BlueKeep (CVE-2019-0708): From Rumor to Reality

Sep 6, 2019

Microsoft Windows Remote Desktop Protocol (RDP) is a built-in service that facilitates logging into the Windows GUI of another computer over the network, by default on TCP port 3389.

On 14 May 2019, the public's attention was drawn toward patching the dangerous use-after-free remote code execution RDP vulnerability known as BlueKeep (CVE-2019-0708)[1]. On 21 May 2019, RiskSense released the first open-source scanner for the vulnerability[2], allowing system administrators to easily assess their networks. On 01 June 2019, RiskSense created a working BlueKeep exploit. On 31 July 2019, RiskSense transferred its knowledge of the exploit's details to Rapid7's Metasploit team. Today, 06 September 2019, the Metasploit team announced the public release of the exploit module[3].

BlueKeep is a wormable vulnerability, meaning an exploit can spread from machine to machine without human involvement and infect the hundreds of thousands of machines currently unpatched on the open internet. Microsoft considers BlueKeep trivial to exploit, aided by the wealth of knowledge on Windows exploitation that has been published in recent years. The number of vulnerable machines on internal networks, behind router NAT, is possibly in the millions. These Windows updates are so important that even end-of-life versions of the operating system, such as XP and Vista, received emergency patches.

The typical features of a successful wormable exploit are decent reliability, no user interaction, and a target network service that is enabled by default. Many remote code execution (RCE) vulnerabilities fail one or more of these criteria and so are not wormable. Famous worms of the past include Code Red targeting IIS with MS01-033[4], SQL Slammer targeting SQL Server with MS02-039[5], Conficker targeting SMB with MS08-067[6], and WannaCry/NotPetya targeting SMB with MS17-010[7].

Because of the ease of exploitation and the prevalence of exposed RDP, system administrators must actively review both their internal and their external network assets for the BlueKeep vulnerability.

[1] https://en.wikipedia.org/wiki/BlueKeep
[2] https://github.com/zerosum0x0/CVE-2019-0708
[3] https://blog.rapid7.com/2019/09/06/initial-metasploit-exploit-module-for-bluekeep-cve-2019-0708/amp/?__twitter_impression=true
[4] https://en.wikipedia.org/wiki/Code_Red_(computer_worm)
[5] https://en.wikipedia.org/wiki/SQL_Slammer
[6] https://en.wikipedia.org/wiki/Conficker
[7] https://en.wikipedia.org/wiki/WannaCry_ransomware_attack