Microsoft Windows Remote Desktop Services Remote Code Execution Vulnerability (BlueKeep)

 

Microsoft Windows Remote Desktop Services Remote Code Execution Vulnerability (BlueKeep)

Alert Type:- Vulnerability

Severity:- High

 

Systems Affected

• Windows XP (all)
• Windows 2003 (all)
• Windows 7 for 32-bit Systems SP 1 and x64-based Systems SP 1
• Windows Server 2008 for 32-bit Systems SP 2 (Server Core installation also affected)
• Windows Server 2008 for Itanium-Based Systems SP 2
• Windows Server 2008 for x64-based Systems SP 2 (Server Core installation also affected)
• Windows Server 2008 R2 for Itanium-Based Systems SP 1
• Windows Server 2008 R2 for x64-based Systems SP 1 (Server Core installation also affected)

Overview

A vulnerability has been reported in Microsoft Windows Remote Desktop Services which could be exploited by a remote attacker to execute remote code on the targeted system.

Description

This vulnerability aka BlueKeep exists in the Microsoft Remote Desktop Services due to improper handling of connection requests. A remote unauthenticated attacker could exploit this vulnerability by sending specially crafted requests to the target systems Remote Desktop Service via RDP. This vulnerability is pre-authentication and does not require any user interaction. Hence, this vulnerability could create a worm, which could lead to propagation of any future malware exploiting this vulnerability from one computer to another (Similar to Wannacry ransomware). Successful exploitation of this vulnerability could allow the attacker to execute arbitrary code and compromise the target system completely.

Solution

Apply appropriate fix as mentioned in Microsoft Security Advisory

• https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708

Out of Support Windows OSes (Windows XP, Windows 2003): Apply appropriate patches to patch your OS (and strongly recommended to upgrade). Microsoft does not normally give patches for out-of-support OSes but made an exception because of the criticality of the vulnerability.

Vendor Information

Microsoft

• https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708
• https://support.microsoft.com/en-us/help/4500705/customer-guidance-for-cve-2019-0708

References:

Microsoft

• https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708
• https://support.microsoft.com/en-us/help/4500705/customer-guidance-for-cve-2019-0708
• https://blogs.technet.microsoft.com/msrc/2019/05/14/prevent-a-worm-by-updating-remote-desktop-services-cve-2019-0708/

Cisco

• https ://tools.cisco.com/security/center/viewAlert.x?alertId=60195

Trend Micro

• https://success.trendmicro.com/solution/000132295-SECURITY-ALERT-Remote-Code-Execution-RCE-Vulnerability-in-Microsoft-Windows-Remote-Desktop-Services-CVE20190708

Krebson Security

• https://krebson security.com/tag/cve-2019-0708/

BleepingComputer

• https://www.bleepingcomputer.com/news/security/bluekeep-remote-desktop-exploits-are-coming-patch-now/

CVE Name

• CVE-2019 -0708