BlueKeep: A Novel Approach to Remote Code Execution

On May 14th, Microsoft surprised many security experts by announcing a patch for Windows XP, Windows 7, Server 2003, Server 2008, and Server 2008 R2 for a newly discovered remote code execution flaw in the Remote Desktop Protocol (RDP) service. Although the flaw was not known to be exploited in the wild, Microsoft, as it had done for the WannaCry vulnerability before it, advised all users of these older, and in some cases no longer supported, versions of Windows to apply the patch as soon as possible. Attacks targeting the vulnerability were not expected to be far behind, since the patch itself could be reverse engineered to work out just how the originally identified attack worked.

What’s in a Name? 

Microsoft registered the vulnerability under the identifier CVE-2019-0708, but due to the severity of the issue, and to raise public awareness of it, the name BlueKeep was chosen by a security operations center manager named Kevin Beaumont. The name combines two elements. The first is the Red Keep from Game of Thrones, chosen for how ridiculously simple the books in the Song of Ice and Fire series made it appear to take control of the Iron Throne. The "blue" part took its inspiration from the blue screen of death: when security researchers attempted to reproduce the issue, their early POCs would cause a BSOD while trying to trigger it.

What’s the Risk? 

BlueKeep has a 9.8 critical score using CVSSv3. For a breakdown of this score, visit https://nvd.nist.gov/vuln/detail/CVE-2019-0708. What this means for you is that if you are running an older version of Windows, have not patched yet, and are not employing at least one of the following mitigations: disabling Remote Desktop Services, blocking port 3389 at the firewall, or enabling Network Level Authentication on supported editions of Windows 7, Windows Server 2008, or Windows Server 2008 R2, then it is entirely possible for your machine to be fully compromised, with remote code execution on your system. Even then, early research points to the same effect being achievable over different ports, so a firewall rule for port 3389 alone is not a complete defence, and while Network Level Authentication removes the ability to run code unauthenticated, it does not stop exploitation entirely. Patching therefore remains the most effective countermeasure.
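The following PowerShell script is an added example, not part of the original post, that audits a single Windows 7 / Server 2008 R2 host for the factors discussed above: whether Remote Desktop is enabled, whether Network Level Authentication is required, which port the RDP listener uses, and whether a given hotfix is installed. The KB identifier is a placeholder parameter; substitute the article number Microsoft lists for the host's OS in its CVE-2019-0708 advisory.

```powershell
# Added example (not from the original post): audit this host's exposure to
# CVE-2019-0708 using the mitigations the post lists. Run from an elevated
# PowerShell session on the host being checked.
# Assumption: $PatchKB is the KB article for this OS from Microsoft's advisory
# (placeholder value below).
param(
    [string]$PatchKB = 'KB0000000'   # placeholder: substitute the real KB for this OS
)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = Join-Path $tsKey 'WinStations\RDP-Tcp'

# fDenyTSConnections = 0 means Remote Desktop connections are allowed.
$denyTS = (Get-ItemProperty -Path $tsKey  -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
# UserAuthentication = 1 means Network Level Authentication is required.
$nla    = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication  -ErrorAction SilentlyContinue).UserAuthentication
# PortNumber is the RDP listener port (3389 by default); a non-default port is
# reported for visibility only, since the post notes it does not prevent the attack.
$port   = (Get-ItemProperty -Path $rdpKey -Name PortNumber          -ErrorAction SilentlyContinue).PortNumber
# Get-HotFix returns nothing when the hotfix is absent.
$patched = [bool](Get-HotFix -Id $PatchKB -ErrorAction SilentlyContinue)

$rdpEnabled  = ($denyTS -eq 0)
$nlaRequired = ($nla -eq 1)

# Summary record for reporting or export (e.g. pipe to Export-Csv across many hosts).
[pscustomobject]@{
    ComputerName   = $env:COMPUTERNAME
    RDPEnabled     = $rdpEnabled
    NLARequired    = $nlaRequired
    RDPPort        = $port
    PatchInstalled = $patched
}

# Risk verdict, ordered from safest to most exposed.
if (-not $rdpEnabled) {
    Write-Output 'Remote Desktop is disabled: the vulnerable service is not reachable over RDP.'
} elseif ($patched) {
    Write-Output "Hotfix $PatchKB is installed: host is patched."
} elseif ($nlaRequired) {
    Write-Warning 'Unpatched, but NLA is required: unauthenticated exploitation is blocked. Patch anyway.'
} else {
    Write-Warning 'Unpatched, RDP enabled, NLA not required: host is exposed. Patch immediately.'
}
```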

Where do we go from here? 

While this flaw was caught before being exploited in the wild, as WannaCry had been two years ago, it is advisable to stay alert for potential future variants that might also need patching. As proofs of concept demonstrating the vulnerability are just now surfacing, if you are running a vulnerable version of Windows and have not patched it yet, do so as soon as possible: it is only a matter of time before malware producers take the known proofs of concept and wrap them into their own exploits. In the meantime, if you do not use Remote Desktop Services, disabling them is advisable, and in the case of older legacy systems that cannot readily be updated, potentially vulnerable machines should be separated and isolated on your network.

For more information on how this security flaw operates, consult NCC Group's Suricata signature for the exploit traffic here: https://github.com/nccgroup/Cyber-Defence/blob/master/Signatures/suricata/2019_05_rdp_cve_2019_0708.txt. Qihoo360 in China has also released a scan tool to check whether your computer is vulnerable, which can only be obtained by requesting it by email. The tweet announcing it can be found here: https://twitter.com/mj0011sec/status/1130387741538054144

Fabrice Mouret