BlueKeep Windows Remote Desktop Services RCE Vulnerability

Microsoft has released updates to fix a critical remote code execution (RCE) vulnerability, known as BlueKeep, that affects Remote Desktop Services in some versions of Windows.

Threat ID:: CC-3057
Category:: Exploit
Threat Severity:: High
Threat Vector:
Published:: 15 May 2019 12:00 AM

Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

Microsoft has released updates to fix a critical remote code execution (RCE) vulnerability, known as BlueKeep, that affects Remote Desktop Services in some versions of Windows.

Affected platforms

The following platforms are known to be affected:

Windows 7

Microsoft Windows - Versions XP to 7

Microsoft Windows Server - Versions 2003 to 2008 R2

Microsoft Windows

Microsoft Windows Server

Threat details

To exploit the vulnerability an attacker would connect to a device using Remote Desktop Protocol (RDP) and send specially crafted requests. This vulnerability could be exploited by a worm as no authentication or user interaction is required.

An attacker who successfully exploited this vulnerability could execute arbitrary code on the affected system; view, change, or delete data; or create new accounts with full user rights.

For further information:

Update 25 Jul 2019

Immunity, a cybersecurity research firm, have announced that the latest version of their CANVAS penetration testing toolkit include a BlueKeep exploitation module. This marks the first time that such a module has been made commercially available.

Threat updates

Date	Update
25 Jul 2019	Immunity, a cybersecurity research firm, have announced that the latest version of their CANVAS penetration testing toolkit include a BlueKeep exploitation module. This marks the first time that such a module has been made commercially available.

Remediation steps

Type	Step
	Users and administrators are encouraged to review the following Microsoft update advisories and apply the necessary updates. The updates address the vulnerability by correcting how Remote Desktop Services handles connection requests. Microsoft Security Advisory CVE-2019-0708 Microsoft Support Article KB4500705 Microsoft Security Response Center blog Microsoft has provided advice for administrators on alternative mitigation and workarounds. Microsoft recommends that updates are still installed as soon as possible even if any of these steps are taken: Disabling Remote Desktop Services mitigates this vulnerability. Enabling Network Level Authentication (NLA) on systems running supported editions of Windows 7, Windows Server 2008, and Windows Server 2008 R2 stops unauthenticated attackers from exploiting this vulnerability. If an attacker can authenticate to Remote Desktop Services then an exploit is still possible. If RDP is not used, then blocking TCP port 3389 at the perimeter firewall can prevent attacks that originate outside the enterprise perimeter. Systems could still be vulnerable to attacks from within the perimeter. Additionally, administrators can consider the following steps to help prevent and detect attacks using RDP: Only allow point-to-point connections from specific IP addresses where feasible. Ensure Transport Layer Security (TLS) is up-to-date. Log and monitor all RDP activity and investigate unusual behaviour. Consider only allowing RDP for authorised virtual private network (VPN) connections. Update 20 May 2019 Microsoft has released additional updates to address an issue with some of the above patches where Internet Explorer 11 and Microsoft Edge could have been prevented from accessing .gov.uk websites that do not support HTTP Strict Transport Security (HSTS). Users and administrators are encouraged to review the following Windows Knowledge Base articles and apply the relevant additional updates: KB4505050 - Internet Explorer 11 KB4505056 - Windows 10 version 1809 and Windows Server 2019 KB4505064 - Windows 10 version 1803 KB4505062 - Windows 10 version 1709 KB4505055 - Windows 10 version 1703 KB4505052 - Windows 10 version 1607 and Windows Server 2016 Update 28 May 2019 Microsoft has released updated patches via Microsoft Monitoring Agent (MMA) to address the installation issues experienced by some organisations using 3rd party anti-virus products. Users and adminstrators are encouraged to review the following guidance and apply the updates immediately: Confirm MsSenseS.exe is version 10.3720.16299.1030 Install the latest roll-up and confirm success. Push the patch out via your usual patching mechanism. Update 10 Jun 2019 Microsoft has released further information to address partial installation issues some organisations are experiencing. Check the Windows ATP build number using the following command: reg query "HKLM\Software\Microsoft\Windows Advanced Threat Protection\status\” Examine the output for the string 3346346 (please note the output may vary slightly between Window operating system versions)) as follows: ConfigurationVersion REG_SZ 3720.3346346.3327927 Reboot the affected device Apply the May 2019 update package. Reboot the affected device once more. They have also recommended restarting the "HealthService" service should the update not apply.

Type

Step

Users and administrators are encouraged to review the following Microsoft update advisories and apply the necessary updates. The updates address the vulnerability by correcting how Remote Desktop Services handles connection requests.

Microsoft has provided advice for administrators on alternative mitigation and workarounds. Microsoft recommends that updates are still installed as soon as possible even if any of these steps are taken:

Disabling Remote Desktop Services mitigates this vulnerability.
Enabling Network Level Authentication (NLA) on systems running supported editions of Windows 7, Windows Server 2008, and Windows Server 2008 R2 stops unauthenticated attackers from exploiting this vulnerability. If an attacker can authenticate to Remote Desktop Services then an exploit is still possible.
If RDP is not used, then blocking TCP port 3389 at the perimeter firewall can prevent attacks that originate outside the enterprise perimeter. Systems could still be vulnerable to attacks from within the perimeter.

Additionally, administrators can consider the following steps to help prevent and detect attacks using RDP:

Only allow point-to-point connections from specific IP addresses where feasible.
Ensure Transport Layer Security (TLS) is up-to-date.
Log and monitor all RDP activity and investigate unusual behaviour.
Consider only allowing RDP for authorised virtual private network (VPN) connections.

Update 20 May 2019

Microsoft has released additional updates to address an issue with some of the above patches where Internet Explorer 11 and Microsoft Edge could have been prevented from accessing .gov.uk websites that do not support HTTP Strict Transport Security (HSTS). Users and administrators are encouraged to review the following Windows Knowledge Base articles and apply the relevant additional updates:

KB4505050 - Internet Explorer 11
KB4505056 - Windows 10 version 1809 and Windows Server 2019
KB4505064 - Windows 10 version 1803
KB4505062 - Windows 10 version 1709
KB4505055 - Windows 10 version 1703
KB4505052 - Windows 10 version 1607 and Windows Server 2016

Update 28 May 2019

Microsoft has released updated patches via Microsoft Monitoring Agent (MMA) to address the installation issues experienced by some organisations using 3rd party anti-virus products. Users and adminstrators are encouraged to review the following guidance and apply the updates immediately:

Confirm MsSenseS.exe is version 10.3720.16299.1030
Install the latest roll-up and confirm success.
Push the patch out via your usual patching mechanism.

Update 10 Jun 2019

Microsoft has released further information to address partial installation issues some organisations are experiencing.

Check the Windows ATP build number using the following command: reg query "HKLM\Software\Microsoft\Windows Advanced Threat Protection\status\”
Examine the output for the string 3346346 (please note the output may vary slightly between Window operating system versions)) as follows: ConfigurationVersion REG_SZ 3720.3346346.3327927
Reboot the affected device
Apply the May 2019 update package.
Reboot the affected device once more.

They have also recommended restarting the "HealthService" service should the update not apply.

CVE Vulnerabilities

Status

CVE-2019-0708

Last edited: 14 February 2020 2:44 pm