BlueKeep, the Microsoft RDP vulnerability — What we know so far

Ioana Daniela Rijnetu
Published in Pentest-Tools.com
Jul 29, 2019

BlueKeep is a critical security flaw in Microsoft Remote Desktop Services that has been making headlines for the past two months. In this article, we explore the key facts about this vulnerability.

The first thing to know about BlueKeep is that it “is wormable and any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer”, said the Microsoft Security Response Center. This means that it could easily cause widespread infection with no user interaction required.

As a consequence, BlueKeep has the potential to pose a threat similar to the WannaCry ransomware, one of the biggest cyberattacks to date, which spread rapidly and infected more than 300,000 computers worldwide.


Key facts: Here’s what happened

To better understand the evolution of this vulnerability and its real impact, we’ve put together all the essential and relevant facts (and data) we know about BlueKeep.

First days of May — The vulnerability was initially reported to Microsoft by the UK’s National Cyber Security Centre (NCSC).

May 14, 2019 — Shortly after this, Microsoft disclosed it (crediting the National Cyber Security Centre) and released an emergency patch for BlueKeep, the critical Remote Code Execution vulnerability officially known as CVE-2019-0708.

May 17, 2019 — A few days later, in a weekly threat report, the UK’s National Cyber Security Centre urged both organizations and individuals to apply Microsoft’s security patches immediately to avoid being compromised.

May 23, 2019 — Two security researchers released an unauthenticated Proof-of-Concept scanner for BlueKeep that can detect whether a host is vulnerable to the Microsoft Windows Remote Desktop Services flaw. For more in-depth technical details, and how to avoid a Denial-of-Service (DoS) attack, you can read the full article.

May 28, 2019 — Security researchers from Errata Security used an internal scanning tool that looks for port 3389, the one used by RDP for remote access. They discovered around 950,000 machines exposed on the Internet that are vulnerable to this bug.

According to the Internet Storm Center (ISC), a program run by the SANS Institute that monitors the level of malicious activity on the Internet, no big increase in port 3389/TCP scanning was observed. However, ISC pointed out: “This port is scanned rather heavily even without a new vulnerability drawing attention to it”.

Using an online port scanner helps you easily discover which network services are exposed to the Internet and get an overview of your network attack surface, including open TCP ports and services.
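Knowing that port 3389 is open is only the first step; the mitigation Microsoft recommended alongside patching was to require Network Level Authentication (NLA), which stops unauthenticated clients before they reach the vulnerable RDP code paths. The script below is an added example for auditing that setting on your own hosts; it is not code from the original article or from Pentest-Tools.com. It implements the X.224 Connection Request / Confirm exchange from the public MS-RDPBCGR specification, offers only legacy “standard RDP security”, and reads the server’s negotiation reply: a server that enforces NLA answers with RDP_NEG_FAILURE code HYBRID_REQUIRED_BY_SERVER. Function names (`build_connection_request`, `parse_connection_confirm`, `classify`, `probe`) are this example’s own, and the sample replies are constructed, not captured from real hosts.

```python
"""Audit whether an RDP endpoint enforces Network Level Authentication (NLA).

Added example, not from the original article. Implements the X.224 Connection
Request / Confirm exchange (MS-RDPBCGR 2.2.1.1 and 2.2.1.2) to learn which
security protocol a server will accept. Names are this example's own.
"""
import socket
import struct

# Security protocol flags carried in RDP_NEG_REQ / RDP_NEG_RSP (MS-RDPBCGR 2.2.1.1.1)
PROTOCOL_RDP = 0x00000000     # legacy "standard RDP security": no NLA
PROTOCOL_SSL = 0x00000001     # TLS without CredSSP
PROTOCOL_HYBRID = 0x00000002  # CredSSP, i.e. NLA

# failureCode values from RDP_NEG_FAILURE (MS-RDPBCGR 2.2.1.2.2)
FAILURE_CODES = {
    0x01: "SSL_REQUIRED_BY_SERVER",
    0x02: "SSL_NOT_ALLOWED_BY_SERVER",
    0x03: "SSL_CERT_NOT_ON_SERVER",
    0x04: "INCONSISTENT_FLAGS",
    0x05: "HYBRID_REQUIRED_BY_SERVER",
    0x06: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested_protocols: int, cookie_user: str = "audit") -> bytes:
    """TPKT + X.224 Connection Request TPDU carrying an RDP_NEG_REQ."""
    cookie = f"Cookie: mstshash={cookie_user}\r\n".encode("ascii")
    # RDP_NEG_REQ: type=0x01, flags=0, length=8 (LE), requestedProtocols (LE)
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested_protocols)
    # X.224 CR body after the length indicator: code 0xE0, DST-REF, SRC-REF, class options
    cr_body = struct.pack(">BHHB", 0xE0, 0, 0, 0) + cookie + neg_req
    x224 = struct.pack("B", len(cr_body)) + cr_body
    tpkt = struct.pack(">BBH", 3, 0, 4 + len(x224))  # version 3, reserved, total length
    return tpkt + x224


def parse_connection_confirm(data: bytes) -> dict:
    """Decode the server's X.224 Connection Confirm and its RDP negotiation payload."""
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT-framed X.224 PDU")
    if struct.unpack(">H", data[2:4])[0] != len(data):
        raise ValueError("TPKT length does not match buffer")
    li = data[4]                     # X.224 length indicator
    if data[5] != 0xD0:
        raise ValueError("expected X.224 Connection Confirm (0xD0)")
    payload = data[11:5 + li]        # bytes after DST-REF, SRC-REF, class options
    if not payload:
        # Very old servers reply with a bare CC, which implies standard RDP security only.
        return {"negotiation": False, "selected_protocol": PROTOCOL_RDP}
    if len(payload) < 8:
        raise ValueError("truncated RDP negotiation payload")
    ptype, _flags, plen, value = struct.unpack("<BBHI", payload[:8])
    if plen != 8:
        raise ValueError("unexpected negotiation PDU length")
    if ptype == 0x02:                # RDP_NEG_RSP
        return {"negotiation": True, "selected_protocol": value}
    if ptype == 0x03:                # RDP_NEG_FAILURE
        return {"negotiation": True, "failure_code": value,
                "failure_name": FAILURE_CODES.get(value, "UNKNOWN")}
    raise ValueError(f"unknown negotiation PDU type {ptype:#x}")


def classify(result: dict) -> str:
    """Verdict for a reply to a request that offered only PROTOCOL_RDP."""
    code = result.get("failure_code")
    if code == 0x05:
        return "NLA enforced"
    if code == 0x01:
        return "TLS required, NLA not enforced"
    if code is not None:
        return "negotiation failed: " + result["failure_name"]
    if result.get("selected_protocol") == PROTOCOL_RDP:
        return "NLA not enforced (standard RDP security accepted)"
    return "NLA not enforced"


def probe(host: str, port: int = 3389, timeout: float = 5.0) -> str:
    """Connect to a host you administer, offer only legacy RDP security, report what it demands."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connection_request(PROTOCOL_RDP))
        head = sock.recv(4)
        if len(head) < 4:
            raise ValueError("no TPKT header received")
        remaining = struct.unpack(">H", head[2:4])[0] - 4
        body = b""
        while len(body) < remaining:
            chunk = sock.recv(remaining - len(body))
            if not chunk:
                break
            body += chunk
    return classify(parse_connection_confirm(head + body))


# Constructed sample replies (not captured from real hosts), each a TPKT + X.224 CC.
SAMPLE_NLA_ENFORCED = bytes.fromhex("03000013" "0ed00000123400" "0300080005000000")  # NEG_FAILURE 0x05
SAMPLE_LEGACY_RDP = bytes.fromhex("03000013" "0ed00000123400" "0200080000000000")    # NEG_RSP PROTOCOL_RDP
SAMPLE_BARE_CC = bytes.fromhex("0300000b" "06d00000123400")                          # no negotiation PDU

if __name__ == "__main__":
    for name, sample in [("enforced", SAMPLE_NLA_ENFORCED), ("legacy", SAMPLE_LEGACY_RDP),
                         ("bare", SAMPLE_BARE_CC)]:
        print(name, "->", classify(parse_connection_confirm(sample)))
```

Run it against an inventory of your own RDP hosts with `probe(host)`; anything that does not come back as “NLA enforced” is a host where unauthenticated clients can still reach the pre-authentication code that BlueKeep lives in, so it should be patched and have NLA turned on, or have 3389 taken off the Internet. The three constructed samples exercise the parser offline.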

May 30, 2019 — Two weeks after initially issuing the security fix for BlueKeep, Microsoft came back and stressed the importance of installing the latest updates on the affected systems.

June 4, 2019 — Another advisory came from the National Security Agency, which strongly recommended that Microsoft Windows administrators and home users apply the latest software patches available to avoid becoming easy targets.

On the same day, the CERT Coordination Center at Carnegie Mellon University reported another related Microsoft Windows RDP security vulnerability (CVE-2019-9510) which can allow an attacker to remotely bypass the Windows lock screen. More (technical) details can be found here.

June 17, 2019 — This advisory was followed by one from the Cybersecurity and Infrastructure Security Agency (CISA), which issued an Activity Alert for Windows users and administrators to patch the critical security flaws and follow “the appropriate mitigation measures as soon as possible”. Homeland Security’s cyber agency said that it had tested a working BlueKeep remote code execution exploit and concluded that Windows 2000 machines are also vulnerable to this flaw.

July 1, 2019 — Security researchers from Sophos developed a Proof-of-Concept exploit (not available to the public) and published a demo video showing how malicious actors could exploit the BlueKeep vulnerability against RDP servers and why it is a serious threat, urging individuals and organizations to patch their systems ASAP.

July 23, 2019 — Immunity Inc., a US-based company, released a working BlueKeep exploit as a new module in CANVAS 7.23, their penetration testing toolkit. You can see the video demonstration here.

You can read the rest of the article on the Pentest-Tools.com blog.
