BlueKeep-2 - all new versions of Windows are now vulnerable

The BlueKeep vulnerability (CVE-2019-0708) in the RDP protocol implementation of older Windows versions has barely stopped making noise, and it is already time to apply patches again: now all new versions of Windows are in the affected area. If we estimate the potential threat of exploiting these vulnerabilities through a direct attack from the Internet in the WannaCry manner, it is relevant for several hundred thousand hosts in the world and several tens of thousands of hosts in Russia.







Details and recommendations for protection under the cut.



The published RCE vulnerabilities in Remote Desktop Services (RDS) on Windows (CVE-2019-1181 / CVE-2019-1182), when successfully exploited, allow an unauthenticated attacker to execute code remotely on the targeted system.



To exploit the vulnerabilities, it is enough for the attacker to send a specially crafted request over RDP to the Remote Desktop service of the target system (the RDP protocol itself is not vulnerable).



It is important to note that any malware exploiting this vulnerability could potentially spread from one vulnerable computer to another, similar to the worldwide spread of the WannaCry malware in 2017. For successful exploitation it is enough to have network access to a host or server running a vulnerable version of the Windows operating system, including cases where the service is published on the network perimeter.



Affected Windows OS Versions:





Recommended:



  1. Install the necessary updates for the vulnerable Windows OS versions, starting with the nodes on the perimeter and then across the entire infrastructure, in accordance with the company's vulnerability management procedures:

    portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1181

    portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1182

  2. If an RDP service of a vulnerable OS is published on the external perimeter, consider restricting (closing) that access to remove the exposure.


At the moment there is no public information about a PoC, an exploit, or in-the-wild exploitation of these vulnerabilities, but we do not recommend delaying the patches: such tooling often appears within a matter of days.



Possible additional compensatory measures:



  1. Enable Network Level Authentication (NLA). However, vulnerable systems will still remain vulnerable to remote code execution (RCE) if the attacker has valid credentials that can be used to authenticate successfully.
  2. Temporarily disable the RDP protocol on vulnerable OS versions until the updates are installed, using alternative methods of remote access to resources.
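The following PowerShell script is an added example (not part of the original post or of any Microsoft tooling) that ties the recommendations and the compensating measures above together for a single host: it reports whether RDP is enabled, whether NLA is enforced, how many inbound Remote Desktop firewall rules are active, and which required updates are missing, then applies the NLA measure and optionally the temporary RDP shutdown. It assumes an elevated session, Windows 8 / Server 2012 or later for the `Get-NetFirewallRule` cmdlets, and a placeholder KB list (`$RequiredKBs`) that you must replace with the actual article IDs for your build from the Microsoft advisory pages linked above.

```powershell
# Added example, not from the original post: audit one host's RDP exposure
# and apply the advisory's compensating controls. Run as Administrator.
# $RequiredKBs is a PLACEHOLDER - fill it from the advisory pages for your build.

$TsKey       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpTcp      = "$TsKey\WinStations\RDP-Tcp"
$RequiredKBs = @('KBXXXXXXX')   # placeholder, replace with the real article IDs

function Get-RdpExposure {
    # fDenyTSConnections = 0 means Remote Desktop connections are allowed
    $rdpEnabled = (Get-ItemProperty -Path $TsKey -Name fDenyTSConnections).fDenyTSConnections -eq 0
    # UserAuthentication = 1 means Network Level Authentication is required
    $nlaEnabled = (Get-ItemProperty -Path $RdpTcp -Name UserAuthentication).UserAuthentication -eq 1
    # Active inbound firewall rules in the built-in "Remote Desktop" group
    $fwRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
               Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' }
    # Compare installed hotfixes against the required list
    $installed = (Get-HotFix).HotFixID
    $missing   = @($RequiredKBs | Where-Object { $installed -notcontains $_ })

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        RdpEnabled     = $rdpEnabled
        NlaEnabled     = $nlaEnabled
        InboundFwRules = @($fwRules).Count
        MissingKBs     = $missing
        Exposed        = $rdpEnabled -and ($missing.Count -gt 0)
    }
}

function Enable-RdpNla {
    # Compensating measure 1: require Network Level Authentication
    Set-ItemProperty -Path $RdpTcp -Name UserAuthentication -Value 1
}

function Disable-RdpTemporarily {
    # Compensating measure 2: turn RDP off and disable its inbound firewall
    # rules until the updates are installed
    Set-ItemProperty -Path $TsKey -Name fDenyTSConnections -Value 1
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
        Disable-NetFirewallRule
}

$state = Get-RdpExposure
$state | Format-List

if ($state.Exposed) {
    Write-Warning "RDP is enabled and required updates are missing on $($state.ComputerName)."
    if (-not $state.NlaEnabled) { Enable-RdpNla }
    # Uncomment to apply the stronger measure on hosts that cannot be patched yet:
    # Disable-RdpTemporarily
}
```

The audit part is read-only and can be run across a fleet (for example via `Invoke-Command`) to find perimeter-facing hosts first, which is the patching order the advisory recommends; the two `Set-ItemProperty` functions only change state when `Exposed` is true and are kept separate so the temporary shutdown remains an explicit decision.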


