182 & CVE-2019-1222 & CVE-2019-1226 | Remote Desktop Services Remote Code Execution Vulnerability

Coming mere months after the May release of CVE-2019-0708 (BlueKeep), Microsoft released patches for four critical remote code execution vulnerabilities in Remote Desktop Services, dubbed DejaBlue by researcher Michael Norris. Exploitation requires little more than sending a specially crafted request to a targeted system’s Remote Desktop Service via RDP. The vulnerabilities can be exploited pre-authentication and require no user interaction, making these bugs incredibly dangerous. Successful exploitation would allow an attacker to execute arbitrary code on a targeted host. For CVE-2019-1181 and CVE-2019-1182, Microsoft offers mitigation options similar to those offered around BlueKeep: enable Network Level Authentication (NLA) and block TCP port 3389 at the perimeter firewall (assuming the default port is in use on your hosts). While Microsoft notes these have not been exploited, it’s very likely that a Proof of Concept (PoC) will surface in the near future.

Additionally, three related CVEs were patched affecting Windows Remote Desktop Protocol. CVE-2019-1223 is a Denial of Service (DoS) vulnerability, while CVE-2019-1224 and CVE-2019-1225 are both information disclosure vulnerabilities. While Microsoft only rates these three vulnerabilities as important, it’s encouraging to see so much focus around RDP in the wake of BlueKeep and improving the security of a crucial component in Windows.
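The following PowerShell is an added example, not part of Tenable’s post, that audits the DejaBlue mitigations described above on a single Windows host: whether RDP is enabled, whether NLA is enforced, which port the listener uses, and which host-firewall rules allow that port inbound. It reads the standard Terminal Services registry values; the KB list is a placeholder, since the post does not name the update IDs, and the firewall check covers the local Windows firewall only, not the perimeter firewall Microsoft’s guidance refers to.

```powershell
# Added example (not from the Tenable post): audit DejaBlue mitigations on this host.
# Registry locations are the standard Terminal Services settings; the KB list is a
# placeholder to replace with the August 2019 cumulative update IDs for your OS build.
$rdpKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcpKey = "$rdpKey\WinStations\RDP-Tcp"

# fDenyTSConnections = 0 means RDP connections are allowed on this host.
$rdpEnabled = (Get-ItemProperty -Path $rdpKey -Name fDenyTSConnections).fDenyTSConnections -eq 0
# UserAuthentication = 1 means Network Level Authentication is required before a session is created.
$nlaEnabled = (Get-ItemProperty -Path $rdpTcpKey -Name UserAuthentication).UserAuthentication -eq 1
# PortNumber is the RDP listener port (3389 by default; non-default ports still need the patch).
$rdpPort    = (Get-ItemProperty -Path $rdpTcpKey -Name PortNumber).PortNumber

# Placeholder: fill in the KB numbers from the August 2019 security update for this OS.
$requiredKBs  = @('KB<AUGUST-2019-CUMULATIVE-UPDATE>')
$installedKBs = Get-HotFix | Select-Object -ExpandProperty HotFixID
$missingKBs   = $requiredKBs | Where-Object { $installedKBs -notcontains $_ }

# Enabled inbound host-firewall rules that allow the RDP listener port.
$rdpRules = Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq "$rdpPort" } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' }

[pscustomobject]@{
    ComputerName         = $env:COMPUTERNAME
    RdpEnabled           = $rdpEnabled
    NlaEnabled           = $nlaEnabled
    RdpPort              = $rdpPort
    InboundRdpAllowRules = ($rdpRules | Select-Object -ExpandProperty DisplayName) -join '; '
    MissingUpdates       = ($missingKBs -join ', ')
} | Format-List

# Remediation for hosts that expose RDP without NLA (requires an elevated session).
# Uncomment once the report above has been reviewed.
# if ($rdpEnabled -and -not $nlaEnabled) {
#     Set-ItemProperty -Path $rdpTcpKey -Name UserAuthentication -Value 1
# }
```

Run it under an account that can read HKLM and query the firewall; a host reporting RdpEnabled true, NlaEnabled false and a non-empty MissingUpdates list is the case the post’s mitigation advice targets.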

CVE-2019-0736 | Windows DHCP Client Remote Code Execution Vulnerability

A memory corruption vulnerability exists in the Windows DHCP client. A remote, unauthenticated attacker could send a malicious DHCP response to a vulnerable machine, resulting in code execution on the target with SYSTEM permissions. DHCP also saw an update for CVE-2019-1213, a memory corruption vulnerability in Windows Server DHCP that could lead to remote code execution, along with two Denial of Service vulnerabilities, CVE-2019-1206 and CVE-2019-1212.

CVE-2019-1162 | Windows ALPC Elevation of Privilege Vulnerability

An elevation of privilege vulnerability exists in the Windows operating system’s Advanced Local Procedure Call (ALPC) facility. If an attacker has gained login access to a vulnerable host via some other means, that attacker could then execute malicious code that runs with SYSTEM permissions, rather than being restricted by the current user’s session permissions. CVE-2019-1162 is credited to Tavis Ormandy of Google Project Zero, who today published details of the work behind finding the flaw. In addition to the research, Tavis also released a tool to ease finding these flaws, and we expect to see more on this front in future months.

CVE-2019-1201 & CVE-2019-1205 | Microsoft Word Remote Code Execution Vulnerability

A remote code execution vulnerability exists in Microsoft Word. A specially crafted file could perform actions and run commands as the current user. Successful exploitation would require social engineering to get the target user to execute a malicious file, either by sending that file to the targeted user or by hosting the malicious file on a website with which the target user interacts. In either case, the end user must still open the malicious Word file for the exploit to execute. An interesting detail found in the advisories: the Microsoft Outlook Preview Pane is an attack vector for these vulnerabilities. A related CVE, CVE-2019-1200 in Microsoft Outlook, could also lead to remote code execution by enticing a user to open a specially crafted file.

CVE-2019-0965 | Windows Hyper-V Remote Code Execution Vulnerability

A remote code execution vulnerability exists when Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system. While exploitation does require the attacker to be able to execute a crafted application on a guest operating system, this highlights the dangers of insider threats. While exploitation is less likely in this scenario, Microsoft still rates the severity as Critical, since arbitrary code could be executed on the host operating system.

Tenable Solutions

Users can create scans that focus specifically on our Patch Tuesday plugins. From a new advanced scan, in the Plugins tab, set an advanced filter for “Plugin Name” “Contains” “August 2019”.

Microsoft August 2019 Patch Tuesday Tenable plugins

With that filter set, click on the plugin families to the left, and enable each plugin that appears on the right side. Note that if a family on the left says Enabled, then all of the plugins in that family are selected. Disable the whole family before selecting the individual plugins for this scan. Here’s an example from Tenable.io:

Microsoft August 2019 Patch Tuesday update Tenable plugins

A list of all of the plugins released for Tenable’s August 2019 Patch Tuesday update can be found here.
