
Update [05.21.2019]: Using information from their research and from public scripts, security professionals at NCC Group have created a network detection rule for CVE-2019-0708. After testing with Suricata IDS/IPS, NCC Group made it publicly available.
Security researchers have created exploits for the remote code execution vulnerability in Microsoft's Remote Desktop Services, tracked as CVE-2019-0708 and dubbed BlueKeep, and hackers may not be far behind.
While the vulnerability inspired some playful users to create fake proof-of-concept code intended for rickrolling, it is no joke. As Remote Desktop Services is commonly exposed to the public so that users can gain remote access to their internal computers, successful exploitation could allow access to an entire network.
Microsoft released a patch for the flaw on May 14 and described it as being "wormable" - not requiring user interaction, and allowing malware to propagate to vulnerable machines "in a similar way as the WannaCry malware spread across the globe in 2017." The severity score of the flaw is 9.8 out of 10, which makes it critical.
CVE-2019-0708 is definitely exploitable for RCE
The first to confirm that BlueKeep is exploitable was the zero-day acquisition platform Zerodium, through its founder, Chaouki Bekrar. He said that the exploit works remotely without authentication and grants the attacker the highest privileges on vulnerable Windows Server 2008 and Windows 7, as well as on the out-of-support Windows 2003 and XP.
We've confirmed exploitability of Windows Pre-Auth RDP bug (CVE-2019-0708) patched yesterday by Microsoft. Exploit works remotely, without authentication, and provides SYSTEM privileges on Windows Srv 2008, Win 7, Win 2003, XP. Enabling NLA mitigates the bug. Patch now or GFY!
— Chaouki Bekrar (@cBekrar) May 15, 2019
Other researchers posted that they had created a working exploit code for the BlueKeep vulnerability.
On Saturday, security researcher Valthek announced that he was able to create proof-of-concept code that triggered the RDS bug. However, he would not provide more details about this.
I got the CVE-2019-0708 exploit working with my own programmed POC (a very real, dangerous POC). This exploit is very dangerous. For this reason I will not say ANYTHING TO ANYBODY OR ANY ENTERPRISE about it. You are free to believe me or not, I don't care. https://t.co/o7wwEazgK0
— Valthek (@ValthekOn) May 18, 2019
Christiaan Beek, senior principal engineer at McAfee, confirmed that Valthek's proof-of-concept (PoC) code was working and urged "everyone to PATCH," adding that the issue was indeed very serious.
Neither the code nor the technical details were released, but Beek said that the PoC achieved remote code execution on Windows XP. Microsoft retired XP years ago yet still patched it against BlueKeep, a clear indicator that businesses important enough to warrant a critical update are still relying on it.
CVE-2019-0708 #BlueKeep - After many hours @ValthekOn was able to get a working PoC for this. We are not going to reveal technical details or release code. We urge everyone to PATCH - it is really nasty.. @Raj_Samani @John_Fokker @Seifreed @fr0gger_ @w3knight pic.twitter.com/W0aGXj2KTa
— Christiaan Beek (@ChristiaanBeek) May 18, 2019
Beek says that the vulnerability is related to the Remote Desktop Protocol (RDP). He recommends disabling it if it is not needed and applying the patch. As a further precaution, he advises cutting direct RDP access and limiting internal usage.
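The mitigations mentioned above (disable RDP where it is not needed, otherwise require NLA) can be audited locally. The following PowerShell check is an added example, not code from the article or from McAfee; it assumes the standard Terminal Server registry locations and reports posture only, it does not change anything.

```powershell
# Added example (not from the article): report the local RDP hardening posture
# that the BlueKeep coverage recommends: is RDP enabled, and is NLA required?
# Assumes the standard Terminal Server registry keys; run elevated so every
# value can be read. Patch status is not checked here (no KB ids on the page).

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcpKey = "$tsKey\WinStations\RDP-Tcp"

# fDenyTSConnections = 1 means Remote Desktop is disabled on this host.
$rdpDenied = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections `
                -ErrorAction SilentlyContinue).fDenyTSConnections

# UserAuthentication = 1 means Network Level Authentication is required before
# a session is created, which is the mitigation Zerodium described.
$nla = (Get-ItemProperty -Path $tcpKey -Name UserAuthentication `
          -ErrorAction SilentlyContinue).UserAuthentication

# SecurityLayer: 0 = legacy RDP security, 1 = negotiate, 2 = TLS (SSL) only.
$secLayer = (Get-ItemProperty -Path $tcpKey -Name SecurityLayer `
               -ErrorAction SilentlyContinue).SecurityLayer

$rdpEnabled = ($rdpDenied -ne 1)
$findings = @()
if ($rdpEnabled -and $nla -ne 1) {
    $findings += 'RDP is enabled without NLA: the pre-authentication path is reachable.'
}
if ($rdpEnabled -and $secLayer -eq 0) {
    $findings += 'SecurityLayer is 0 (legacy RDP security); prefer 2 (TLS).'
}
if (-not $rdpEnabled) {
    $findings += 'Remote Desktop is disabled on this host.'
}

[PSCustomObject]@{
    ComputerName  = $env:COMPUTERNAME
    RdpEnabled    = $rdpEnabled
    NlaRequired   = ($nla -eq 1)
    SecurityLayer = $secLayer
    Findings      = $findings -join ' '
}
```

Run it through `Invoke-Command -ComputerName <hosts>` to collect the same object from many servers and sort by `NlaRequired` to find the hosts that still expose the pre-authentication code path.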
Boris Larin of Kaspersky also analyzed the vulnerability and developed detections to prevent exploitation attempts. His tweet also lacks technical details but comes with an animated picture showing that the blue screen of death was triggered on a virtual Windows XP machine.
Since methods to protect against BlueKeep are available, Larin said that Kaspersky would like to share them with trusted industry partners. Anyone interested in the details should contact the company.
We analyzed the vulnerability CVE-2019-0708 and can confirm that it is exploitable.
We have therefore developed detection strategies for attempts to exploit it and would now like to share those with trusted industry parties.
Please contact: nomoreworm@kaspersky.com pic.twitter.com/pEzuEzok0d
— Boris Larin (@oct0xor) May 20, 2019
A vulnerability does not need to produce the intended effect, such as code execution, to be judged exploitable; an unexpected outcome like the crash shown above is enough to build detections for attempts to leverage it.
Safe method to find vulnerable machines
Admins who have not yet installed the patch should apply it now, before hackers finish brewing a working exploit and the aftermath that comes with it.
If they don't want to blindly update systems, Zheng Wenbin, the head of 360Vulcan - Qihoo360's vulnerability research team - announced that they have a safe option to determine which machines are impacted by the issue, without triggering the vulnerability.
This is done via RDP packet behavior and the researcher says that it does not cause a blue screen of death (BSOD) so it can be used safely on the network.

The scan tool is not available for download. To get it and scan the network, one has to contact Qihoo360's CERT department.
CVE-2019-0708 was reported privately to Microsoft by the UK's National Cyber Security Centre (NCSC); there is no public indication at the moment that it is being exploited in the wild.
This may soon change once technical details emerge or hackers manage to put together the pieces and understand exactly how to trigger BlueKeep in a way that gives them execution rights on vulnerable systems.
Microsoft says that there is a strong possibility of malicious actors writing a working exploit and adding it to their malware. As such, the general consensus is to install the patch as quickly as possible. If a working exploit makes it onto GitHub, there is a bot that keeps track of the repositories associated with CVE-2019-0708.
