CVE-2019-1224
published 2019-08-14CVE-2019-1224: An information disclosure vulnerability exists when the Windows RDP server improperly discloses the contents of its memory. An attacker who successfully…
PriorityP182high7.5CVSS 3.1
AVNACLPRNUINSUCHINAN
ITWVulnCheck KEVRansomware
Exploited in the wild
EPSS
7.60%
93.8th percentile
An information disclosure vulnerability exists when the Windows RDP server improperly discloses the contents of its memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the system.
To exploit this vulnerability, an attacker would have to connect remotely to an affected system and run a specially crafted application.
The security update addresses the vulnerability by correcting how the Windows RDP server initializes memory.
Affected
28 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_10_version_1803 | >= 10.0.0 < publication | publication |
| microsoft | windows_10_version_1809 | >= 10.0.0 < publication | publication |
| microsoft | windows_10_version_1903_for_32-bit_systems | >= 10.0.0 < publication | publication |
| microsoft | windows_10_version_1903_for_arm64-based_systems | >= 10.0.0 < publication | publication |
| microsoft | windows_10_version_1903_for_x64-based_systems | >= 10.0.0 < publication | publication |
| microsoft | windows_10_version_1909 | >= 10.0.0 < publication | publication |
| microsoft | windows_server_2016 | — | — |
| microsoft | windows_server_2016 | — | — |
| microsoft | windows_server_2019 | >= 10.0.0 < publication | publication |
| msrc | windows_10_version_1803_for_32-bit_systems | — | — |
| msrc | windows_10_version_1803_for_arm64-based_systems | — | — |
| msrc | windows_10_version_1803_for_x64-based_systems | — | — |
| msrc | windows_10_version_1809_for_32-bit_systems | — | — |
| msrc | windows_10_version_1809_for_arm64-based_systems | — | — |
| msrc | windows_10_version_1809_for_x64-based_systems | — | — |
| msrc | windows_10_version_1903_for_32-bit_systems | — | — |
| msrc | windows_10_version_1903_for_arm64-based_systems | — | — |
| msrc | windows_10_version_1903_for_x64-based_systems | — | — |
| msrc | windows_10_version_1909_for_32-bit_systems | — | — |
| msrc | windows_10_version_1909_for_arm64-based_systems | — | — |
| msrc | windows_10_version_1909_for_x64-based_systems | — | — |
| msrc | windows_server_2019 | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Monitor for unauthenticated or anomalous RDP connections to TCP/3389, particularly from external sources, which may indicate exploitation attempts against the Windows RDP server memory disclosure vulnerability. ↗
- →Enable Network Level Authentication (NLA) and alert on RDP authentication attempts that bypass NLA, as NLA requires valid credentials before the vulnerable RDP server memory handling is reached. ↗
- →The disclosed information type is uninitialized memory — look for RDP sessions followed by rapid lateral movement or privilege escalation, consistent with using leaked memory contents to further compromise the system. ↗
- ·Exploitation is rated 'More Likely' for both latest and older software releases despite no known public exploit at time of advisory — patch priority should be treated as high. ↗
- ·Blocking TCP/3389 at the perimeter does not protect against attacks originating from inside the enterprise network. ↗
CVSS provenance
nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:P/I:N/A:N
vulncheck7.5HIGH
vendor_msrc7.5HIGH
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-4522-qq94-2q92: An information disclosure vulnerability exists when the Windows RDP server improperly discloses the contents of its memory, aka 'Remote Desktop Protoc
ghsa_unreviewed·2022-05-24·CVSS 7.5
CVE-2019-1225 [HIGH] CWE-200 GHSA-4522-qq94-2q92: An information disclosure vulnerability exists when the Windows RDP server improperly discloses the contents of its memory, aka 'Remote Desktop Protoc
An information disclosure vulnerability exists when the Windows RDP server improperly discloses the contents of its memory, aka 'Remote Desktop Protocol Server Information Disclosure Vulnerability'. This CVE ID is unique from CVE-2019-1224.
