
Bluekeep Vulnerability

Written by The Integrity360 Team | 24 May 2019 13:40:20 Z

Remote Desktop Services (RDP) Remote Code Execution Vulnerability - Update

CVE: 2019-0708

Last updated: 24/05/19

Last week Microsoft announced a vulnerability in Microsoft Remote Desktop Services (CVE-2019-0708, now known as BlueKeep). Since our initial website advisory last week, our researchers have been monitoring developments around this vulnerability.

We'd like to advise our customers of the need to address any exposure to this vulnerability as a matter of urgency.

The two key contributing factors for this high-risk vulnerability are:

  1. Wide exposure, because RDP services are often accessible over the internet to permit remote access.
  2. The vulnerability lies at the pre-authentication stage, meaning that an exploit requires neither valid credentials nor any user interaction to execute malicious code.

Since the vulnerability was disclosed as part of Microsoft's Patch Tuesday release, multiple security researchers have developed and released working code exploiting it. Initially this code only produced a "Blue Screen of Death" denial of service, but newer exploit code (see the example created by McAfee's security research team) has demonstrated the real threat of remote code execution. With this code potentially becoming publicly available, the likelihood of attempted exploitation has risen.

Raising the risk further, a number of scanners have been released which enable users to identify vulnerable systems, both within their own environment and across the internet. In line with this, our SOC team have observed a significant increase in activity on TCP port 3389, an indication of potential scanning by either security researchers or threat actors.

Our recommendations
Integrity360 recommends that clients apply the required updates released as part of Microsoft's May Patch Tuesday to all exposed systems. The update addresses the vulnerability by correcting how Remote Desktop Services handles connection requests.

Additionally, Microsoft recommends the following two mitigation actions:

  • Enable Network Level Authentication (NLA) on systems running supported editions of Windows 7, Windows Server 2008, and Windows Server 2008 R2
  • Block TCP port 3389 at the enterprise perimeter firewall
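The following PowerShell script is an added example, not part of the Integrity360 advisory or a Microsoft tool: it audits a Windows host against the two mitigations above (NLA enabled, TCP/3389 blocked) and, with the -Remediate switch, turns on NLA. It assumes it is run as Administrator, that the RDP listener uses the default name RDP-Tcp, and it treats a host-firewall block rule as a local stand-in for the perimeter firewall block.

```powershell
# Added example: report whether a host still exposes the BlueKeep pre-auth path.
# Assumptions: run elevated; default 'RDP-Tcp' listener; host firewall checked
# as a stand-in for the perimeter block the advisory recommends.
[CmdletBinding()]
param(
    [switch]$Remediate   # without this switch the script only reports
)

$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

# fDenyTSConnections = 1 means Remote Desktop is switched off entirely.
$rdpEnabled = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections -eq 0

# Network Level Authentication state, read from the TerminalServices CIM class
# (the same setting the Remote tab of System Properties toggles).
$listener = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
    -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
$nlaRequired = [bool]$listener.UserAuthenticationRequired

# Any enabled inbound block rule whose port filter lists 3389 exactly.
# (Port ranges such as '3000-4000' or 'Any' are not matched by this simple check.)
$blockRule = Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True `
    -ErrorAction SilentlyContinue |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '3389' }

# A host is still exposed when RDP is on, NLA is not required and nothing blocks 3389.
$report = [pscustomobject]@{
    ComputerName  = $env:COMPUTERNAME
    RdpEnabled    = $rdpEnabled
    NlaRequired   = $nlaRequired
    Port3389Block = [bool]$blockRule
    Exposed       = $rdpEnabled -and -not $nlaRequired -and -not $blockRule
}
$report | Format-List

if ($Remediate -and $rdpEnabled -and -not $nlaRequired) {
    # Mitigation 1 from the advisory: require NLA so that unauthenticated
    # connections never reach the vulnerable pre-authentication code path.
    $listener | Invoke-CimMethod -MethodName SetUserAuthenticationRequired `
        -Arguments @{ UserAuthenticationRequired = 1 } | Out-Null
    Write-Host 'NLA is now required on the RDP-Tcp listener.'
}
```

Run it without -Remediate across a fleet first (for example via Invoke-Command) and act on the hosts that report Exposed = True; patching remains the actual fix, and NLA only stops unauthenticated attackers from reaching the flaw.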

If you need further information or assistance in mitigating this threat please contact your Integrity360 account manager or email info@integrity360.com.

As always, Integrity360 managed service customers will be covered through our proactive security approach.