Attacker Value
Very High
(12 users assessed)
Exploitability
Moderate
(12 users assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
8

Windows Remote Desktop (RDP) Use-after-free vulnerablility, "Bluekeep"

Disclosure Date: May 16, 2019
Exploited in the Wild
Add MITRE ATT&CK tactics and techniques that apply to this CVE.
Persistence
Techniques
Validation
Validated

Description

A bug in Windows Remote Desktop protocol allows unauthenticated users to run arbitrary code via a specially crafted request to the service. This affects Windows 7/Windows Server 2008 and earlier releases. Given the ubiquity of RDP in corporate environments and the trusted nature of RDP, this could pose serious concerns for ransomware attacks much like WannaCry.

Patches are released for Windows 7/2008 Operating systems as well as Windows XP.

Add Assessment

8
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Medium
Technical Analysis

The effort to execute the exploit out of the box, with default settings on known targets is not that high. It’s important to note that to exploit this reliably in atypical scenarios you need to know a bit more detail of the target, including what hypervisor it may be running on.

6
Ratings
  • Attacker Value
    High
  • Exploitability
    High
Technical Analysis

What a pain to make it work generally across different versions! The work put into this will be foundational for future exploit development around RDP and Windows kernel exploitation in general.

6
Ratings
Technical Analysis

Like some others have said, this requires an understanding of your targets Host devices in order to generate a reliable exploit. This involves identifying the Start address of the NonPageedPool and plugging this into the existing metasploit module.

With a large number of cloud-based resources this is perhaps a little easier to exploit than enterprise desktops.

An example against AWS hosted windows appliances works something like this.

  • Spin up your own AWS Instance.
  • Use Memory Dump tool like WinPMem to grab a memory image.
  • Transfer mem dump to a machine running the rekall memory forensics tool
  • Run the pools plugin to get the address.

This offset will work against any instance in this region started from that same base AMI.

alt text

5
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very Low
Technical Analysis

It is a scary vuln, and you should patch immediately. As no PoC is out, don’t trust the patch entirely and limit exposure to critical systems.

4
Ratings
Technical Analysis

This vulnerability may seem very useful, it is probably as interesting as other RCEs affecting Microsoft Windows OSes, however public exploits rely on the existence of a registry key (fDisableCam) not being present by default (it has to be manually created) thus not found in enterprise networks.

4
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very Low
Technical Analysis

This vuln is important to focus attention to. Pre-auth RCE on a likely large target base is very dangerous.

4
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very Low
Technical Analysis

Watch this one for details. In the meantime, if you can’t patch, then block TCP/3389 (or whatever port you might be mapping RDP to), enable Network Level Authentication (NLA), or disable RDP.

This exploit is critical. RDP is ubiquitous in corporate settings, which are the most likely to have older Operating Systems deployed. That issue is complicated by the general reasoning that most older Operating systems are there to support legacy equipment and are less likely to receive automated patching.

EDIT (24-July-2019): Welp, we’ve heard lots of researchers say they’re privately holding onto PoCs, but now PoCs and details are starting to surface. It won’t be long until this one is easily weaponized, and I’m willing to bet it’s being used in the wild, if only in selected cases.

3
Ratings
Technical Analysis

Some of the gotchas on patching this vuln:

  • Not restarting the vulnerable asset, even after you apply the patch, keeps the asset vulnerable. Must restart.
  • There have been cases where even with the patch reported as being installed, files on disk were vulnerable, manually checking termdd.sys, the file is normally located at C:\Windows\System32\drivers and the version retrieved with this powershell command:

get-item -Path ‘C:\Windows\System32\drivers\termdd.sys’ | Format-List -Force

3
Ratings
Technical Analysis

Due to public exploits being flaky and sometimes resulting in a Blue Screen on the victim, this exploit is still somewhat difficult to always replicate. If you have paid tools that have better versions of the exploit, it’s more reliable.

The fact that an exploit is included in newer versions of metasploit massively lowers the bar for being able to exploit this vulnerability.

The damage potential is astronomical as there are so many machines that expose RDP to the internet.

1
Technical Analysis

CVE-2019-0708 has supposively been exploited in the wild by Chinese state actors according to the NSA announcement at https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF

CVSS V3 Severity and Metrics
Base Score:
9.8 Critical
Impact Score:
5.9
Exploitability Score:
3.9
Vector:
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Vendors

  • Microsoft

Products

  • Windows,
  • Windows Server

Exploited in the Wild

Reported by:

Additional Info

Technical Analysis