In the May 2019 Patch Tuesday release, Microsoft disclosed a remote code execution vulnerability (CVE-2019-0708) exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability only exists in older Windows operating systems (Windows XP, Vista, 7, Server 2003, Server 2008, Server 2008R2). An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
The cyber industry has named this vulnerability BlueKeep. Microsoft has released patches for this vulnerability but has also warned that the BlueKeep flaw is “wormable”, similar to EternalBlue’s exploit of the Microsoft SMB protocol vulnerability (CVE-2017-0144), meaning that malware can use this vulnerability to spread from system to system by itself without a controller or user intervention.
| Vulnerability Type | Remote Desktop Services Remote Code Execution Vulnerability |
| Vulnerability Affects | Microsoft Windows 7 for 32-bit Systems SP1 Microsoft Windows 7 for x64-based Systems SP1 Microsoft Windows Server 2008 R2 for Itanium-based Systems SP1 Microsoft Windows Server 2008 R2 for x64-based Systems SP1 Microsoft Windows Server 2008 for 32-bit Systems SP2 Microsoft Windows Server 2008 for Itanium-based Systems SP2 Microsoft Windows Server 2008 for x64-based Systems SP2 |
| Details | A remote code execution vulnerability exists in Remote Desktop Services when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. |
PATCH:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708
MITIGATION?
The following mitigation may be helpful in your situation. In all cases, Microsoft strongly recommends that you install the updates for this vulnerability as soon as possible even if you plan to leave Remote Desktop Services disabled:
Disable Remote Desktop Services if they are not required. If you no longer need these services on your system, consider disabling them as a security best practice. Disabling unused and unneeded services helps reduce your exposure to security vulnerabilities.
WORKAROUNDS?
The following workarounds may be helpful in your situation. In all cases, Microsoft strongly recommends that you install the updates for this vulnerability as soon as possible even if you plan to leave these workarounds in place:
- Enable Network Level Authentication (NLA) on systems running supported editions of Windows 7, Windows Server 2008, and Windows Server 2008 R2. You can enable Network Level Authentication to block unauthenticated attackers from exploiting this vulnerability. With NLA turned on, an attacker would first need to authenticate to Remote Desktop Services using a valid account on the target system before the attacker could exploit the vulnerability.
#vulnerability #bluekeep #explained #microsoft