DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2019-0708: CVE-2019-0708: Unauthenticated Remote Code Execution in Windows Remote Desktop Services (BlueKeep)

#security #cve #cybersecurity

CVE-2019-0708: Unauthenticated Remote Code Execution in Windows Remote Desktop Services (BlueKeep)

Vulnerability ID: CVE-2019-0708
CVSS Score: 9.8
Published: 2019-05-16

A critical use-after-free (UAF) vulnerability exists in the Windows kernel driver termdd.sys, which processes Remote Desktop Protocol (RDP) connections. The flaw allows an unauthenticated attacker to execute arbitrary code with systemic privileges by binding the internal MS_T120 virtual channel to an arbitrary static index.

TL;DR

BlueKeep is a pre-authentication, wormable remote code execution vulnerability in Windows Remote Desktop Services. Attackers trigger a use-after-free in termdd.sys by manipulating RDP virtual channel binding during the initial connection sequence.

⚠️ Exploit Status: ACTIVE

Technical Details

  • CWE ID: CWE-416
  • Attack Vector: Network (Pre-authentication RDP)
  • CVSS v3.1: 9.8 CRITICAL
  • EPSS Score: 0.94454 (99.99%)
  • Impact: System-level RCE
  • Exploit Status: Active Exploitation
  • KEV Listed: Yes

Affected Systems

  • Windows 7
  • Windows Server 2008
  • Windows Server 2008 R2
  • Windows XP
  • Windows Server 2003
  • Siemens Medical Devices
  • Huawei Embedded Systems
  • Windows 7: SP1 (Fixed in: KB4499175)
  • Windows Server 2008 R2: SP1 (Fixed in: KB4499175)
  • Windows Server 2008: SP2 (Fixed in: KB4499180)
  • Windows XP: SP3 (Fixed in: KB4500331)
  • Windows Server 2003: SP2 (Fixed in: KB4500331)

Exploit Details

  • Metasploit: Metasploit BlueKeep Scanner and RCE Module
  • GitHub: Python-based PoC
  • GitHub: Pre-auth RCE PoC for Windows 7
  • GitHub: C-based scanner for identifying BlueKeep at scale

Mitigation Strategies

  • Apply official Microsoft security updates
  • Enable Network Level Authentication (NLA) for RDP
  • Block TCP port 3389 at the perimeter firewall
  • Disable Remote Desktop Services if unneeded
  • Isolate legacy industrial and medical devices on strict VLANs

Remediation Steps:

  1. Identify all hosts running affected Windows operating systems.
  2. Apply the May 2019 out-of-band security updates provided by Microsoft.
  3. Configure Group Policy to mandate Network Level Authentication for all incoming RDP connections.
  4. Verify perimeter firewall rules explicitly deny external traffic to port 3389.
  5. Deploy network IDS signatures to detect MS_T120 channel binding anomalies.

References

Read the full report for CVE-2019-0708 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)