This dashboard gives you instant visibility into the Seven Monkeys vulnerabilities (QID 91563): Microsoft Windows Remote Desktop Services Remote Code Execution Vulnerability (RCE).
We all know how busy security professionals are and how much work we face daily in an ever-changing environment. That is where Qualys helps: quick dashboarding and views of key indicators to assist you in prioritizing your remediation work. #visualizedatanotcsvs #sevenmonkeys #AgentStackConsolidation
In the August 2019 Patch Tuesday release, Microsoft disclosed seven RDP vulnerabilities, four of which are rated Critical and three Important.
The security industry has named them the "Seven Monkeys" after the seven CVEs released. Microsoft has released patches for these vulnerabilities, and at least two of them (CVE-2019-1181 and CVE-2019-1182) are considered "wormable", putting them in the same class as BlueKeep. Of the three Important RDP vulnerabilities, one (CVE-2019-1223) is a denial of service, and the other two (CVE-2019-1224 and CVE-2019-1225) disclose memory contents. The Microsoft update addresses the vulnerabilities by correcting how Remote Desktop Services handles connection requests.
What makes the Seven Monkeys risky?
These vulnerabilities allow an unauthenticated attacker (or malware) to execute code on the vulnerable system. All of the Critical vulnerabilities exist in Remote Desktop Services (formerly known as Terminal Services) and require neither authentication nor user interaction. To exploit them, an attacker would need to send a specially crafted request to the target system's Remote Desktop Service via RDP.
How to quickly detect and remediate, all in one solution? #AgentStackConsolidation
This QID is included in signature version VULNSIGS-2.4.675-4 and requires authenticated scanning or the Qualys Cloud Agent. Cloud Agents will automatically receive this new QID as part of manifest version 2.4.675-4.
The benefits of the Qualys Cloud Agent over authenticated scanning:
The Qualys Cloud Agent brings continuous monitoring to your Vulnerability Management program. This eliminates the need to establish scanning windows, to manage credentials manually or integrate with credential vaults, and even to know where a particular asset resides. "Consolidate your security stack with the Qualys Cloud Agent!" #AgentStackConsolidation
Qualys has issued a special QID (91563) for Qualys Vulnerability Management that covers all seven CVEs across all impacted operating systems.
Dashboard Demonstration Images:
Query to create Workaround Widget:
Title: Workaround - QID:45379 - Network Level Authentication (NLA)
Query to create Mitigation Widget:
Title: VULN - CVE-2019-0708 & TERMService - NOT Running
Query: vulnerabilities.vulnerability.qid:91534 and not (services:(name:TermService and status:RUNNING) or vulnerabilities.vulnerability.qid: 45381)
Title: VULN - CVE-2019-0708 & TERMService - Running
Query: vulnerabilities.vulnerability.qid:91534 and (services:(name:TermService and status:RUNNING) or vulnerabilities.vulnerability.qid: 45381)
How to Enable Trending on the widgets:
Qualys - Training Videos:
POD - 1 - Apply Tags to Organize Your Assets
POD - 2 - Apply Tags to Organize Your Assets
POD - 3 - Apply Tags to Organize Your Assets
- Qualys Patch Management