August, 2019 Patch Tuesday Targets Remote Desktop and Active Directory

Among the 94 vulnerabilities fixed this month by Microsoft, 29 are rated as Critical. Most importantly, the Remote Desktop Protocol (RDP) and its associated service (RDS) collect a total of 6 CVEs, which suggests renewed interest in the RDP protocol among vulnerability researchers; two of those (CVE-2019-1181 and CVE-2019-1182) are classified as wormable by Microsoft.

Additional details can be found in the Microsoft Security Update Guide.

In addition, the company released two advisories about Active Directory, ADV190014 (Critical) and ADV190023 (Important).

This month major updates cover vulnerabilities in the following components:

  • Remote Desktop Protocol / Remote Desktop Services
  • Hyper-V
  • DHCP
  • Internet Explorer, Edge & ChakraCore
  • Microsoft Office
  • Microsoft Windows kernel (RPC, GDI, WSL)
  • Jet Database Engine
  • Visual Studio
  • Windows VBScript Engine

All of the critical vulnerabilities should be patched, as they may enable a successful attacker to take over the targeted system/service with a high level of privilege, which can later be used to compromise a network further.

The vulnerabilities CVE-2019-1181 and CVE-2019-1182 turn out to be particularly nasty, as any Windows OS supporting RDP 8 or RDP 8.1 (Windows 7 through 10, including Server) is, by default, impacted. Network admins can enable Network Level Authentication (NLA) to slow down an attacker, but NLA will not provide sufficient protection to entirely mitigate these vulnerabilities.

Affected systems that have Network Level Authentication (NLA) enabled prevent “wormable” malware or advanced malware threats that could exploit the vulnerability, as NLA requires authentication before the vulnerability can be triggered. However, affected systems are still vulnerable to Remote Code Execution (RCE) exploitation if the attacker has valid credentials that can be used to successfully authenticate.

Important updates this month

Remote Desktop Services: Following up the trend started by the “BlueKeep” vulnerability reported last May, this month’s Patch Tuesday fixes CVE-2019-1181 and CVE-2019-1182: two remote code execution vulnerabilities within the Remote Desktop Services, formerly known as Terminal Services. As with BlueKeep, little information was publicly disclosed by Microsoft, which considers the vulnerabilities wormable; but unlike BlueKeep, these vulnerabilities affect all Windows versions from 7 to 10. Although NLA provides a temporary workaround (by forcing the attacker to successfully authenticate first), the only way to secure the RDP service is by patching it. An unauthenticated attacker who successfully exploits either vulnerability can execute arbitrary code on the targeted system with the highest level of user-mode privilege.
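The two paragraphs above recommend NLA as a stop-gap and patching as the real fix. The following PowerShell is an added example, not part of the Sophos post, that a Windows administrator can run on a host to audit whether RDP is enabled, whether NLA is enforced, and whether a given update is installed, and to turn NLA on where it is off. It reads the documented `Terminal Server` registry values and the `Win32_TSGeneralSetting` WMI class; the KB numbers for this month’s updates are not given on the page, so the patch check takes them as a parameter (the value shown in the usage line is a placeholder).

```powershell
# Added example (not from the Sophos advisory): audit RDP exposure on the local host.
# Requires an elevated PowerShell session. Get-RdpNlaStatus is read-only.

function Get-RdpNlaStatus {
    [CmdletBinding()]
    param()

    $tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpKey = Join-Path $tsKey 'WinStations\RDP-Tcp'

    # fDenyTSConnections = 1 means Remote Desktop is switched off entirely.
    $deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    # UserAuthentication = 1 means NLA is required (CredSSP authentication before the session is created).
    $nla  = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    # SecurityLayer: 0 = legacy RDP security, 1 = negotiate, 2 = TLS.
    $sec  = (Get-ItemProperty -Path $rdpKey -Name SecurityLayer -ErrorAction SilentlyContinue).SecurityLayer

    $advice = if ($deny -eq 1) { 'RDP disabled; still install the August 2019 updates' }
              elseif ($nla -eq 1) { 'NLA enforced (workaround only); install the August 2019 updates' }
              else { 'RDP reachable without NLA: enable NLA now and install the August 2019 updates' }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        RdpEnabled     = ($deny -ne 1)
        NlaRequired    = ($nla -eq 1)
        SecurityLayer  = $sec
        Recommendation = $advice
    }
}

function Enable-RdpNla {
    # Uses the supported WMI method rather than writing the registry directly;
    # takes effect for new connections without a reboot.
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $setting = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
                             -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    if (-not $setting) { throw 'RDP-Tcp listener not found' }
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Require Network Level Authentication for RDP')) {
        $result = $setting.SetUserAuthenticationRequired(1)
        if ($result.ReturnValue -ne 0) { throw "SetUserAuthenticationRequired failed: $($result.ReturnValue)" }
    }
}

function Test-KbInstalled {
    # $KbId must be supplied by the caller, e.g. from the Microsoft Security Update Guide.
    param([Parameter(Mandatory)][string[]] $KbId)
    foreach ($id in $KbId) {
        $hotfix = Get-HotFix -Id $id -ErrorAction SilentlyContinue
        [pscustomobject]@{ KB = $id; Installed = [bool]$hotfix; InstalledOn = $hotfix.InstalledOn }
    }
}

# Usage (placeholder KB id; replace with the update that applies to this OS build):
Get-RdpNlaStatus | Format-List
Test-KbInstalled -KbId 'KB0000000' | Format-Table -AutoSize
# Enable-RdpNla -WhatIf     # preview; drop -WhatIf to apply
```

Run `Get-RdpNlaStatus` across a fleet with `Invoke-Command` to find hosts that expose RDP without NLA; those are the ones where an unauthenticated exploit would succeed, so they should be first in the patching queue. Even with NLA on, a host stays vulnerable to any attacker holding valid credentials, which is why the status object keeps recommending the update.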

Hyper-V: An input validation issue in the VMSwitch component of Hyper-V (CVE-2019-0720) could be exploited by an attacker inside a Hyper-V guest VM to achieve remote code execution on the Hyper-V host. Although its exploitability was rated “less likely”, its impact strongly encourages applying Microsoft’s patches as soon as possible, along with the other Hyper-V related CVEs issued this month: CVE-2019-0714, CVE-2019-0717, CVE-2019-0718, CVE-2019-0715, CVE-2019-0723 and CVE-2019-0965.

Web browsers and JS engine: A total of 10 vulnerabilities affecting ChakraCore (the Edge browser JavaScript engine), Edge, and Internet Explorer were patched this month. Memory corruption vulnerabilities: ChakraCore and Internet Explorer were found vulnerable to a range of issues, from information disclosure to type confusion. By simply visiting a web page embedding an exploitation payload, a user can unwillingly allow an attacker to execute code with their level of privileges. The company’s patch addresses vulnerabilities with the following designations: CVE-2019-1131, CVE-2019-1139, CVE-2019-1140, CVE-2019-1141, CVE-2019-1195, CVE-2019-1196, CVE-2019-1197, CVE-2019-1193, CVE-2019-1192 and CVE-2019-1030.

DHCP: DHCP has been under scrutiny over the last several months, and this month is no exception, with new vulnerabilities discovered in both the Windows DHCP client and server. Despite the complexity of reliable exploitation, exploiting these vulnerabilities would result in denial of service, or potentially code execution. The CVEs assigned are the following: CVE-2019-0736, CVE-2019-1206, CVE-2019-1212, and CVE-2019-1213.

Windows Kernel: As usual, the Windows kernel was patched in several places: Elevation of Privilege (EoP) issues in various internal components such as the RPC runtime or GDI were fixed (CVE-2019-1173, CVE-2019-1174, CVE-2019-1175, CVE-2019-1177, CVE-2019-1178, CVE-2019-1179, CVE-2019-1180, CVE-2019-1184, CVE-2019-1186, CVE-2019-1159, CVE-2019-1164, CVE-2019-1227, CVE-2019-1228, CVE-2019-1143, CVE-2019-1154, CVE-2019-1158).

How is Sophos responding to these threats?

Here is a list of protections released by SophosLabs in response to this advisory, to complement any existing protection and generic exploit mitigation capabilities in our products.


N/V = Not Validated. The PoC code provided with MAPP advisories does not include active exploits and as such is not applicable to Intercept X testing. The ability of Intercept X to block an exploit depends on the actual exploit weaponization approach, which we won’t see until it’s spotted in the wild. The SAV and IPS detections developed for the PoCs do not guarantee interception of in-the-wild attacks.

Additional IPS Signatures

How long does it take to have Sophos detection in place?

We aim to add detection to critical issues based on the type and nature of the vulnerabilities as soon as possible. In many cases, existing detections will catch exploit attempts without the need for updates.

What if the vulnerability/0-day you’re looking for is not listed here?

If we haven’t released an update for a specific exploit, the most likely reason is that we did not receive the data that shows how the exploit works in the real world. As many of this month’s exploits were crafted in a lab and have not been seen in the wild, nobody has enough information (yet) about how criminals would, hypothetically, exploit any given vulnerability. If or when we receive information about real attacks, we will create new detections, as needed.

Phishers are Angling for Your Cloud Providers

Aug 19

Many companies are now outsourcing their marketing efforts to cloud-based Customer Relationship Management (CRM) providers. But when accounts at those CRM providers get hacked or phished, the results can be damaging for both the client’s brand and their customers. Here’s a look at a recent CRM-based phishing campaign that targeted customers of Fortune 500 construction equipment vendor United Rentals.

Stamford, Ct.-based United Rentals [NYSE:URI] is the world’s largest equipment rental company, with some 18,000 employees and earnings of approximately $4 billion in 2018. On August 21, multiple United Rental customers reported receiving invoice emails with booby-trapped links that led to a malware download for anyone who clicked.

While phony invoices are a common malware lure, this particular campaign sent users to a page on United Rentals’ own Web site (

A screen shot of the malicious email that spoofed United Rentals.

In a notice to customers, the company said the unauthorized messages were not sent by United Rentals. One source who had at least two employees fall for the scheme forwarded KrebsOnSecurity a response from UR’s privacy division, which blamed the incident on a third-party advertising partner.

“Based on current knowledge, we believe that an unauthorized party gained access to a vendor platform United Rentals uses in connection with designing and executing email campaigns,” the response read.

“The unauthorized party was able to send a phishing email that appears to be from United Rentals through this platform,” the reply continued. “The phishing email contained links to a purported invoice that, if clicked on, could deliver malware to the recipient’s system. While our investigation is continuing, we currently have no reason to believe that there was unauthorized access to the United Rentals systems used by customers, or to any internal United Rentals systems.”

United Rentals told KrebsOnSecurity that its investigation so far reveals no compromise of its internal systems.

“At this point, we believe this to be an email phishing incident in which an unauthorized third party used a third-party system to generate an email campaign to deliver what we believe to be a banking trojan,” said Dan Higgins, UR’s chief information officer.

United Rentals would not name the third-party marketing firm thought to be involved, but passive DNS lookups on the UR subdomain referenced in the phishing email (used by UR for marketing since 2014 and visible in the screenshot above as “”) point to Pardot, an email marketing division of cloud CRM giant Salesforce.

Companies that use cloud-based CRMs sometimes will dedicate a domain or subdomain they own specifically for use by their CRM provider, allowing the CRM to send emails that appear to come directly from the client’s own domains. However, in such setups the content that gets promoted through the client’s domain is actually hosted on the cloud CRM provider’s systems.
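The setup described above, a subdomain of the client’s own domain handed to the CRM provider by CNAME, is easy to lose track of, and a compromised vendor account then sends mail under the client’s name. The following PowerShell is an added example, not from the KrebsOnSecurity article, that takes an export of an organization’s own DNS zone and lists the subdomains whose CNAME points outside the domain, tagging known marketing platforms so each one can be checked for MFA on the vendor side. The zone records, the `example.com` names and the `tenant-placeholder` target are constructed sample data; Pardot is named only because the article names it.

```powershell
# Added example (not from the article): inventory subdomains delegated to third-party senders.

# Known SaaS sender suffixes -> provider label. Extend with the platforms your organization uses.
$KnownSaasSuffixes = @{
    'pardot.com'       = 'Salesforce Pardot (named in the article)'
    'example-esp.test' = 'hypothetical email service provider (placeholder)'
}

# Constructed sample zone export (Name, Type, Data), as a zone-file export might provide.
$SampleZone = @(
    [pscustomobject]@{ Name = 'www.example.com';      Type = 'A';     Data = '192.0.2.10' }
    [pscustomobject]@{ Name = 'go.example.com';       Type = 'CNAME'; Data = 'tenant-placeholder.pardot.com.' }
    [pscustomobject]@{ Name = 'example.com';          Type = 'MX';    Data = '10 mx.example.com.' }
    [pscustomobject]@{ Name = 'news.example.com';     Type = 'CNAME'; Data = 'track.example-esp.test.' }
    [pscustomobject]@{ Name = 'intranet.example.com'; Type = 'CNAME'; Data = 'www.example.com.' }
    [pscustomobject]@{ Name = 'old.example.com';      Type = 'CNAME'; Data = 'retired-host.unknown-vendor.test.' }
)

function Get-DelegatedSubdomains {
    param(
        [Parameter(Mandatory)] [object[]]  $Records,
        [Parameter(Mandatory)] [string]    $OwnDomain,
        [hashtable] $Providers = $KnownSaasSuffixes
    )
    $own = $OwnDomain.ToLowerInvariant()
    foreach ($r in ($Records | Where-Object Type -eq 'CNAME')) {
        $target = $r.Data.TrimEnd('.').ToLowerInvariant()
        # A CNAME that stays inside our own domain is an internal alias, not a delegation.
        if ($target -eq $own -or $target.EndsWith(".$own")) { continue }

        $provider = 'unrecognized third party (investigate)'
        foreach ($suffix in $Providers.Keys) {
            if ($target -eq $suffix -or $target.EndsWith(".$suffix")) { $provider = $Providers[$suffix]; break }
        }
        [pscustomobject]@{
            Subdomain = $r.Name
            Target    = $target
            Provider  = $provider
            Action    = 'Record owner; confirm the vendor account enforces MFA; remove if no longer used'
        }
    }
}

Get-DelegatedSubdomains -Records $SampleZone -OwnDomain 'example.com' | Format-Table -AutoSize
```

For a real zone, replace `$SampleZone` with the output of your DNS provider’s export (or `Get-DnsServerResourceRecord` on a Windows DNS server) shaped into the same three fields. Every row in the result is a name under your brand whose content and outbound mail are controlled by someone else’s login, which is exactly the trust the campaign above abused; the “unrecognized third party” rows are also the usual starting point for finding stale delegations.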

Salesforce told KrebsOnSecurity that this was not a compromise of Pardot, but of a Pardot customer account that was not using multi-factor authentication.

“UR uses a third party marketing agency that utilizes the Pardot platform,” said Salesforce spokesman Bradford Burns. “The third party marketing agency is who was compromised, not a Pardot employee.”

This attack comes on the heels of another targeted phishing campaign leveraging Pardot that was documented earlier this month by Netskope, a cloud security firm. Netskope’s Ashwin Vamshi said users of cloud CRM platforms have a high level of trust in the software because they view the data and associated links as internal, even though they are hosted in the cloud.

“A large number of enterprises provide their vendors and partners access to their CRM for uploading documents such as invoices, purchase orders, etc. (and often these happen as automated workflows),” Vamshi wrote. “The enterprise has no control over the vendor or partner device and, more importantly, over the files being uploaded from them. In many cases, vendor- or partner-uploaded files carry with them a high level of implicit trust.”

Cybercriminals increasingly are targeting cloud CRM providers because compromised accounts on these systems can be leveraged to conduct extremely targeted and convincing phishing attacks. According to the most recent stats (PDF) from the Anti-Phishing Working Group, software-as-a-service providers (including CRM and Webmail providers) were the most-targeted industry sector in the first quarter of 2019, accounting for 36 percent of all phishing attacks.

Image: APWG

Update, 2:55 p.m. ET: Added comments and responses from Salesforce.

Tags: Anti-Phishing Working Group, Ashwin Vamshi, cloud customer relationship management, CRM phishing, Netskope, Pardot, Salesforce, United Rentals


Attacking the Intel Secure Enclave

Interesting paper by Michael Schwarz, Samuel Weiser, Daniel Gruss. The upshot is that both Intel and AMD have assumed that trusted enclaves will run only trustworthy code. Of course, that’s not true. And there are no security mechanisms that can deal with malicious enclaves, because the designers couldn’t imagine that they would be necessary. The results are predictable.

The paper: “Practical Enclave Malware with Intel SGX.”

Abstract: Modern CPU architectures offer strong isolation guarantees towards user applications in the form of enclaves. For instance, Intel’s threat model for SGX assumes fully trusted enclaves, yet there is an ongoing debate on whether this threat model is realistic. In particular, it is unclear to what extent enclave malware could harm a system. In this work, we practically demonstrate the first enclave malware which fully and stealthily impersonates its host application. Together with poorly-deployed application isolation on personal computers, such malware can not only steal or encrypt documents for extortion, but also act on the user’s behalf, e.g., sending phishing emails or mounting denial-of-service attacks. Our SGX-ROP attack uses a new TSX-based memory-disclosure primitive and a write-anything-anywhere primitive to construct a code-reuse attack from within an enclave which is then inadvertently executed by the host application. With SGX-ROP, we bypass ASLR, stack canaries, and address sanitizer. We demonstrate that instead of protecting users from harm, SGX currently poses a security threat, facilitating so-called super-malware with ready-to-hit exploits. With our results, we seek to demystify the enclave malware threat and lay solid ground for future research on and defense against enclave malware.

Posted on August 30, 2019 at 6:18 AM