On Tuesday May 14th, 2019 Microsoft released their monthly patches with two very highly rated vulnerabilities that organizations should review during their monthly patch review processes.
Microsoft released a patch to address CVE-2019-0863, which is currently being utilized in the wild to allow an attacker to elevate their access on a compromised host from a regular account to an admin user granting them full control over the system. The vulnerability was disclosed to Microsoft through PolarBear and Palo Alto Networks, but has been listed on Microsoft's website as publicly disclosed and thus should be considered a high risk within an organization.
The second noteworthy vulnerability Microsoft fixed, CVE-2019-0708, should be a focus for organizations that still have older operating systems in their environment. Microsoft took the unusual step of releasing an update for out-of-support operating systems Windows XP and Windows Server 2003, in addition to Windows 7, 2008, and 2008 R2. This particular vulnerability if exploited can be used as a worm throughout an organization, similar to that of Wannacry. Though Microsoft stated they are not currently aware of any active exploitation of this vulnerability, they are attempting to be proactive with a patch.
For CVE-2019-0863, an attacker is able to elevate their privileges to an admin level by utilizing the Windows Error Reporting (WER) service that interacts with files. Neither Microsoft, PolarBear, nor Palo Alto Networks have released much detail around this particular vulnerability in order to give users more time to patch the vulnerability before exploits appear.
CVE-2019-0708, which impacts older operating systems, is a wormable flaw that sends a specifically crafted request to the Remote Desktop Service of a system the attacker is targeting. The malicious request is completed during a pre-authentication check and therefore does not require any user interaction in order to be exploited. Microsoft has stated that systems above Windows 8.1 or 10 are vulnerable to this type of attack.
The recommended procedure for both vulnerabilities is to review them through your organization's patch process and make a decision on whether it is necessary to deploy urgently or through the standard patch window.
Qualys QID 91529 and Tenable Plugin ID detect both CVE-2019-0708 and CVE-2019-0863. At present both checks require authentication.
If you are Vulnerability Management customer with deepwatch, your vulnerability management SME will communicate with you in regards to which assets are considered vulnerable to you in your environment.
Patching is the only option for CVE-2019-0863, as there are no current workarounds for this particular vulnerability.
Organizations should ensure that they have full list of asset inventory and review the list of older operating systems and confirm they are still actively needed within the organization in order to further mitigate existing and future unpatched vulnerabilities to these assets.
Dave Farquhar, Vulnerability Management Subject Matter Expert