What about the CVE-2019-0708 vulnerability in Windows Remote Desktop Services? Microsoft released updates for Windows XP through Windows 7 on May 14, 2019. Are there exploits? Are there tools to test whether an environment is vulnerable?
Vulnerability CVE-2019-0708, some background
Remote Desktop Services – formerly known as Terminal Services – has a serious vulnerability, CVE-2019-0708, in older Windows versions. An unauthenticated attacker can connect to a target system via RDP using specially crafted requests. The problem is that the attacker does not need to authenticate at all to reach the vulnerable code and gain access to the system.
An attacker who successfully exploits this vulnerability could execute arbitrary code on the target system: install programs; view, change or delete data; or create new accounts with full user rights. This critical vulnerability exists in the following versions of Windows:
- Windows XP
- Windows Server 2003
- Windows Vista
- Windows 7
- Windows Server 2008
- Windows Server 2008 R2
Starting with Windows 8, the vulnerability no longer exists in the Remote Desktop service. On May 14, 2019, Microsoft released a security update for older Windows versions, from Windows XP to Windows 7, that closes the critical CVE-2019-0708 vulnerability in Remote Desktop Services. I had warned about this vulnerability in my blog post Critical update for Windows XP up to Windows 7 (May 2019).
What about BlueKeep exploits?
Well, updates that close the vulnerability exist. But not all administrators can install them in time. So the question arises: how dangerous is this vulnerability, now called BlueKeep, in practice? Are exploits available and in use in the wild?
Security researchers expected working exploits for CVE-2019-0708 to be available within hours or days. Security researcher Kevin Beaumont (@GossiTheDog) has monitored this topic and published information on Twitter. Until the end of last week there were no signs that RDP exploits were being used in actual attacks.
Researchers at McAfee and Zerodium both have working exploits for this. Neither has released technical details. There are no publicly available exploits at this stage, nor evidence of exploitation in the wild.
— Kevin Beaumont (@GossiTheDog) May 19, 2019
According to last Sunday’s post above, McAfee and Zerodium have functional exploits. But these are not public and there are no details about them.
Kaspersky dude has blue screen of death https://t.co/QQ2J2RRTQC
— Kevin Beaumont (@GossiTheDog) May 20, 2019
Kaspersky has tried an exploit and, as the tweet above suggests, has so far only managed to trigger a blue screen with manipulated RDP messages. According to Beaumont there is only one working exploit on GitHub so far; the rest are probably fake. But Bleeping Computer expects in this article that exploits are coming soon.
I got the CVE-2019-0708 exploit working with my own programmed POC (a very real, dangerous POC). This exploit is very dangerous. For this reason I will not say ANYTHING TO ANYBODY OR ANY ENTERPRISE about it. You are free to believe me or not, I don’t care. https://t.co/o7wwEazgK0
— Valthek (@ValthekOn) May 18, 2019
It seems that the above proof of concept (POC) has been confirmed by Christiaan Beek, senior principal engineer at McAfee. And the tweet below demonstrates the vulnerability.
We analyzed the vulnerability CVE-2019-0708 and can confirm that it is exploitable.
We have therefore developed detection strategies for attempts to exploit it and would now like to share those with trusted industry parties.
Please contact: firstname.lastname@example.org pic.twitter.com/pEzuEzok0d
— Boris Larin (@oct0xor) May 20, 2019
A first network test for the BlueKeep vulnerability
It is interesting to note that the Vulcan team of the Chinese security vendor Qihoo 360 has developed a remote scan tool that checks whether the systems in a network can be attacked through the CVE-2019-0708 vulnerability by BlueKeep exploits.
CVE-2019-0708 remote scan tool by 360Vulcan team. Detects the recent RDP bug via RDP packet behavior, without triggering the final bug path (no BSOD or any side effect on the target system); ask for it to scan your network by sending mail to cert at https://t.co/bf3ebtruY0 pic.twitter.com/0roL3SGTbJ
— mj0011 (@mj0011sec) May 20, 2019
According to the tweet above, this remote scan tool can scan a network on demand without causing a blue screen or other side effects. Currently, interested parties can only send an e-mail to 360.cn and request a network scan. But this is probably only possible for paying customers who carry weight in China. So it seems that networks will be spared a BlueKeep attack wave for a few more days – and there are probably no generally available test tools yet.
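Since no generally available test tool exists yet and not every administrator can patch immediately, the practical question is which unpatched machines to update first. The following Python script is an added example, not code from the original post or from any of the vendors mentioned: it cross-references an asset inventory against the affected-version list given above and against firewall log lines, and reports vulnerable hosts that have already accepted inbound RDP (TCP/3389) from outside the internal address ranges ahead of vulnerable hosts with no such exposure. The inventory, the log lines, the "ACTION PROTO src:port -> dst:port" log layout and the choice of RFC 1918 space as "internal" are all constructed assumptions for the example; the `patched` flag stands for whether the May 14, 2019 update is installed, however your inventory records that.

```python
"""Added example (not from the original post): prioritise unpatched hosts
for CVE-2019-0708 by cross-referencing an asset inventory with the
affected-version list and constructed firewall log lines."""
import ipaddress
import re
from dataclasses import dataclass

# Affected Windows versions as listed in the post.
AFFECTED_VERSIONS = {
    "Windows XP",
    "Windows Server 2003",
    "Windows Vista",
    "Windows 7",
    "Windows Server 2008",
    "Windows Server 2008 R2",
}

# Assumption for the example: RFC 1918 space counts as "internal".
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

RDP_PORT = 3389


@dataclass(frozen=True)
class Host:
    name: str
    ip: str
    os_name: str
    patched: bool  # True once the May 14, 2019 update is installed


# Constructed inventory (hypothetical host names and addresses).
INVENTORY = [
    Host("fs01", "10.0.0.7", "Windows Server 2008 R2", patched=False),
    Host("ws22", "10.0.1.22", "Windows 7", patched=True),
    Host("ws23", "10.0.1.23", "Windows XP", patched=False),
    Host("app01", "10.0.2.5", "Windows Server 2012", patched=False),
]

# Constructed firewall log lines: "<timestamp> <ACTION> TCP src:port -> dst:port".
LOG_LINES = [
    "2019-05-20T10:15:01Z ALLOW TCP 203.0.113.5:51234 -> 10.0.0.7:3389",
    "2019-05-20T10:16:44Z ALLOW TCP 10.0.1.50:49200 -> 10.0.0.7:3389",
    "2019-05-20T10:17:02Z ALLOW TCP 198.51.100.9:40001 -> 10.0.1.22:3389",
    "2019-05-20T10:18:10Z DENY TCP 198.51.100.9:40002 -> 10.0.1.23:3389",
    "2019-05-20T10:19:30Z ALLOW TCP 198.51.100.9:40003 -> 10.0.2.5:3389",
    "2019-05-20T10:20:00Z ALLOW TCP 203.0.113.5:51300 -> 10.0.0.7:443",
    "this line is malformed and must be skipped",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+TCP\s+"
    r"(?P<src>[0-9.]+):\d+\s+->\s+(?P<dst>[0-9.]+):(?P<dport>\d+)$"
)


def is_vulnerable(host):
    """Affected version and the update not yet installed."""
    return host.os_name in AFFECTED_VERSIONS and not host.patched


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def rdp_allows(lines):
    """Yield (src, dst) for every accepted connection to TCP/3389; skip junk."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["action"] != "ALLOW" or int(m["dport"]) != RDP_PORT:
            continue
        yield m["src"], m["dst"]


def classify(inventory, lines):
    """Return (exposed, pending): exposed maps vulnerable hosts that accepted
    RDP from a non-internal source to the sorted list of those sources;
    pending lists vulnerable hosts with no such connection in the log."""
    by_ip = {h.ip: h for h in inventory}
    exposed = {}
    for src, dst in rdp_allows(lines):
        host = by_ip.get(dst)
        if host is None or not is_vulnerable(host) or is_internal(src):
            continue
        exposed.setdefault(host.name, set()).add(src)
    pending = sorted(h.name for h in inventory
                     if is_vulnerable(h) and h.name not in exposed)
    return {name: sorted(srcs) for name, srcs in exposed.items()}, pending


if __name__ == "__main__":
    exposed, pending = classify(INVENTORY, LOG_LINES)
    for name, sources in exposed.items():
        print(f"PATCH FIRST  {name}: external RDP accepted from {', '.join(sources)}")
    for name in pending:
        print(f"PATCH NEXT   {name}: unpatched, no external RDP seen in log")
```

With the constructed data, `fs01` is reported first (unpatched Server 2008 R2 that accepted an RDP connection from 203.0.113.5), `ws23` follows as unpatched but not yet reached from outside, and `ws22` (patched) and `app01` (Server 2012, not affected) are not reported at all. Denied connections, non-RDP ports and malformed log lines are ignored, so the report only reflects connections the firewall actually let through.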