Microsoft Remote Desktop Services (RDP) Remote Code Execution Vulnerability – CVE-2019-0708

Introduction:

Microsoft has released fixes for a very high-risk vulnerability (CVE-2019-0708, aka BlueKeep) in this Patch Tuesday that impacts Windows XP, Windows 7, Server 2003, Server 2008, and Server 2008 R2. A critical remote code execution vulnerability exists in the Microsoft Windows systems running Remote Desktop Protocol (RDP). Upon successful exploitation an attacker can gain code execution on the vulnerable systems.
Customers running Windows 8 and Windows 10 are not affected by this vulnerability.

Vulnerability:

The vulnerability exists because RDP service component improperly processes incoming requests. Due to which, an attacker could execute arbitrary code on the targeted system.

Microsoft has also released further notification related to this vulnerability. It appears that the Remote Desktop Protocol (RDP) itself is not vulnerable. This vulnerability does not require authentication and no user interaction, which means the attacker can be exploit this vulnerability in a similar fashion as the WannaCry worm.  The malware/attack can exploit this vulnerability to propagate from recently infected systems to infect more.

We are not seeing any increased activity on RDP till now.

Mitigation:

We request organizations to apply the latest patches from Microsoft to address CVE-2019-0708. Microsoft has also released security updates for unsupported but still widely-used Windows operating systems such as XP and Windows 2003. Qualys customers can scan using QID:91534 to detect vulnerable assets and refer this blog post for further information.

Customers are also advised to disable RDP service if they are not required or block TCP port 3389 or enable Network Level Authentication (NLA) on systems running supported editions of Windows 7, Windows Server 2008, and Windows Server 2008 R2.

We are continuing to investigate this and we would keep updating the blog. Please continue to follow Qualys Threat Protect for more information on vulnerabilities.

References & Sources:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708

https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/e5989c8b-7046-e911-a98e-000d3a33a34d

https://msrc-blog.microsoft.com/2019/05/14/prevent-a-worm-by-updating-remote-desktop-services-cve-2019-0708/

https://support.microsoft.com/en-us/help/4500705/customer-guidance-for-cve-2019-0708

https://blog.qualys.com/laws-of-vulnerabilities/2019/05/15/windows-rdp-remote-code-execution-vulnerability-bluekeep-how-to-detect-and-patch

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732713(v=ws.11)

Leave a Reply

Your email address will not be published. Required fields are marked *