GHSA
GHSA-36vx-qm6w-f394: An information disclosure vulnerability exists when the Windows RDP server improperly discloses the contents of its memory, aka 'Remote Desktop Protoc
ghsa_unreviewed·2022-05-24·CVSS 7.5
CVE-2019-1224 [HIGH] CWE-200 GHSA-36vx-qm6w-f394: An information disclosure vulnerability exists when the Windows RDP server improperly discloses the contents of its memory, aka 'Remote Desktop Protoc
An information disclosure vulnerability exists when the Windows RDP server improperly discloses the contents of its memory, aka 'Remote Desktop Protocol Server Information Disclosure Vulnerability'. This CVE ID is unique from CVE-2019-1225.
VulnCheck
Microsoft Windows Exposure of Sensitive Information to an Unauthorized Actor
vulncheck·2019·CVSS 7.5
CVE-2019-1224 [HIGH] Microsoft Windows Exposure of Sensitive Information to an Unauthorized Actor
Microsoft Windows Exposure of Sensitive Information to an Unauthorized Actor
An information disclosure vulnerability exists when the Windows RDP server improperly discloses the contents of its memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the system.
To exploit this vulnerability, an attacker would have to connect remotely to an affected system and run a specially crafted application.
The security update addresses the vulnerability by correcting how the Windows RDP server initializes memory.
Affected: Microsoft Windows
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitati
Microsoft
Remote Desktop Protocol Server Information Disclosure Vulnerability
vendor_msrc·2019-08-13·CVSS 7.5
CVE-2019-1224 [HIGH] Remote Desktop Protocol Server Information Disclosure Vulnerability
Remote Desktop Protocol Server Information Disclosure Vulnerability
Description: An information disclosure vulnerability exists when the Windows RDP server improperly discloses the contents of its memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the system.
To exploit this vulnerability, an attacker would have to connect remotely to an affected system and run a specially crafted application.
The security update addresses the vulnerability by correcting how the Windows RDP server initializes memory.
FAQ: What type of information could be disclosed by this vulnerability?
The type of information that could be disclosed if an attacker successfully exploited this vulnerability is uninitialized memory.
Windows RDP: Windows RDP
M
No detection rules found.
No public exploits indexed.
Sentinelone
Egregor
blogs_sentinelone·2022-11-30
Egregor
How It Works The Singularity XDR Difference
Singularity Marketplace One-Click Integrations to Unlock the Power of XDR
Pricing & Packaging Comparisons and Guidance at a Glance
Purple AI Accelerate SecOps with Generative AI
Singularity Hyperautomation Easily Automate Security Processes
AI-SIEM The AI SIEM for the Autonomous SOC
Singularity Data Lake AI-Powered, Unified Data Lake
Singularity Data Lake for Log Analytics Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
Singularity Endpoint Autonomous Prevention, Detection, and Response
Singularity XDR Native & Open Protection, Detection, and Response
Singularity RemoteOps Forensics Orchestrate Forensics at Scale
Singularity
Threat Intelligence Comprehensive Adversary Intelligence
Singularity Vulnerability Management
Qualys
August 2019 Patch Tuesday – 93 Vulns, 29 Critical, 7 Remote Desktop Vulns, Hyper-V, DHCP, Adobe vulns
blogs_qualys·2019-08-13·CVSS 9.8
[CRITICAL] August 2019 Patch Tuesday – 93 Vulns, 29 Critical, 7 Remote Desktop Vulns, Hyper-V, DHCP, Adobe vulns
Update Aug 13, 2019 : Detect and Patch Windows Remote Desktop Vulnerabilities
This month’s Microsoft Patch Tuesday addresses 93 vulnerabilities with 29 of them labeled as Critical. Of the 29 Critical vulns, 10 are for scripting engines and browsers, 6 for Windows Graphics/Font Library, and 4 are for Office apps. In addition, Microsoft has patched 4 (!) Critical RCEs in Remote Desktop (plus 3 Important), 2 for Hyper-V, 2 in DHCP Client/Server, and one for LNK files. Adobe has also released a large number of patches covering multiple products.
## Workstation Patches
Scripting Engine, Browser, Office, Graphics/Font, and LNK patches should be prioritized for workstation-type devices, meaning any system that is used for email or to access the internet via a browser. This includes multi-user
Talos
Microsoft Patch Tuesday — Aug. 2019: Vulnerability disclosures and Snort coverage
blogs_talos·2019-08-13·CVSS 9.1
[CRITICAL] Microsoft Patch Tuesday — Aug. 2019: Vulnerability disclosures and Snort coverage
Microsoft released its monthly security update today, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday covers 97 vulnerabilities, 31 of which are rated “critical," 65 that are considered "important" and one "moderate."
