CVE-2019-0708 - error in windows 2012

When I scan a windows 2012 server (connetion broker in RD web services) I receive the error linked to this error, with value 10.
the server is patched, with the last monthly rollup and if I read the bulletin I don’t find windows 2012 as affected system.
Can it be a false positive?

Thanks a lot

Massimo

Hi Max. Sure it can. To figure this out one needs the following info:

Which NVTs found this CVE?
The name and OID is found under “Detection Method” in the Result Preview
Web-GUI > Reports > Date of the Report > Name of the vulnerability

What data found the NVT to conclude the result?
The data is found under " Detection Result" in the very same Result Preview

If this doesn’t help you determining if its a false positive, post it here, maybe the community can help.

1 Like

Hi Tino, thanks a lot for your reply.

Which NVTs found this CVE?
Sends a specially crafted request to the target systemsRemote Desktop Service via RDP and checks the response.
Microsoft Windows Remote Desktop Services ‘CVE-2019-0708’ Remote Code …OID: 1.3.6.1.4.1.25623.1.0.108611
Version used: 2019-08-08T11:55:19Z
What data found the NVT to conclude the result?
By sending a crafted request the RDP service answered with a ‘MCS Disconnect Provider Ultimatum PDU - 2.2.2.3’ response which indicates that a RCE attack can be executed.

The server is patched to last Microsoft updates. Windows 2012 is not listed in operative systems affected by the bug, but I understand that my configuration is not common (session host and connection brokker in Remote Desktop web services) and I’m not sure if it’s a false positive or not

It seems to me as if it looks for the VT as if the host is vulnerable to Bluekeep because of it’s specific setup as RD web services connection broker.
I suggest creating an override specific for this VT and host and (if not done already) add a credentials to the scan, so that the other VTs for this vulnerability can be executed with authentication to this host.

1 Like

Tino, after replying to your message, I sent an email to the Microsoft Security Center too, because I thought that the vulnerability could be true, linked to roles of session host or connection broker in RD web services.
Later I’ll try to do a new scan adding credentials, as you say, and I’ll update this case.
Thanks again

Hey Max did you manage to find out why you got the above alert ? was it indeed a false positive ?