Bluekeep: Windows RDP Remote Code Execution Vulnerability V2
CVE-2019-0708, CVE-2019-118, CVE-2019-11821, CVE-2019-1222, CVE-2019-1226 - CVE Score: 9.8
This RDP vulnerability has been dubbed "Bluekeep". There is now a proof-of-concept code available. This increases the risk of exploitation of the vulnerability. CERT.be recommends immediate patching.
Complete compromise of system availability, confidentiality of system data, and/or system integrity, with a strong possibility of compromised systems becoming part of a wider attack vector similar to what was seen in 2017 in the case of Wannacry.
An unauthenticated attacker can remotely execute run arbitrary code via maliciously crafted input leading to exploitation of vulnerabilities in Microsoft Windows RDP service. The fact that Microsoft has chosen to provide patches for Windows 2003 and Windows XP demonstrates how critical this vulnerability is and the urgency of system administrators applying the necessary patches.
Newer versions of Windows (starting from Windows 8 and Server 2012) are not impacted.
Update 14/08/2019: All versions of Microsoft Windows except XP and 2003 are impacted for the following CVE’s:
CERT.be recommends administrators to update their Microsoft Windows systems with the latest available patches as soon as possible:
- CVE-2019-0708 for Windows 7 & Server 2008(R2): https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708
- CVE-2019-0708 for Windows XP & 2003: https://support.microsoft.com/en-us/help/4500705/customer-guidance-for-cve-2019-0708
- CVE-2019-1181 & CVE-2019-1182 for all Windows versions except XP and 2003: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1181
- CVE-2019-1222 & CVE-2019-1226 for all Windows versions except XP and 2003: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1222
If the patching cannot be done immediately, you can apply several mitigations:
- Disable RDP if not used (best practice).
- Enable Network Level Authentication (NLA) on systems running supported editions of Windows 7, Windows Server 2008, and Windows Server 2008 R2. This would require an attacker to compromise a valid system account in order to exploit these vulnerabilities.
- Blocking TCP port 3389 at the enterprise perimeter firewall will mitigate remote exploitation. (Note that this provides no mitigation for exploitation from within the enterprise network.)
- Configure host-based firewall policies to constrain RDP connections to a limited set of IP addresses to allow only system administrators to connect.