This month’s security update covers security issues in a variety of Microsoft services and software, including certain graphics components, Outlook and the Chakra Scripting Engine. For more on our coverage of these bugs, check out our Snort advisories here, covering all of the new rules we have for this release.
### Critical vulnerabilities Microsoft disclosed 31 critical vulnerabilities this month, three of which we will highlight below.
CVE-2019-1181 and CVE-2019-1182 are both remote code execution vulnerabilities in Remote De
Tenable
Tenable Roundup for Microsoft’s August 2019 Patch Tuesday: DejaBlue
blogs_tenable·2019-08-13
Tenable Roundup for Microsoft’s August 2019 Patch Tuesday: DejaBlue
## Cloud Exposure
Tenable Cloud Security (CNAPP) Request a demo
Tenable Cloud Vulnerability Management Request a demo
Tenable CIEM Request a demo
Secure your cloud
## Vulnerability Exposure
Tenable Vulnerability Management Try for free
Tenable Security Center Request a demo
Tenable Web App Scanning Try for free
Tenable Patch Management Request a demo
Tenable Enclave Security Request a demo
Tenable Attack Surface Management Request a demo
Tenable Nessus Try for free
## AI Exposure
Tenable AI Exposure Request a demo
## OT/IoT Exposure
Tenable OT Security Request a demo
## Identity Exposure
Tenable Identity Exposure Request a demo
## Business needs
Active Directory
AI Security Posture Management (AI-SPM)
AWS security
Azure security
Cloud Security Posture Man
Qualys
Windows Remote Desktop Vulnerabilities (Seven Monkeys) – How to Detect and Patch
blogs_qualys·2019-08-13·CVSS 9.8
[CRITICAL] Windows Remote Desktop Vulnerabilities (Seven Monkeys) – How to Detect and Patch
## Table of Contents
Authenticated check:
Remediating with Qualys Patch Management:
Patch Links:
Mitigation:
Workarounds:
Resources:
In the August 2019 Patch Tuesday release, Microsoft disclosed 7 RDP Vulnerabilities, out of which 4 are labeled as critical and 3 as important. All the critical vulnerabilities exist in Remote Desktop Services – formerly known as Terminal Services – and do not require authentication or user interaction. To exploit the vulnerabilities, an attacker would need to send a specially crafted request to the target systems Remote Desktop Service via RDP.
The cyber industry has named them as Seven Monkeys pertaining to seven CVEs released. Microsoft has released patches for these vulnerabilities and at least two of these (CVE-2019-1181 & CVE-2019-1182) can be c
Talos
Microsoft Patch Tuesday — Aug. 2019: Vulnerability disclosures and Snort coverage
blogs_talos·2019-08-13·CVSS 9.8
[CRITICAL] Microsoft Patch Tuesday — Aug. 2019: Vulnerability disclosures and Snort coverage
## Microsoft Patch Tuesday — Aug. 2019: Vulnerability disclosures and Snort coverage
Microsoft released its monthly security update today, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday covers 97 vulnerabilities, 31 of which are rated “critical," 65 that are considered "important" and one "moderate."
This month’s security update covers security issues in a variety of Microsoft services and software, including certain graphics components, Outlook and the Chakra Scripting Engine. For more on our coverage of these bugs, check out our Snort advisories here , covering all of the new rules we have for this release.
## Critical vulnerabilities Microsoft disclosed 31 critical vulnerabilities this month, three of which we will highlight below.
CVE-2
Qualys
August 2019 Patch Tuesday - 93 Vulns, 29 Critical, 7 Remote Desktop Vulns, Hyper-V, DHCP, Adobe vulns | Qualys
blogs_qualys·2019-08-13·CVSS 9.8
[CRITICAL] August 2019 Patch Tuesday - 93 Vulns, 29 Critical, 7 Remote Desktop Vulns, Hyper-V, DHCP, Adobe vulns | Qualys
Update Aug 13, 2019: Detect and Patch Windows Remote Desktop Vulnerabilities
This month’s Microsoft Patch Tuesday addresses 93 vulnerabilities with 29 of them labeled as Critical. Of the 29 Critical vulns, 10 are for scripting engines and browsers, 6 for Windows Graphics/Font Library, and 4 are for Office apps. In addition, Microsoft has patched 4 (!) Critical RCEs in Remote Desktop (plus 3 Important), 2 for Hyper-V, 2 in DHCP Client/Server, and one for LNK files. Adobe has also released a large number of patches covering multiple products.
