
Bluekeep: Windows RDP Remote Code Execution Vulnerability

Reference: 
Advisory #2019-013
Version: 
2.0
Affected software: 
Windows 7
Windows 2008 & 2008 R2
Windows XP
Windows 2003
All supported versions of Windows 10, including server versions
Type: 
Remote Code Execution
CVE/CVSS: 

CVE-2019-0708, CVE-2019-1181, CVE-2019-1182, CVE-2019-1222, CVE-2019-1226 - CVSS score: 9.8

Sources

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1181
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1182
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1222
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1226

Risks

This RDP vulnerability (CVE-2019-0708) has been dubbed "BlueKeep". Proof-of-concept code is now publicly available, which increases the risk of exploitation. CERT.be recommends immediate patching.

Successful exploitation gives complete compromise of system availability, confidentiality of system data and/or system integrity. Because no authentication or user interaction is required, there is a strong possibility of compromised systems being used in a wider, self-propagating (wormable) attack similar to WannaCry in 2017.

Description

An unauthenticated attacker can remotely execute arbitrary code by sending maliciously crafted requests to the Remote Desktop Services (RDP) service of a vulnerable Windows system. The fact that Microsoft has chosen to provide patches for the unsupported Windows XP and Windows 2003 demonstrates how critical this vulnerability is and how urgently system administrators should apply the necessary patches.

Newer versions of Windows (starting from Windows 8 and Windows Server 2012) are not affected by CVE-2019-0708.

Update 14/08/2019: all versions of Microsoft Windows except Windows XP and Windows 2003 are affected by the following additional Remote Desktop Services vulnerabilities, which, like CVE-2019-0708, can be exploited without authentication:

•    CVE-2019-1181

•    CVE-2019-1182

•    CVE-2019-1222

•    CVE-2019-1226

Recommended Actions

CERT.be recommends that administrators update their Microsoft Windows systems with the latest available patches as soon as possible.

Update 14/08/2019: this also applies to the August 2019 updates for CVE-2019-1181, CVE-2019-1182, CVE-2019-1222 and CVE-2019-1226 listed under Sources.

If patching cannot be done immediately, apply the following mitigations:

  • Disable RDP if it is not used (best practice).
  • Enable Network Level Authentication (NLA) on systems running supported editions of Windows 7, Windows Server 2008 and Windows Server 2008 R2. With NLA enabled, an attacker must first authenticate with a valid account on the target system before the vulnerable code can be reached; this is a mitigation, not a fix, and does not protect against an attacker who already holds valid credentials.
  • Block TCP port 3389 at the enterprise perimeter firewall. This prevents exploitation from the Internet but provides no protection against exploitation from within the enterprise network.
  • Configure host-based firewall policies to restrict RDP connections to a limited set of IP addresses, so that only system administrators can connect.
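The following PowerShell is an added example, not part of the CERT.be advisory or Microsoft's guidance. It audits and applies the host-side mitigations above on a Windows 7 / Server 2008 R2 class system (the registry values, netsh syntax and PowerShell 2.0 compatible constructs are chosen for that reason) and then probes a host over the network to confirm that NLA is actually enforced. The subnet in $AdminSubnet and the firewall rule names are placeholders; run it from an elevated prompt.

```powershell
# Added example: RDP mitigations for the BlueKeep advisory. Assumptions:
# run as Administrator; $AdminSubnet is a placeholder for your management network.
$AdminSubnet = '10.0.0.0/24'
$TsReg  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpTcp = "$TsReg\WinStations\RDP-Tcp"

function Get-RdpState {
    # fDenyTSConnections = 1 means Remote Desktop is disabled.
    # UserAuthentication = 1 means NLA (CredSSP) is required before a session is created.
    New-Object PSObject -Property @{
        RdpEnabled  = ((Get-ItemProperty $TsReg).fDenyTSConnections -eq 0)
        NlaRequired = ((Get-ItemProperty $RdpTcp).UserAuthentication -eq 1)
        Listening   = [bool](netstat -an | Select-String ':3389\s+.*LISTENING')
    }
}

function Disable-Rdp {
    # Mitigation 1: disable RDP where it is not needed.
    Set-ItemProperty $TsReg -Name fDenyTSConnections -Value 1
    netsh advfirewall firewall set rule group="remote desktop" new enable=No | Out-Null
}

function Enable-RdpNla {
    # Mitigation 2: require NLA, so the pre-authentication RDP code path is not reachable
    # without valid credentials. SecurityLayer 2 = TLS (0 would allow legacy RDP security).
    Set-ItemProperty $RdpTcp -Name UserAuthentication -Value 1
    Set-ItemProperty $RdpTcp -Name SecurityLayer -Value 2
}

function Set-RdpSourceRestriction {
    # Mitigation 4: allow TCP/3389 only from the admin network.
    # Caveat: in Windows Firewall an explicit block rule wins over every allow rule,
    # so do NOT add a "block 3389" rule; instead disable the broad built-in allow rule
    # and rely on the profile's default inbound action (block) for everything else.
    netsh advfirewall firewall set rule group="remote desktop" new enable=No | Out-Null
    netsh advfirewall firewall delete rule name="RDP - admin subnet only" | Out-Null
    netsh advfirewall firewall add rule name="RDP - admin subnet only" dir=in action=allow `
        protocol=TCP localport=3389 remoteip=$AdminSubnet | Out-Null
}

function Test-RdpNla {
    # Network check: send an X.224 Connection Request carrying an RDP_NEG_REQ with
    # requestedProtocols = 0 (legacy standard RDP security). A server that enforces NLA
    # answers with RDP_NEG_FAILURE, failureCode 5 (HYBRID_REQUIRED_BY_SERVER).
    param([string]$ComputerName, [int]$Port = 3389)
    [byte[]]$req = 0x03,0x00,0x00,0x13,            # TPKT header, length 19
                   0x0e,0xe0,0,0,0,0,0,            # X.224 Connection Request
                   0x01,0x00,0x08,0x00, 0,0,0,0    # RDP_NEG_REQ, requestedProtocols = 0
    $client = New-Object System.Net.Sockets.TcpClient
    $client.Connect($ComputerName, $Port)
    $stream = $client.GetStream()
    $stream.ReadTimeout = 5000
    $stream.Write($req, 0, $req.Length)
    $buf = New-Object byte[] 32
    $n = $stream.Read($buf, 0, $buf.Length)
    $client.Close()
    if ($n -lt 11 -or $buf[5] -ne 0xd0) { return 'no X.224 Connection Confirm (not RDP?)' }
    if ($n -lt 19) { return 'legacy RDP only: no negotiation response, NLA NOT enforced' }
    $code = [BitConverter]::ToUInt32($buf, 15)     # selectedProtocol or failureCode
    switch ($buf[11]) {
        0x02 { "negotiation accepted (selectedProtocol=$code): NLA NOT enforced" }
        0x03 { if ($code -eq 5) { 'NLA required (HYBRID_REQUIRED_BY_SERVER)' }
               else { "negotiation failed, failureCode=$code (TLS required but NLA not enforced if 1)" } }
        default { 'unexpected response' }
    }
}

# Usage:
#   Get-RdpState                      # audit before and after
#   Enable-RdpNla; Set-RdpSourceRestriction   # or Disable-Rdp if RDP is not needed
#   Test-RdpNla -ComputerName 'rdp-host.example.internal'   # from another machine
```

Test-RdpNla only tells you whether the server refuses the legacy negotiation; it is a configuration check, not a vulnerability test, and a host that reports "NLA required" still needs the patch, because NLA only moves the vulnerable code behind a credential check.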