
Remote Code Execution Vulnerability Alert | Microsoft August Security Update: Multiple High-Severity Vulnerability Alerts

17 September 2019, 10:42

1. Security Advisory


On 13 August 2019, Microsoft released its August security updates, which include several exploitable Remote Desktop Services remote code execution vulnerabilities, CVE IDs CVE-2019-1181, CVE-2019-1182, CVE-2019-1222 and CVE-2019-1226, as well as CVE-2019-1224 and CVE-2019-1225, which could lead to information disclosure. Vulnerability advisories:

https://portal.msrc.microsoft.com/zh-cn/security-guidance/advisory/CVE-2019-1181

https://portal.msrc.microsoft.com/zh-cn/security-guidance/advisory/CVE-2019-1182

https://portal.msrc.microsoft.com/zh-cn/security-guidance/advisory/CVE-2019-1222

https://portal.msrc.microsoft.com/zh-cn/security-guidance/advisory/CVE-2019-1226

https://portal.msrc.microsoft.com/zh-cn/security-guidance/advisory/CVE-2019-1224

https://portal.msrc.microsoft.com/zh-cn/security-guidance/advisory/CVE-2019-1225


According to the advisories, these vulnerabilities are similar to the CVE-2019-0708 Remote Desktop Services remote code execution vulnerability published on 14 May: they require no authentication and no user interaction, and an attacker who successfully exploits them can execute arbitrary code on the target system. Applying the security updates as soon as possible is recommended.

CVE-2019-0708 vulnerability advisory:

https://portal.msrc.microsoft.com/zh-cn/security-guidance/advisory/CVE-2019-0708


The monthly security update also includes several HTTP/2 protocol stack (HTTP.sys) denial-of-service vulnerabilities, CVE IDs CVE-2019-9511, CVE-2019-9512, CVE-2019-9513 and CVE-2019-9518. Successful exploitation can cause the target system to stop responding, resulting in denial of service. Vulnerability advisories:

https://portal.msrc.microsoft.com/zh-cn/security-guidance/advisory/CVE-2019-9511

https://portal.msrc.microsoft.com/zh-cn/security-guidance/advisory/CVE-2019-9512

https://portal.msrc.microsoft.com/zh-cn/security-guidance/advisory/CVE-2019-9513

https://portal.msrc.microsoft.com/zh-cn/security-guidance/advisory/CVE-2019-9518


August release notes reference:

https://portal.msrc.microsoft.com/zh-cn/security-guidance/releasenotedetail/312890cc-3673-e911-a991-000d3a33a34d


2. Affected Versions


Systems affected by CVE-2019-1181 and CVE-2019-1182:

Windows 10 for 32-bit Systems

Windows 10 for x64-based Systems

Windows 10 Version 1607 for 32-bit Systems

Windows 10 Version 1607 for x64-based Systems

Windows 10 Version 1703 for 32-bit Systems

Windows 10 Version 1703 for x64-based Systems

Windows 10 Version 1709 for 32-bit Systems

Windows 10 Version 1709 for x64-based Systems

Windows 10 Version 1709 for ARM64-based Systems

Windows 10 Version 1803 for 32-bit Systems

Windows 10 Version 1803 for ARM64-based Systems

Windows 10 Version 1803 for x64-based Systems

Windows 10 Version 1809 for 32-bit Systems

Windows 10 Version 1809 for ARM64-based Systems

Windows 10 Version 1809 for x64-based Systems

Windows 10 Version 1903 for 32-bit Systems

Windows 10 Version 1903 for ARM64-based Systems

Windows 10 Version 1903 for x64-based Systems

Windows 7 for 32-bit Systems Service Pack 1

Windows 7 for x64-based Systems Service Pack 1

Windows 8.1 for 32-bit systems

Windows 8.1 for x64-based systems

Windows RT 8.1

Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1

Windows Server 2008 R2 for x64-based Systems Service Pack 1

Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)

Windows Server 2012

Windows Server 2012 (Server Core installation)

Windows Server 2012 R2

Windows Server 2012 R2 (Server Core installation)

Windows Server 2016

Windows Server 2016 (Server Core installation)

Windows Server 2019

Windows Server 2019 (Server Core installation)

Windows Server, version 1803 (Server Core Installation)

Windows Server, version 1903 (Server Core installation)


Systems affected by CVE-2019-1222 and CVE-2019-1226:

Windows 10 Version 1803 for 32-bit Systems

Windows 10 Version 1803 for ARM64-based Systems

Windows 10 Version 1803 for x64-based Systems

Windows 10 Version 1809 for 32-bit Systems

Windows 10 Version 1809 for ARM64-based Systems

Windows 10 Version 1809 for x64-based Systems

Windows 10 Version 1903 for 32-bit Systems

Windows 10 Version 1903 for ARM64-based Systems

Windows 10 Version 1903 for x64-based Systems

Windows Server 2019

Windows Server 2019 (Server Core installation)

Windows Server, version 1803 (Server Core Installation)

Windows Server, version 1903 (Server Core installation)


Systems affected by CVE-2019-1224 and CVE-2019-1225:

Windows 10 Version 1803 for 32-bit Systems

Windows 10 Version 1803 for ARM64-based Systems

Windows 10 Version 1803 for x64-based Systems

Windows 10 Version 1809 for 32-bit Systems

Windows 10 Version 1809 for ARM64-based Systems

Windows 10 Version 1809 for x64-based Systems

Windows 10 Version 1903 for 32-bit Systems

Windows 10 Version 1903 for ARM64-based Systems

Windows 10 Version 1903 for x64-based Systems

Windows Server 2019

Windows Server 2019 (Server Core installation)

Windows Server, version 1803 (Server Core Installation)

Windows Server, version 1903 (Server Core installation)


Systems affected by CVE-2019-9511, CVE-2019-9512, CVE-2019-9513 and CVE-2019-9518:

Windows 10 for 32-bit Systems

Windows 10 for x64-based Systems

Windows 10 Version 1607 for 32-bit Systems

Windows 10 Version 1607 for x64-based Systems

Windows 10 Version 1703 for 32-bit Systems

Windows 10 Version 1703 for x64-based Systems

Windows 10 Version 1709 for 32-bit Systems

Windows 10 Version 1709 for x64-based Systems

Windows 10 Version 1709 for ARM64-based Systems

Windows 10 Version 1803 for 32-bit Systems

Windows 10 Version 1803 for ARM64-based Systems

Windows 10 Version 1803 for x64-based Systems

Windows 10 Version 1809 for 32-bit Systems

Windows 10 Version 1809 for ARM64-based Systems

Windows 10 Version 1809 for x64-based Systems

Windows 10 Version 1903 for 32-bit Systems

Windows 10 Version 1903 for ARM64-based Systems

Windows 10 Version 1903 for x64-based Systems

Windows Server 2016

Windows Server 2016 (Server Core installation)

Windows Server 2019

Windows Server 2019 (Server Core installation)

Windows Server, version 1803 (Server Core Installation)

Windows Server, version 1903 (Server Core installation)

3. Mitigations


High risk: detailed analysis and exploit code for these vulnerabilities have not been published yet, but attackers may locate the trigger point by diffing the patch and then develop exploit code. Installing the security updates as soon as possible, or applying hardening configuration in the meantime, is recommended.


Security operations recommendations for systems with Remote Desktop Services enabled:

Enabling Network Level Authentication (NLA) is recommended, as it mitigates attack attempts: select "Allow connections only from computers running Remote Desktop with Network Level Authentication (recommended)".


If Remote Desktop must be enabled for system administration, enable the system firewall or an IP security policy to restrict source IPs, i.e. allow only designated IPs to connect;

Enable Local Security Policy (Account Policies - Password Policy): "Password must meet complexity requirements" and "Minimum password length" are recommended, as is enabling an account lockout threshold;

Consider two-factor authentication, such as a dynamic (one-time) key method;

Keep security updates current; Remote Desktop Protocol (RDP) is a kernel service, so the system must be rebooted after installing the security update for it to take effect;

Enable system logging or network security device logging to record and archive the source IPs that access this port, for early warning and analysis of intrusion attempts;

Consider deploying traffic analysis equipment at the core switch to detect password brute-force attacks against the Remote Desktop Services port (TCP 3389 by default), and promptly apply access restriction policies to attacking IPs.


For the HTTP/2 protocol stack (HTTP.sys) denial-of-service vulnerabilities, a registry value can be set as a temporary mitigation:

Under the path HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters, set the EnableHttp2Tls and EnableHttp2Cleartext values to one of the following:

Set to 0 to disable HTTP/2

Set to 1 to enable HTTP/2
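The RDP hardening items and the HTTP.sys registry mitigation above are all host settings that can be audited and applied from PowerShell. The script below is an added example written for this page, not code from the advisory or from Microsoft; it checks the NLA setting, the scope of the built-in Remote Desktop firewall rules, the two HTTP.sys registry values and the count of failed logons per source IP, and with -Apply enforces the mitigations. The management host addresses, the lockout threshold of 5 and the minimum password length of 12 are assumptions, not values from the page.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the advisory: audit a Windows host against the
# RDP and HTTP.sys mitigations listed above and, with -Apply, enforce them.
# Assumed (not from the page): the management hosts below, lockout threshold 5,
# minimum password length 12.
param(
    [switch]$Apply,
    [string[]]$ManagementHosts = @('10.0.0.10', '10.0.0.11')  # assumed admin IPs
)

$RdpKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$HttpKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'

function Get-RegDword([string]$Path, [string]$Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

# 1. Network Level Authentication: UserAuthentication = 1 is the
#    "only allow connections from computers running NLA" setting.
function Test-Nla { (Get-RegDword $RdpKey 'UserAuthentication') -eq 1 }

# 2. Firewall scope: the built-in "Remote Desktop" inbound rules should list
#    specific remote addresses rather than 'Any'.
function Get-RdpRuleScope {
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -ErrorAction SilentlyContinue |
        Get-NetFirewallAddressFilter | Select-Object -ExpandProperty RemoteAddress -Unique
}

# 3. HTTP.sys: 0 = HTTP/2 disabled (temporary DoS mitigation), 1 = enabled;
#    a missing value ($null) means the OS default, i.e. HTTP/2 enabled.
function Get-Http2State {
    [pscustomobject]@{
        EnableHttp2Tls       = Get-RegDword $HttpKey 'EnableHttp2Tls'
        EnableHttp2Cleartext = Get-RegDword $HttpKey 'EnableHttp2Cleartext'
    }
}

# 4. Brute-force indicator: failed logons (Security event 4625) grouped by
#    source IP. With NLA enforced these are recorded as network (type 3) logons.
function Get-FailedLogonsBySource([int]$Hours = 24, [int]$Threshold = 20) {
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml = [xml]$_.ToXml()
        ($xml.Event.EventData.Data | Where-Object Name -eq 'IpAddress').'#text'
    } | Where-Object { $_ -and $_ -ne '-' } |
      Group-Object | Where-Object Count -ge $Threshold |
      Sort-Object Count -Descending | Select-Object Name, Count
}

# ---- audit ----
$h = Get-Http2State
"NLA enforced              : $(Test-Nla)"
"RDP rule remote addresses : $((Get-RdpRuleScope) -join ', ')"
"HTTP/2 registry state     : Tls=$($h.EnableHttp2Tls) Cleartext=$($h.EnableHttp2Cleartext)"
"Sources with >= 20 failed logons in the last 24h:"
Get-FailedLogonsBySource | Format-Table -AutoSize

# ---- enforce ----
if ($Apply) {
    # Require NLA for every incoming RDP session.
    Set-ItemProperty -Path $RdpKey -Name 'UserAuthentication' -Value 1 -Type DWord
    # Restrict the stock RDP rules to the management hosts only.
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
        Set-NetFirewallRule -RemoteAddress $ManagementHosts
    # Account lockout threshold and minimum password length (assumed values).
    net accounts /lockoutthreshold:5 /minpwlen:12 | Out-Null
    # Make sure failed logons are audited so event 4625 is actually written.
    auditpol /set /subcategory:"Logon" /failure:enable | Out-Null
    # Temporarily disable HTTP/2 in HTTP.sys (set back to 1 once patched).
    foreach ($name in 'EnableHttp2Tls', 'EnableHttp2Cleartext') {
        Set-ItemProperty -Path $HttpKey -Name $name -Value 0 -Type DWord
    }
    Write-Warning 'Reboot required: RDP and HTTP.sys are kernel components.'
}
```

Run it without parameters to get a read-only audit, and with `-Apply -ManagementHosts 10.0.0.10,10.0.0.11` to enforce. Setting the firewall scope via the existing "Remote Desktop" rule group rather than adding a new rule keeps the change visible in the standard console and easy to revert; disabling HTTP/2 is a stop-gap that should be reversed after the August update is installed, and "Password must meet complexity requirements" still has to be set through Local Security Policy or secedit, which this script does not do.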


Threat projection: this is a remote code execution vulnerability. Given the number of systems worldwide with this service enabled and the number of ports exposed on the Internet, malicious actors may develop automated attack programs against it that, after successful exploitation, implant a backdoor and then drop cryptominers, DDoS bot trojans or other malware to achieve worm-like propagation, disrupting normal system services.


Microsoft patch update recommendation: Microsoft releases security updates on the second Tuesday of each month. Enterprises are advised to subscribe to and follow the official security update advisories, and to test and deploy patches promptly.



Reposted from the DBAPPSecurity (安恒) Emergency Response Center
