Attacker Value
Very High
(7 users assessed)
Exploitability
Moderate
(7 users assessed)
User Interaction
Unknown
Privileges Required
Unknown
Attack Vector
Unknown

DejaBlue, RDP Heap Overflow

Disclosure Date: August 14, 2019 Last updated February 13, 2020

Description

A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

To exploit this vulnerability, an attacker would need to send a specially crafted request to the target system's Remote Desktop Service via RDP.

The update addresses the vulnerability by correcting how Remote Desktop Services handles connection requests.


4
Ratings
  • Attacker Value
    Very High
Technical Analysis

Affects every version of Windows from Windows 7 to Windows 10. A DVC, or Dynamic Virtual Channel, packet needs to be sent with a specially-crafted uncompressed field value larger than an integer, causing an overflow, according to MalwareTech's writeup here: https://www.malwaretech.com/2019/08/dejablue-analyzing-a-rdp-heap-overflow.html
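The assessment above describes the bug class (a wire-supplied "uncompressed length" that wraps a 32-bit size computation, so a small buffer is allocated and a large copy follows). The block below is an added example written for this page, not code from MalwareTech's writeup, from Microsoft, or from any RDP implementation: the packet layout (`uncompressed_len`, `payload_len`, then run-length pairs), the header size, the size cap and every function name are assumptions chosen for illustration. It shows the wrapping size calculation beside the hardened form, and a toy decoder whose writes are bounded by the validated length rather than the header's claim.

```c
/* Added example: a constructed illustration of the bug class described above
 * (a wire-supplied "uncompressed length" that wraps a 32-bit size calculation),
 * not the actual RDP/DVC decompressor. The packet format is hypothetical. */
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define HDR_LEN 8u                        /* hypothetical header: uncompressed_len, payload_len (both LE32) */
#define MAX_UNCOMPRESSED (64u * 1024u)    /* policy cap chosen for this example */

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable pattern: the attacker-controlled uncompressed_len is added to the
 * header size in 32-bit arithmetic. 0xFFFFFFFC + 8 wraps to 4, so the
 * allocation is tiny while later copies trust the large uncompressed_len. */
uint32_t vuln_alloc_size(uint32_t uncompressed_len) {
    return uncompressed_len + HDR_LEN;    /* wraps silently */
}

/* Hardened: cap first, then prove the addition cannot wrap. Returns 0 and
 * writes *out on success, -1 if the header is too large or would wrap.
 * The wrap check is redundant once a cap exists; it is kept because it is
 * the check that matters in code that has no cap. */
int safe_alloc_size(uint32_t uncompressed_len, size_t *out) {
    if (uncompressed_len > MAX_UNCOMPRESSED) return -1;
    if (uncompressed_len > UINT32_MAX - HDR_LEN) return -1;
    *out = (size_t)uncompressed_len + HDR_LEN;
    return 0;
}

/* Toy run-length decoder standing in for the real decompressor: the payload is
 * (count, byte) pairs that must expand to exactly uncompressed_len bytes. The
 * reassembled buffer is the header followed by the decoded body. Every write
 * is bounded by the validated uncompressed_len and every read by payload_len.
 * Returns bytes produced, or -1 on malformed input; *out must be free()d. */
long safe_decompress(const uint8_t *pkt, size_t pktlen, uint8_t **out) {
    size_t need, produced = 0, i;
    if (pktlen < HDR_LEN) return -1;
    uint32_t ulen = rd32le(pkt), plen = rd32le(pkt + 4);
    if (plen > pktlen - HDR_LEN || plen % 2 != 0) return -1;  /* payload must fit the packet */
    if (safe_alloc_size(ulen, &need) != 0) return -1;
    uint8_t *buf = malloc(need);
    if (!buf) return -1;
    memcpy(buf, pkt, HDR_LEN);
    for (i = 0; i < plen; i += 2) {
        uint8_t count = pkt[HDR_LEN + i], val = pkt[HDR_LEN + i + 1];
        if (count > ulen - produced) { free(buf); return -1; }  /* would write past the body */
        memset(buf + HDR_LEN + produced, val, count);
        produced += count;
    }
    if (produced != ulen) { free(buf); return -1; }  /* header claimed more than the payload yields */
    *out = buf;
    return (long)produced;
}

int main(void) {
    /* constructed packet: uncompressed_len=5, payload_len=4, payload 3x'A' 2x'B' */
    static const uint8_t pkt[] = {5,0,0,0, 4,0,0,0, 3,'A', 2,'B'};
    uint8_t *out = NULL;
    long n = safe_decompress(pkt, sizeof pkt, &out);
    printf("vuln size for 0xFFFFFFFC: %u\n", vuln_alloc_size(0xFFFFFFFCu));
    if (n > 0) {
        printf("decoded %ld bytes: %.*s\n", n, (int)n, out + HDR_LEN);
        free(out);
    }
    return 0;
}
```

The point of the two size functions is that the check must be on the untrusted value before it feeds any arithmetic; checking the sum after it has already wrapped passes the very input that causes the overflow.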

4
Ratings
  • Attacker Value
    High
  • Exploitability
    Low
Technical Analysis

This vulnerability was discovered while researchers audited the RDP code from the previous vulnerability, Bluekeep. This vulnerability is likely going to be worse than Bluekeep, as it targets more modern operating systems. The saving grace with Dejablue, as with Bluekeep and even Eternalblue, is the complexity of turning the vulnerability into a reliable exploit, as the attacker must successfully trigger the vulnerability, write to kernel memory and to user memory, then execute the code in kernel memory to locate and execute the code in user memory. Without question this is in the ability of nation states and probably even organized crime, but until a public version is released, this will be treated as a zero day by those attackers that possess it. I would be surprised to see a public version of this that works reliably across Windows 10 kernel releases for at least another six to eight weeks (October 2019).
