Microsoft Windows Remote Desktop Services Remote Code Execution Vulnerability (BlueKeep)

Original Issue Date:- May 21, 2019
Alert Type:- Vulnerability
Severity:- High


Systems Affected

  • Windows XP (all)
  • Windows 2003 (all)
  • Windows 7 for 32-bit Systems SP 1 and x64-based Systems SP 1
  • Windows Server 2008 for 32-bit Systems SP 2 (Server Core installation also affected)
  • Windows Server 2008 for Itanium-Based Systems SP 2
  • Windows Server 2008 for x64-based Systems SP 2 (Server Core installation also affected)
  • Windows Server 2008 R2 for Itanium-Based Systems SP 1
  • Windows Server 2008 R2 for x64-based Systems SP 1 (Server Core installation also affected)


Overview

A vulnerability has been reported in Microsoft Windows Remote Desktop Services which could be exploited by a remote attacker to execute remote code on the targeted system.


Description

This vulnerability aka BlueKeep exists in the Microsoft Remote Desktop Services due to improper handling of connection requests. A remote unauthenticated attacker could exploit this vulnerability by sending specially crafted requests to the target systems Remote Desktop Service via RDP. This vulnerability is pre-authentication and does not require any user interaction. Hence, this vulnerability could create a worm, which could lead to propagation of any future malware exploiting this vulnerability from one computer to another (Similar to Wannacry ransomware). Successful exploitation of this vulnerability could allow the attacker to execute arbitrary code and compromise the target system completely.


Solution

Apply appropriate fix as mentioned in Microsoft Security Advisory

Out of Support Windows OSes (Windows XP, Windows 2003): Apply appropriate patches to patch your OS (and strongly recommended to upgrade). Microsoft does not normally give patches for out-of-support OSes but made an exception because of the criticality of the vulnerability.


Vendor Information

Microsoft

References:

Microsoft

Cisco

Trend Micro

Krebson Security

BleepingComputer

CVE Name