BlueKeep

From Wikipedia, the free encyclopedia

BlueKeep
A logo created for the vulnerability, featuring a keep, a fortified tower built within castles
CVE identifier(s): CVE-2019-0708
Date patched: 14 May 2019[1]
Discoverer: UK National Cyber Security Centre[2]
Affected software: pre-Windows 8 versions of Microsoft Windows

BlueKeep (CVE-2019-0708) is a security vulnerability that was discovered in Microsoft's Remote Desktop Protocol (RDP) implementation, which can allow remote code execution.

First reported in May 2019, it is present in all unpatched Windows NT-based versions of Microsoft Windows from Windows 2000 through Windows Server 2008 R2 and Windows 7. Microsoft issued a security patch (including an out-of-band update for several versions of Windows that have reached their end-of-life, such as Windows XP) on 14 May 2019. On 13 August 2019, related BlueKeep security vulnerabilities, collectively named DejaBlue, were reported to affect newer Windows versions, including Windows 7 and all recent versions of the operating system up to Windows 10, as well as the older Windows versions.[3] On 6 September 2019, a Metasploit exploit of the wormable BlueKeep security vulnerability was announced to have been released into the public realm.[4]

History

The BlueKeep security vulnerability was first noted by the UK National Cyber Security Centre[2] and, on 14 May 2019, reported by Microsoft. The vulnerability was named BlueKeep by computer security expert Kevin Beaumont on Twitter. BlueKeep is officially tracked as CVE-2019-0708 and is a "wormable" remote code execution vulnerability.[5][6]

Both the U.S. National Security Agency (which issued its own advisory on the vulnerability on 4 June 2019)[7] and Microsoft stated that this vulnerability could potentially be used by self-propagating worms, with Microsoft (based on a security researcher's estimation that nearly 1 million devices were vulnerable) saying that such a theoretical attack could be of a similar scale to EternalBlue-based attacks such as NotPetya and WannaCry.[8][9][7]

On the same day as the NSA advisory, researchers of the CERT Coordination Center disclosed a separate RDP-related security issue in the Windows 10 May 2019 Update and Windows Server 2019, citing a new behaviour where RDP Network Level Authentication (NLA) login credentials are cached on the client system, and the user can regain access to their RDP connection automatically if their network connection is interrupted. Microsoft dismissed this vulnerability as being intended behaviour, and it can be disabled via Group Policy.[10]

As of 1 June 2019, no active malware exploiting the vulnerability seemed to be publicly known; however, undisclosed proof-of-concept (PoC) code exploiting the vulnerability may have been available.[8][11][12][13] On 1 July 2019, Sophos, a British security company, reported on a working example of such a PoC, in order to emphasize the urgent need to patch the vulnerability.[14][15][16] On 22 July 2019, more details of an exploit were purportedly revealed by a conference speaker from a Chinese security firm.[17] On 25 July 2019, computer experts reported that a commercial version of the exploit may have been available.[18][19] On 31 July 2019, computer experts reported a significant increase in malicious RDP activity and warned, based on histories of exploits from similar vulnerabilities, that an active exploit of the BlueKeep vulnerability in the wild might be imminent.[20]

On 13 August 2019, related BlueKeep security vulnerabilities, collectively named DejaBlue, were reported to affect newer Windows versions, including Windows 7 and all recent versions of the operating system up to Windows 10, as well as the older Windows versions.[3]

On 6 September 2019, an exploit of the wormable BlueKeep security vulnerability was announced to have been released into the public realm.[4] The initial version of this exploit was, however, unreliable, being known to cause "blue screen of death" (BSOD) errors. A fix was later announced, removing the cause of the BSOD error.[21]

On 2 November 2019, the first BlueKeep hacking campaign on a mass scale was reported, and included an unsuccessful cryptojacking mission.[22]

On 8 November 2019, Microsoft confirmed a BlueKeep attack, and urged users to immediately patch their Windows systems.[23]

Mechanism

The RDP protocol uses "virtual channels", configured before authentication, as a data path between the client and server for providing extensions. RDP 5.1 defines 32 "static" virtual channels, and "dynamic" virtual channels are contained within one of these static channels. If a server binds the virtual channel "MS_T120" (a channel to which there is no legitimate reason for a client to connect) to a static channel other than 31, heap corruption occurs that allows for arbitrary code execution at the system level.[24]

Windows XP, Windows Vista, Windows 7, Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 were named by Microsoft as being vulnerable to this attack. Versions newer than 7, such as Windows 8, Windows 10 and Windows 11, were not affected. The Cybersecurity and Infrastructure Security Agency stated that it had also successfully achieved code execution via the vulnerability on Windows 2000.[25]

Mitigation

Microsoft released patches for the vulnerability on 14 May 2019, for Windows XP, Windows Vista, Windows 7, Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2. This included versions of Windows that have reached their end-of-life (such as Vista, XP, and Server 2003) and thus are no longer eligible for security updates.[8] The patch forces the aforementioned "MS_T120" channel to always be bound to 31 even if requested otherwise by an RDP server.[24]
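The channel-binding condition from the Mechanism section and the patched binding described here, as an added Python example that is not code from the article, from Microsoft or from the cited sources: it models the 32-slot static channel table (assuming sequential assignment of client-requested names with MS_T120 pre-bound at index 31, a simplification) and audits a client's requested channel list, since no legitimate client requests MS_T120.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed model of the RDP 5.1 static virtual channel table described above.
STATIC_CHANNEL_COUNT = 32   # RDP 5.1 defines 32 static virtual channels
MS_T120 = "MS_T120"         # internal channel no legitimate client requests
MS_T120_INDEX = 31          # the slot MS_T120 is meant to occupy


@dataclass(frozen=True)
class Finding:
    requested_index: int        # position of MS_T120 in the client's list
    bound_index: int            # index the server actually bound it to
    heap_corruption_risk: bool  # True when bound anywhere other than 31


def bind_static_channels(client_names: List[str], patched: bool) -> Dict[int, str]:
    """Bind client-requested channel names to static channel indices.

    Hypothetical server logic, not Microsoft's code: MS_T120 is pre-bound to
    index 31, then the client's names are assigned sequentially from index 0.
    Unpatched: a client-supplied "MS_T120" is bound like any other name, so it
    lands on an index other than 31 (the condition the text describes).
    Patched: "MS_T120" stays on index 31 whatever the client requested.
    """
    if len(client_names) >= STATIC_CHANNEL_COUNT:
        raise ValueError("more channel names than static channel slots")
    table: Dict[int, str] = {MS_T120_INDEX: MS_T120}
    for idx, name in enumerate(client_names):
        if name == MS_T120 and patched:
            continue                # keep the fixed binding, ignore the request
        table[idx] = name
    return table


def audit_channel_request(client_names: List[str], patched: bool) -> List[Finding]:
    """Flag every MS_T120 in a client's request and where it would be bound."""
    table = bind_static_channels(client_names, patched)
    findings = []
    for idx, name in enumerate(client_names):
        if name == MS_T120:
            bound = idx if table.get(idx) == MS_T120 else MS_T120_INDEX
            findings.append(Finding(idx, bound, bound != MS_T120_INDEX))
    return findings


if __name__ == "__main__":
    hostile = ["rdpdr", "MS_T120", "cliprdr"]   # constructed sample request
    print(audit_channel_request(hostile, patched=False))  # bound_index 1, risk True
    print(audit_channel_request(hostile, patched=True))   # bound_index 31, risk False
```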

The NSA recommended additional measures, such as disabling Remote Desktop Services and its associated port (TCP 3389) if it is not being used, and requiring Network Level Authentication (NLA) for RDP.[26] According to computer security company Sophos, two-factor authentication may make the RDP issue less of a vulnerability. However, the best protection is to take RDP off the Internet: switch RDP off if not needed and, if needed, make RDP accessible only via a VPN.[27]


References
1. Foley, Mary Jo (2019-05-14). "Microsoft patches Windows XP, Server 2003 to try to head off 'wormable' flaw". ZDNet. Archived from the original on 2019-06-04. Retrieved 2019-06-07.
2. Microsoft (May 2019). "Security Update Guide - Acknowledgements, May 2019". Microsoft. Archived from the original on 2019-11-23. Retrieved 2019-06-07.
3. Greenberg, Andy (2019-08-13). "DejaBlue: New BlueKeep-Style Bugs Renew The Risk Of A Windows worm". Wired. Archived from the original on 2021-04-13. Retrieved 2019-08-13.
4. Goodin, Dan (2019-09-06). "Exploit for wormable BlueKeep Windows bug released into the wild - The Metasploit module isn't as polished as the EternalBlue exploit. Still, it's powerful". Ars Technica. Archived from the original on 2019-11-27. Retrieved 2019-09-06.
5. "Customer guidance for CVE-2019-0708 - Remote Desktop Services Remote Code Execution Vulnerability". Microsoft. 2019-05-14. Archived from the original on 2019-09-13. Retrieved 2019-05-29.
6. "CVE-2019-0708 Remote Desktop Services Remote Code Execution Vulnerability - Security Vulnerability". Microsoft. 2019-05-14. Archived from the original on 2019-05-29. Retrieved 2019-05-28.
7. Cimpanu, Catalin. "Even the NSA is urging Windows users to patch BlueKeep (CVE-2019-0708)". ZDNet. Archived from the original on 2019-09-06. Retrieved 2019-06-20.
8. Goodin, Dan (2019-05-31). "Microsoft practically begs Windows users to fix wormable BlueKeep flaw". Ars Technica. Archived from the original on 2019-07-22. Retrieved 2019-05-31.
9. Warren, Tom (2019-05-14). "Microsoft warns of major WannaCry-like Windows security exploit, releases XP patches". The Verge. Archived from the original on 2019-09-02. Retrieved 2019-06-20.
10. "Microsoft dismisses new Windows RDP 'bug' as a feature". Naked Security. 2019-06-06. Archived from the original on 2019-12-17. Retrieved 2019-06-20.
11. Whittaker, Zack (2019-05-31). "Microsoft warns users to patch as exploits for 'wormable' BlueKeep bug appear". TechCrunch. Archived from the original on 2019-05-31. Retrieved 2019-05-31.
12. O'Neill, Patrick Howell (2019-05-31). "You Need to Patch Your Older Windows PCs Right Now to Patch a Serious Flaw". Gizmodo. Archived from the original on 2019-06-01. Retrieved 2019-05-31.
13. Winder, Davey (2019-06-01). "Microsoft Issues 'Update Now' Warning To Windows Users". Forbes. Archived from the original on 2019-06-01. Retrieved 2019-06-01.
14. Palmer, Danny (2019-07-02). "BlueKeep: Researchers show how dangerous this Windows exploit could really be - Researchers develop a proof-of-concept attack after reverse engineering the Microsoft BlueKeep patch". ZDNet. Archived from the original on 2019-07-02. Retrieved 2019-07-02.
15. Stockley, Mark (2019-07-01). "RDP BlueKeep exploit shows why you really, really need to patch". NakedSecurity.com. Archived from the original on 2019-12-07. Retrieved 2019-07-01.
16. Staff (2019-05-29). "CVE-2019-0708: Remote Desktop Services remote code execution vulnerability (known as BlueKeep) - Technical Support Bulletin". Sophos. Archived from the original on 2019-07-03. Retrieved 2019-07-02.
17. Goodin, Dan (2019-07-22). "Chances of destructive BlueKeep exploit rise with new explainer posted online - Slides give the most detailed publicly available technical documentation seen so far". Ars Technica. Archived from the original on 2019-11-08. Retrieved 2019-07-23.
18. Cimpanu, Catalin (2019-07-25). "US company selling weaponized BlueKeep exploit - An exploit for a vulnerability that Microsoft feared it may trigger the next WannaCry is now being sold commercially". ZDNet. Archived from the original on 2019-11-08. Retrieved 2019-07-25.
19. Franceschi-Bicchierai, Lorenzo (2019-07-26). "Cybersecurity Firm Drops Code for the Incredibly Dangerous Windows 'BlueKeep' Vulnerability - Researchers from U.S. government contractor Immunity have developed a working exploit for the feared Windows bug known as BlueKeep". Vice. Archived from the original on 2019-07-26. Retrieved 2019-07-26.
20. Rudis, Bob (2019-07-31). "BlueKeep Exploits May Be Coming: Our Observations and Recommendations". Rapid7.com. Archived from the original on 2019-08-01. Retrieved 2019-08-01.
21. Cimpanu, Catalin (2019-11-11). "BlueKeep exploit to get a fix for its BSOD problem". ZDNet. Archived from the original on 2019-11-18. Retrieved 2019-11-13.
22. Greenberg, Andy (2019-11-02). "The First BlueKeep Mass Hacking Is Finally Here—but Don't Panic - After months of warnings, the first successful attack using Microsoft's BlueKeep vulnerability has arrived—but isn't nearly as bad as it could have been". Wired. Archived from the original on 2019-12-02. Retrieved 2019-11-03.
23. "Microsoft works with researchers to detect and protect against new RDP exploits". Microsoft. 2019-11-07. Archived from the original on 2019-11-23. Retrieved 2019-11-09.
24. "RDP Stands for "Really DO Patch!" – Understanding the Wormable RDP Vulnerability CVE-2019-0708". McAfee Blogs. 2019-05-21. Archived from the original on 2020-03-07. Retrieved 2019-06-19.
25. Tung, Liam. "Homeland Security: We've tested Windows BlueKeep attack and it works so patch now". ZDNet. Archived from the original on 2019-06-19. Retrieved 2019-06-20.
26. Cimpanu, Catalin. "Even the NSA is urging Windows users to patch BlueKeep (CVE-2019-0708)". ZDNet. Archived from the original on 2019-09-06. Retrieved 2019-06-20.
27. Stockley, Mark (2019-07-17). "RDP exposed: the wolves already at your door". Sophos. Archived from the original on 2019-10-18. Retrieved 2019-07-17.

Retrieved from "https://en.wikipedia.org/w/index.php?title=BlueKeep&oldid=1229277946"