BlueKeep: Patch for pirated copies; SSL tunnel as a risk factor

[German]It seems that Microsoft offers also patches against BlueKeep vulnerability for pirated copies of Windows XP and Windows 7. And Talos has a blog post about defend of encrypted RDP attacks like BlueKeep.


BlueKeep-Fixes also for pirated copies

Well, in normal circumstances I would not mention this topic. But this makes clear, how urgent this case might be. Last Friday warned in a Technet blog post about the BlueKeep vulnerability and recommends to install available updates (see my blog post BlueKeep vulnerability: Microsoft warns about a wormable malware epedemia).

Microsoft provides Updates from Windows XP up to Windows 7 (and affected Servers) – even, if Windows XP (and Windows Server 2003) is out of support for many years. One of Microsoft’s arguments for upgrading to new Windows versions has always been that the support with security updates for the older versions has expired. So some people could suppose, that Microsoft provides a blocking mechanism for this security update for priated copies of Windows XP up to Windows 7.

Woody Leonhard has mentioned this within his above tweet and addressed it within the linked blog post. So: Install the security updates on your affected machines as soon as possible.

BlueKeep and encrypted SSL tunnels

Some RDP-Sessions are using an encrypted SSL tunnel to access a host. But BlueKeep (CVE-2019-0708) can be exploited over an encrypted SSL tunnel. This SSL encryption may impact packet inspection and detection of such an attack.


Craig Williams mentioned that within the above tweet and linked to a Talos Security article Using Firepower to defend against encrypted RDP attacks like BlueKeep, which discusses this topic. After Microsoft released fixes for the critical authentication remote code execution vulnerability in Remote Desktop Protocol Services (RDP), Cisco Talos started reverse-engineering work immediately to determine how exactly RDP was vulnerable. They released SID 50137 for SNORT® correctly blocks exploitation of CVE-2019-0708 and scanning attempts that leverage this vulnerability. Within the article linked above, Talos provides a guide to set up RDP decryption on Cisco Firepower, specifically applies to Windows Server 2008 instances. Windows 7 required to overcome several hurdles to be attackable – and newer Windows Server versions are not vulnerable.

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security and tagged . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *