Attacker Value
Very High
(7 users assessed)
Exploitability
Moderate
(7 users assessed)
User Interaction
Required
Privileges Required
Low
Attack Vector
Network
3

DejaBlue, RDP Heap Overflow

Disclosure Date: August 14, 2019
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

A remote code execution vulnerability exists in Microsoft Dynamics 365 for Finance and Operations (on-premises) version 10.0.11. An attacker who successfully exploited this vulnerability could gain remote code execution via server-side script execution on the victim server.
An authenticated attacker with privileges to import and export data could exploit this vulnerability by sending a specially crafted file to a vulnerable Dynamics server.
The security update addresses the vulnerability by correcting how Microsoft Dynamics 365 for Finance and Operations (on-premises) version 10.0.11 handles user input.

Add Assessment

4
Ratings
  • Attacker Value
    Very High
Technical Analysis

Affects every version of Windows from Windows 7 to Windows 10. A DVC, or Dynamic Virtual Channel, packet needs to be sent with a specially-crafted uncompressed field field value larger than an integer, causing an overflow, according to MalwareTech’s writeup here: https://www.malwaretech.com/2019/08/dejablue-analyzing-a-rdp-heap-overflow.html

4
Ratings
  • Attacker Value
    High
  • Exploitability
    Low
Technical Analysis

This vulnerability was discovered while researchers audited the RDP code from the previous vulnerability, Bluekeep. This vulnerability is likely going to be worse than Bluekeep, as it targets more modern operating systems. The saving grace with Dejablue, as with Bluekeep and even Eternalblue is the complexity of turning the vulnerability into a reliable exploit, as the attacker must successfully trigger the vulnerability, write to kernel memory and to user memory, then execute the code in kernel memory to locate and execute the code in user memory. Without question this is in the ability of nation states and probably even organized crime, but until a public version is released, this will be treated as a zero day by those attackers that posses it. I would be surprised to see a public version of this that works reliably across Windows kernel 10 releases for at least another six to eight weeks (October 2019).

3
Ratings
  • Attacker Value
    Very High
3
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Low
CVSS V3 Severity and Metrics
Base Score:
7.3 High
Impact Score:
5.2
Exploitability Score:
2.1
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
Low
User Interaction (UI):
Required
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
None

General Information

Vendors

  • microsoft

Products

  • dynamics 365 for finance and operations 10.0.11
Technical Analysis