CVE-2019-0708
📋 TL;DR
CVE-2019-0708 (BlueKeep) is a critical remote code execution vulnerability in Microsoft's Remote Desktop Services. It allows unauthenticated attackers to execute arbitrary code on vulnerable systems by sending specially crafted RDP requests. This affects older Windows versions that haven't been patched.
💻 Affected Systems
- Microsoft Windows Remote Desktop Services (Terminal Services)
📦 What is this software?
Agile Controller Campus Firmware by Huawei
Axiom Vertix Md Trauma Firmware by Siemens
Axiom Vertix Solitaire M Firmware by Siemens
Windows 7 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise leading to ransomware deployment, data theft, or creation of wormable botnets that can spread automatically across networks.
Likely Case
Initial foothold for lateral movement, credential harvesting, and deployment of additional malware payloads.
If Mitigated
Denial of service or failed exploitation attempts if RDP is disabled or properly firewalled.
🎯 Exploit Status
Multiple public exploits exist, including Metasploit modules. The vulnerability is wormable and has been actively exploited in the wild.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: May 2019 security updates (KB4499164, KB4499180, etc.)
Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708
Restart Required: Yes
Instructions:
1. Apply the May 2019 security updates from Microsoft.
2. For unsupported systems (XP, 2003), enable Network Level Authentication (NLA).
3. Restart systems after patching.
🔧 Temporary Workarounds
Disable RDP
Windows: completely disable Remote Desktop Services if not required
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f
Enable Network Level Authentication
Windows: require authentication before an RDP session is established
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 1 /f
🧯 If You Can't Patch
- Block TCP port 3389 at network perimeter and internal firewalls
- Implement RDP Gateway with strict authentication requirements
🔍 How to Verify
Check if Vulnerable:
Check whether the system is running an affected Windows version with RDP enabled and is missing the May 2019 patches
Check Version:
wmic os get Caption,Version,BuildNumber,CSDVersion
Verify Fix Applied:
Verify May 2019 security updates are installed and RDP is either disabled or NLA is enabled
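The three checks above combined into one script for the local host. This is an added example, not part of the advisory; it assumes PowerShell 2.0 or later in an elevated shell, and the KB list is only the two numbers the advisory names (it says "etc."), so add the KB for your OS build before trusting a "patched" result.

```powershell
# Added example (not from the advisory). Checks: patch present, RDP disabled, NLA required, 3389 listening.
# KB numbers are the ones named in the advisory; the monthly rollup KB differs per OS build.
$Kbs = @('KB4499164', 'KB4499180')

$os       = Get-WmiObject Win32_OperatingSystem        # same data as the wmic line above
# Win32_QuickFixEngineering can omit some updates; treat "not found" as a prompt to check
# Windows Update history, not as proof that the patch is missing.
$hotfixes = Get-WmiObject Win32_QuickFixEngineering | Where-Object { $Kbs -contains $_.HotFixID }

# Registry values set by the two workaround commands in this advisory.
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$tsKey\WinStations\RDP-Tcp"
$deny = (Get-ItemProperty -Path $tsKey  -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
$nla  = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication

# What matters is whether anything is actually listening on 3389; netstat exists on every affected
# version. "LISTENING" is localized on non-English Windows, adjust the pattern there.
$listening = [bool](netstat -ano | Select-String -Pattern ':3389\s+\S+\s+LISTENING')

$state = New-Object PSObject -Property @{
    OS            = "$($os.Caption) build $($os.BuildNumber)"
    PatchFound    = [bool]$hotfixes
    RdpDisabled   = ($deny -eq 1)
    NlaRequired   = ($nla -eq 1)
    Listening3389 = $listening
}
$state | Format-List

if ($state.PatchFound)                            { 'Verdict: patched' }
elseif ($state.RdpDisabled -or -not $listening)   { 'Verdict: unpatched, but RDP is not reachable on this host' }
elseif ($state.NlaRequired)                       { 'Verdict: unpatched; NLA workaround in place, still apply the update' }
else                                              { 'Verdict: EXPOSED - unpatched, RDP listening, NLA not required' }
```

Run it on each host (or push it through your management tooling) and keep the output as evidence for the "Verify Fix Applied" step.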
📡 Detection & Monitoring
Log Indicators:
- Failed RDP authentication attempts followed by successful connections
- Event ID 4625 (failed logon) from RDP sources
- Unusual process creation from the svchost.exe instance hosting TermService (termsrv.dll)
Network Indicators:
- RDP connections from unexpected sources
- Multiple RDP connection attempts to port 3389
- Unusual RDP traffic patterns
SIEM Query:
(event_id=4625 OR event_id=4624) AND logon_type=10 | stats count by src_ip dest_ip
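The first log indicator above (failed RDP logons followed by a success from the same source) as a reusable check over Security-log events. This is an added example, not part of the advisory; the function works on any records with TimeCreated, Id, LogonType and IpAddress fields, the Get-RdpLogonEvents helper is an assumed name that pulls them from the live log, and the sample data is constructed.

```powershell
# Added example (not from the advisory). Logon type 10 = RemoteInteractive, i.e. an RDP session.
# With NLA enabled, failed attempts can be logged as logon type 3 instead; widen the filter if so.
function Find-RdpFailuresThenSuccess {
    param([object[]]$Events, [int]$MinFailures = 3)
    $Events | Where-Object { $_.LogonType -eq 10 -and $_.IpAddress } |
        Group-Object IpAddress | ForEach-Object {
            $sorted   = $_.Group | Sort-Object TimeCreated
            $failures = @($sorted | Where-Object { $_.Id -eq 4625 })
            $success  = $sorted | Where-Object { $_.Id -eq 4624 } | Select-Object -First 1
            if ($failures.Count -ge $MinFailures -and $success -and
                $failures[0].TimeCreated -lt $success.TimeCreated) {
                New-Object PSObject -Property @{
                    IpAddress = $_.Name; Failures = $failures.Count; FirstSuccess = $success.TimeCreated
                }
            }
        }
}

# Live source (assumed helper name): 4624/4625 from the Security log, projected to the fields
# the function needs. Requires an elevated shell.
function Get-RdpLogonEvents {
    param([datetime]$Since = (Get-Date).AddHours(-24))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $Since } |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}; foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            New-Object PSObject -Property @{
                TimeCreated = $_.TimeCreated; Id = $_.Id
                LogonType = [int]$d['LogonType']; IpAddress = $d['IpAddress']
            }
        }
}

# Constructed sample (not real log data): five failures then a success from one address,
# and a single clean success from another.
$t = Get-Date '2019-05-20 03:00:00'
$sample = @(0..4 | ForEach-Object {
    New-Object PSObject -Property @{ TimeCreated = $t.AddSeconds($_); Id = 4625; LogonType = 10; IpAddress = '203.0.113.7' }
})
$sample += New-Object PSObject -Property @{ TimeCreated = $t.AddSeconds(9); Id = 4624; LogonType = 10; IpAddress = '203.0.113.7' }
$sample += New-Object PSObject -Property @{ TimeCreated = $t.AddSeconds(1); Id = 4624; LogonType = 10; IpAddress = '192.0.2.10' }

Find-RdpFailuresThenSuccess -Events $sample       # reports only 203.0.113.7
# Find-RdpFailuresThenSuccess -Events (Get-RdpLogonEvents)   # run against the live log
```

Because the vulnerability is exploited before authentication, a BlueKeep attempt itself produces no 4625/4624 pair; this check covers the credential-based RDP abuse listed above, so pair it with the network indicators for port 3389.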
🔗 References
- http://packetstormsecurity.com/files/153133/Microsoft-Windows-Remote-Desktop-BlueKeep-Denial-Of-Service.html
- http://packetstormsecurity.com/files/153627/Microsoft-Windows-RDP-BlueKeep-Denial-Of-Service.html
- http://packetstormsecurity.com/files/154579/BlueKeep-RDP-Remote-Windows-Kernel-Use-After-Free.html
- http://packetstormsecurity.com/files/155389/Microsoft-Windows-7-x86-BlueKeep-RDP-Use-After-Free.html
- http://packetstormsecurity.com/files/162960/Microsoft-RDP-Remote-Code-Execution.html
- http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20190529-01-windows-en
- http://www.huawei.com/en/psirt/security-notices/huawei-sn-20190515-01-windows-en
- https://cert-portal.siemens.com/productcert/pdf/ssa-166360.pdf
- https://cert-portal.siemens.com/productcert/pdf/ssa-406175.pdf
- https://cert-portal.siemens.com/productcert/pdf/ssa-433987.pdf
- https://cert-portal.siemens.com/productcert/pdf/ssa-616199.pdf
- https://cert-portal.siemens.com/productcert/pdf/ssa-832947.pdf
- https://cert-portal.siemens.com/productcert/pdf/ssa-932041.pdf
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-0708