Critical Analysis and Mitigation of BlueKeep (CVE-2019-0708) Vulnerability in Windows Systems

  • Rescana
  • Oct 10, 2024
  • 3 min read
Executive Summary

CVE-2019-0708, commonly known as BlueKeep, is a critical remote code execution vulnerability in Microsoft's Remote Desktop Services (RDS), formerly known as Terminal Services. This vulnerability allows an unauthenticated attacker to connect to the target system using Remote Desktop Protocol (RDP) and send specially crafted requests, leading to arbitrary code execution. BlueKeep has been actively exploited in the wild, posing significant risks to various sectors, including healthcare, finance, and government institutions across multiple countries. Immediate action is required to patch affected systems and implement additional security measures to mitigate the risk of exploitation.

Technical Information

CVE-2019-0708 was published on May 14, 2019, and has a CVSS v3.1 Base Score of 9.8, categorizing it as a critical vulnerability. The vector for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating that it can be exploited over the network with low attack complexity, requires no privileges and no user interaction, and has a high impact on confidentiality, integrity, and availability. The affected systems include Windows 7, Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, and Windows XP.
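As an added worked calculation (not part of the Rescana report), the 9.8 follows from the CVSS v3.1 base-score equations applied to the metric values of the vector above: C/I/A "High" each weigh 0.56, AV:N is 0.85, AC:L is 0.77, PR:N is 0.85 (scope unchanged), and UI:N is 0.85.

$$
\begin{aligned}
\mathrm{ISS} &= 1 - (1-0.56)(1-0.56)(1-0.56) = 1 - 0.44^{3} = 0.914816 \\
\mathrm{Impact} &= 6.42 \times \mathrm{ISS} = 5.8731 \qquad (\text{scope unchanged}) \\
\mathrm{Exploitability} &= 8.22 \times 0.85 \times 0.77 \times 0.85 \times 0.85 = 3.8870 \\
\mathrm{Base} &= \mathrm{Roundup}\bigl(\min(\mathrm{Impact} + \mathrm{Exploitability},\, 10)\bigr) = \mathrm{Roundup}(9.7601) = 9.8
\end{aligned}
$$

Roundup here is the CVSS v3.1 function that rounds up to one decimal place, which is why 9.76 reports as 9.8 rather than 9.7.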

BlueKeep is a pre-authentication vulnerability, meaning it can be triggered before the attacker presents any credentials, and it requires no user interaction on the target. The vulnerability exists due to improper handling of RDP requests by Remote Desktop Services. An attacker who successfully exploits this vulnerability can execute arbitrary code on the target system, potentially leading to full system compromise. The exploit involves sending specially crafted RDP requests to the target system, which then allows the attacker to write data into the kernel, leading to arbitrary code execution.

The severity of BlueKeep is underscored by its potential for widespread disruption. The vulnerability can be used to create a wormable exploit, similar to the WannaCry ransomware attack, which could propagate itself across vulnerable systems without any user intervention. This makes it imperative for organizations to take immediate action to secure their systems.

Exploitation in the Wild

BlueKeep has been actively exploited in the wild. Notable public analyses include the Unit 42 report on the exploitation of Windows CVE-2019-0708, which detailed three ways to write data into the kernel with RDP PDUs, highlighting the severity and exploitability of this vulnerability (Unit 42 Report: https://unit42.paloaltonetworks.com/exploitation-of-windows-cve-2019-0708-bluekeep-three-ways-to-write-data-into-the-kernel-with-rdp-pdu/). Additionally, a proof-of-concept (POC) exploit for BlueKeep was published on GitHub, demonstrating the vulnerability's potential for widespread disruption (GitHub POC: https://github.com/RICSecLab/CVE-2019-0708).

APT Groups using this vulnerability

Several Advanced Persistent Threat (APT) groups have been observed exploiting BlueKeep. These groups primarily target sectors such as healthcare, finance, and government institutions across multiple countries. The exploitation by these APT groups underscores the critical nature of this vulnerability and the need for immediate remediation.

Affected Product Versions

The affected product versions include Windows 7, Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, and Windows XP. It is crucial for organizations using these systems to apply the necessary patches and implement additional security measures to mitigate the risk of exploitation.

Workaround and Mitigation

To mitigate the risk of BlueKeep exploitation, organizations should take the following steps:

Apply Patches: Microsoft has released patches for all affected systems, including end-of-life versions like Windows XP and Windows Server 2003. Ensure all systems are updated with the latest security patches.

Disable RDP: If RDP is not required, disable it to reduce the attack surface.

Network Level Authentication (NLA): Enable NLA so that the client must authenticate before an RDP session is established. This keeps the vulnerable code path out of reach of unauthenticated attackers, but it is a partial mitigation only: an attacker who holds valid credentials for the host can still reach it, so NLA complements patching rather than replacing it.

Firewall Rules: Implement firewall rules to restrict inbound RDP access (TCP port 3389 by default) to trusted IP addresses only, at the host firewall and at the network perimeter.
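The following PowerShell script is an added example, not code from the Rescana report or from Microsoft: it audits one Windows host against the four mitigation steps above and, with the -Remediate switch, applies the NLA and host-firewall changes. It assumes PowerShell 3.0 or later running elevated on the host being checked; the KB ids passed via -PatchKBs are placeholders to be replaced with the update ids listed in the Microsoft advisory for that operating system; the trusted source range is a constructed RFC 5737 example; and "Remote Desktop" is assumed to be the (English) name of the built-in inbound firewall rule group.

```powershell
<#
  Added example (not part of the report): audit and optionally remediate the
  BlueKeep mitigations on the local host. Run from an elevated prompt.
  Assumptions: PowerShell 3.0+, English firewall group name "Remote Desktop",
  -PatchKBs taken from the Microsoft advisory, -TrustedRdpSources from your
  own network design (the default below is a constructed RFC 5737 range).
#>
param(
    [string[]]$PatchKBs          = @('KB_PLACEHOLDER_FROM_MS_ADVISORY'),
    [string[]]$TrustedRdpSources = @('192.0.2.0/24'),
    [switch]$Remediate,
    [switch]$DisableRdp
)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = Join-Path $tsKey 'WinStations\RDP-Tcp'

# 1. Patch state: Get-HotFix lists installed updates by KB id.
$installed = @(Get-HotFix -ErrorAction SilentlyContinue | Select-Object -ExpandProperty HotFixID)
$patched   = @($PatchKBs | Where-Object { $installed -contains $_ }).Count -gt 0

# 2. Is RDP enabled? fDenyTSConnections = 1 means the service refuses connections.
$deny       = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
$rdpEnabled = ($deny -ne 1)

# 3. NLA: UserAuthentication = 1 requires CredSSP authentication before a session exists.
$nla        = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
$nlaEnabled = ($nla -eq 1)

# 4. Host firewall: any enabled inbound allow rule for TCP 3389 whose RemoteIP is "Any"?
#    netsh prints one "Rule Name:" block per rule; split on that header and inspect each block.
$dump   = (netsh advfirewall firewall show rule name=all dir=in | Out-String)
$blocks = $dump -split '(?m)^Rule Name:' | Select-Object -Skip 1
$openRdpRules = @(foreach ($b in $blocks) {
    $enabled  = $b -match '(?m)^Enabled:\s+Yes'
    $allow    = $b -match '(?m)^Action:\s+Allow'
    $port3389 = $b -match '(?m)^LocalPort:\s+3389\s*$'
    $anySrc   = $b -match '(?m)^RemoteIP:\s+Any'
    if ($enabled -and $allow -and $port3389 -and $anySrc) { ($b -split "`r?`n")[0].Trim() }
})
$rdpFirewallScoped = ($openRdpRules.Count -eq 0)

if ($Remediate) {
    if (-not $nlaEnabled) {
        Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1
        $nlaEnabled = $true
    }
    if (-not $rdpFirewallScoped) {
        # Turn off the broad built-in rules and allow 3389 only from the trusted sources.
        $sources = $TrustedRdpSources -join ','
        netsh advfirewall firewall set rule group="Remote Desktop" new enable=no | Out-Null
        netsh advfirewall firewall add rule name="RDP - trusted sources only" dir=in action=allow `
            protocol=TCP localport=3389 remoteip=$sources | Out-Null
        $rdpFirewallScoped = $true
    }
    if ($DisableRdp) {
        # Step 2 of the guidance: switch RDP off entirely where it is not needed.
        Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1
        $rdpEnabled = $false
    }
}

# Only the patch removes the bug; NLA and source scoping reduce exposure until it is applied.
[pscustomobject]@{
    ComputerName      = $env:COMPUTERNAME
    PatchInstalled    = $patched
    RdpEnabled        = $rdpEnabled
    NlaEnabled        = $nlaEnabled
    RdpFirewallScoped = $rdpFirewallScoped
    OpenRdpRules      = ($openRdpRules -join '; ')
    StillExposed      = ((-not $patched) -and $rdpEnabled -and (-not ($nlaEnabled -and $rdpFirewallScoped)))
}
```

Run it without switches first to get a one-object report per host (it can be fed to Export-Csv across a fleet), and only then with -Remediate. StillExposed is deliberately conservative: an unpatched host with RDP reachable is reported as exposed unless both NLA and source scoping are in place, because either control on its own still leaves a path to the vulnerable code.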

References

For further information and updates, refer to the following official advisories and reports:

NVD: CVE-2019-0708 Detail - NVD (https://nvd.nist.gov/vuln/detail/cve-2019-0708)

Microsoft Security Advisory: Customer guidance for CVE-2019-0708 (https://support.microsoft.com/en-us/topic/customer-guidance-for-cve-2019-0708-remote-desktop-services-remote-code-execution-vulnerability-may-14-2019-0624e35b-5f5d-6da7-632c-27066a79262e)

Rapid7: Microsoft CVE-2019-0708: Remote Desktop Services (https://www.rapid7.com/db/vulnerabilities/msft-cve-2019-0708/)

Wikipedia: BlueKeep - Wikipedia (https://en.wikipedia.org/wiki/BlueKeep)

Packet Storm Security: Multiple exploits and denial-of-service scripts for BlueKeep (http://packetstormsecurity.com/files/153133/Microsoft-Windows-Remote-Desktop-BlueKeep-Denial-Of-Service.html)

GitHub: Various POCs and exploit scripts (https://github.com/0xeb-bp/bluekeep, https://github.com/Apasys/Nephael-CVE-2019-0708-Exploit, https://github.com/Cyb0r9/ispy)

Rescana is here for you

At Rescana, we understand the critical nature of vulnerabilities like BlueKeep and the importance of timely and effective mitigation. Our Continuous Threat and Exposure Management (CTEM) platform helps organizations identify, assess, and remediate vulnerabilities in real time, ensuring that your systems remain secure against emerging threats. If you have any questions about this report or any other issue, please feel free to contact us at ops@rescana.com.