### Workstation Patches
Scripting Engine, Browser, Office, Graphics/Font, and LNK patches should be prioritized for workstation-type devices, meaning any system that is used for email or to access the internet via a browser. This includes multi-user
Qualys
Windows Remote Desktop Vulnerabilities (Seven Monkeys) – How to Detect and Patch | Qualys
blogs_qualys·2019-08-13·CVSS 9.8
[CRITICAL] Windows Remote Desktop Vulnerabilities (Seven Monkeys) – How to Detect and Patch | Qualys
#### Table of Contents
- Authenticated check:
- Remediating with Qualys Patch Management:
- Patch Links:
- Mitigation:
- Workarounds:
- Resources:
In the August 2019 Patch Tuesday release, Microsoft disclosed 7 RDP Vulnerabilities, out of which 4 are labeled as critical and 3 as important. All the critical vulnerabilities exist in Remote Desktop Services – formerly known as Terminal Services – and do not require authentication or user interaction. To exploit the vulnerabilities, an attacker would need to send a specially crafted request to the target systems Remote Desktop Service via RDP.
The cyber industry has named them as Seven Monkeys pertaining to seven CVEs released. Microsoft has released patches for these vulnerabilities and at least two of these (CVE-2019-1181 & CVE-2019-1182)
Sentinelone
Egregor
blogs_sentinelone
Egregor
# Egregor Ransomware: In-Depth Analysis, Detection, and Mitigation
## What Is Egregor Ransomware?
Egregor ransomware is part of the Sekhmet malware family that has been active since mid-September 2020. The ransomware operates by hacking into organizations, stealing sensitive user documents, encrypting data, and demanding a ransom to exchange encrypted documents. The Egregor ransomware has been used in several attacks against large organizations, including the French media company Le Monde and the Canadian government.
## What Does Egregor Ransomware Target?
Egregor ransomware targets organizations across all industries, with focus on healthcare, education, financial services, manufacturing and retail industries. Egregor is known to heavily target school districts and higher education in
Zscaler
Zscaler found Multiple Security Vulnerabilities | 08-14-2019
blogs_zscaler·CVSS 4.2
[MEDIUM] Zscaler found Multiple Security Vulnerabilities | 08-14-2019
Provide users with seamless, secure, reliable access to applications and data.
Build and run secure cloud apps, enable zero trust cloud connectivity, and protect workloads from data center to cloud.
Provide zero trust connectivity for IoT and OT devices and secure remote access to OT systems.
Provide zero trust site-to-site connectivity and reliable access to B2B apps for partners.
Industry Report
Zscaler: A Leader in the 2025 Gartner® Magic Quadrant™ for Security Service Edge (SSE)
USE CASES
INDUSTRY & MARKET SOLUTIONS
PARTNERS
TECHNOLOGY PARTNERS
Resource Center
Events & Trainings
Security Research & Services
Tools
Community & Support
CXO REVOLUTIONARIES
Amplifying the voices of real-world digital and zero trust pioneers
Discover how it began and where it’s going
Meet o
Bugzilla
CVE-2019-20800 cherokee: out-of-bounds write in cherokee_handler_cgi_add_env_pair function in handler_cgi.c
bugzilla·2020-05-25·CVSS 9.8
CVE-2019-20800 [CRITICAL] CVE-2019-20800 cherokee: out-of-bounds write in cherokee_handler_cgi_add_env_pair function in handler_cgi.c
CVE-2019-20800 cherokee: out-of-bounds write in cherokee_handler_cgi_add_env_pair function in handler_cgi.c
In Cherokee through 1.2.104, remote attackers can trigger an out-of-bounds write in cherokee_handler_cgi_add_env_pair in handler_cgi.c by sending many request headers, as demonstrated by a GET request with many "Host: 127.0.0.1" headers.
References:
https://github.com/cherokee/webserver/issues/1224
https://logicaltrust.net/blog/2019/11/cherokee.html
Discussion:
Created cherokee tracking bugs for this issue:
Affects: epel-6 [bug 1839858]
Affects: fedora-all [bug 1839857]
---
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those indi
2019-08-14
Published
Exploited in the wild