Malware & Threats

PoC Exploits Created for Wormable Windows RDS Flaw

Several proof-of-concept (PoC) exploits, including ones that can be used for remote code execution, have been developed for the recently patched Windows Remote Desktop Services (RDS) vulnerability tracked as CVE-2019-0708 and dubbed BlueKeep.

Microsoft’s Patch Tuesday updates for May 2019 addressed a flaw that malware could exploit to spread in much the same way the notorious WannaCry ransomware did back in 2017 through the EternalBlue exploit.

The vulnerability, described by Microsoft as wormable, allows an unauthenticated attacker to take control of a device without any user interaction by sending specially crafted requests to the targeted machine’s RDS via the Remote Desktop Protocol (RDP).

Microsoft has released patches for Windows 7 and Server 2008 (including 2008 R2), along with Windows XP and Server 2003, which are no longer supported. Windows 8 and 10 are not affected. Users of Windows 7 and Server 2008 can block unauthenticated attackers from exploiting the flaw by enabling Network Level Authentication (NLA), although NLA does not remove the vulnerability: an attacker holding valid credentials can still reach the vulnerable code, so the patch is still required. The threat can also be mitigated by blocking TCP port 3389 at the perimeter firewall, which prevents exploitation from the internet but not from hosts already inside the network.
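The NLA mitigation above is only effective if the server actually refuses the unauthenticated (standard RDP security) negotiation path, and that is something a defender can verify from the network rather than by trusting a GPO. The following Python script is an added example, not code from the article or from any vendor; it implements the X.224 Connection Request / Connection Confirm negotiation step from MS-RDPBCGR, asks the server for PROTOCOL_RDP only, and classifies the answer: an RDP_NEG_FAILURE with HYBRID_REQUIRED_BY_SERVER means NLA is enforced, while an RDP_NEG_RSP selecting PROTOCOL_RDP (or, on legacy XP/2003-era servers, no negotiation response at all) means an unauthenticated client can reach RDS. The cookie string, the hostname handling and the sample server responses are constructed assumptions for offline use; the script does not test for the vulnerability itself, only for whether the unauthenticated path is open.

```python
import socket
import struct
import sys

# Negotiation constants from MS-RDPBCGR (RDP_NEG_REQ / RDP_NEG_RSP / RDP_NEG_FAILURE).
PROTOCOL_RDP = 0x00000000      # standard RDP security: the unauthenticated path
PROTOCOL_SSL = 0x00000001      # TLS without CredSSP
PROTOCOL_HYBRID = 0x00000002   # CredSSP, i.e. NLA

TYPE_RDP_NEG_REQ = 0x01
TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03

FAILURE_CODES = {
    0x01: "SSL_REQUIRED_BY_SERVER",
    0x02: "SSL_NOT_ALLOWED_BY_SERVER",
    0x03: "SSL_CERT_NOT_ON_SERVER",
    0x04: "INCONSISTENT_FLAGS",
    0x05: "HYBRID_REQUIRED_BY_SERVER",
    0x06: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested_protocols=PROTOCOL_RDP, cookie=b"mstshash=probe"):
    """TPKT + X.224 Connection Request carrying an RDP_NEG_REQ for the given protocols."""
    neg_req = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested_protocols)
    cookie_field = b"Cookie: " + cookie + b"\r\n"       # cookie value is an arbitrary assumption
    # X.224 CR TPDU fixed part: code 0xE0 (CR), DST-REF, SRC-REF, class 0; then variable part.
    body = struct.pack(">BHHB", 0xE0, 0, 0, 0) + cookie_field + neg_req
    x224 = bytes([len(body)]) + body                     # LI counts everything after itself
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224


def parse_connection_confirm(data):
    """Classify a TPKT + X.224 Connection Confirm sent in reply to a PROTOCOL_RDP request."""
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT packet")
    tpkt_len = struct.unpack(">H", data[2:4])[0]
    if tpkt_len != len(data):
        raise ValueError("TPKT length %d does not match %d bytes received" % (tpkt_len, len(data)))
    li = data[4]
    if data[5] & 0xF0 != 0xD0:
        raise ValueError("expected X.224 Connection Confirm (0xD0), got 0x%02x" % data[5])
    variable = data[11:5 + li]    # bytes after the 6-byte fixed part of the CC TPDU
    if len(variable) < 8:
        # Legacy servers (XP / 2003 era) answer without any RDP_NEG_RSP: only standard RDP security.
        return {"verdict": "rdp_allowed", "reason": "no negotiation response; standard RDP security only"}
    rtype, _flags, _length, value = struct.unpack("<BBHI", variable[:8])
    if rtype == TYPE_RDP_NEG_RSP:
        verdict = "rdp_allowed" if value == PROTOCOL_RDP else "rdp_refused"
        return {"verdict": verdict, "reason": "server selected protocol 0x%x" % value, "selected_protocol": value}
    if rtype == TYPE_RDP_NEG_FAILURE:
        name = FAILURE_CODES.get(value, "UNKNOWN_0x%x" % value)
        verdict = "nla_required" if value == 0x05 else "rdp_refused"
        return {"verdict": verdict, "reason": name, "failure_code": value}
    raise ValueError("unexpected negotiation structure type 0x%02x" % rtype)


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed after %d bytes" % len(buf))
        buf += chunk
    return buf


def check_host(host, port=3389, timeout=5.0):
    """Send the request to a live host and classify its reply (network use; not run offline)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_connection_request())
        header = _recv_exact(s, 4)
        total = struct.unpack(">H", header[2:4])[0]
        return parse_connection_confirm(header + _recv_exact(s, total - 4))


# Constructed sample replies (not captured from real hosts) so the parser can be exercised offline.
def _server_confirm(variable):
    body = struct.pack(">BHHB", 0xD0, 0, 0, 0) + variable
    x224 = bytes([len(body)]) + body
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224

SAMPLE_NLA_REQUIRED = _server_confirm(struct.pack("<BBHI", TYPE_RDP_NEG_FAILURE, 0, 8, 0x05))
SAMPLE_RDP_ALLOWED = _server_confirm(struct.pack("<BBHI", TYPE_RDP_NEG_RSP, 0, 8, PROTOCOL_RDP))
SAMPLE_LEGACY_NO_NEG = _server_confirm(b"")

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(sys.argv[1], check_host(sys.argv[1]))
    else:
        for label, sample in (("nla", SAMPLE_NLA_REQUIRED), ("rdp", SAMPLE_RDP_ALLOWED), ("legacy", SAMPLE_LEGACY_NO_NEG)):
            print(label, parse_connection_confirm(sample))
```

Run it with a hostname to probe a single server; with no argument it classifies the three constructed replies. A verdict of "rdp_allowed" on an unpatched Windows 7 or Server 2008 host is the exposure the article describes; "nla_required" closes the unauthenticated path but says nothing about whether KB updates for CVE-2019-0708 are installed, so pair it with patch inventory rather than treating it as a substitute.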

Experts have warned that the flaw poses a serious risk to organizations around the world, and that industrial environments are particularly exposed, as many use RDS for remote access to control systems.

The risk of exploitation for malicious purposes continues to increase, and several researchers and cybersecurity companies have reported developing PoC exploits.

Fortunately, no fully working exploits appear to have been made public to date. The SANS Institute reported seeing two partial exploits that are publicly available — they both trigger the vulnerability without causing any actual damage.

While some researchers have created exploits that cause a denial-of-service (DoS) condition (i.e., a blue screen of death or BSOD), others have developed remote code execution exploits.


Chaouki Bekrar, CEO and founder of exploit acquisition firm Zerodium, has confirmed that the vulnerability can be exploited remotely without authentication to gain access to a device with SYSTEM privileges.

McAfee has also developed a PoC exploit that allows remote code execution. The company has released a video showing the exploit in action, but it has not made it public.

Several cybersecurity firms have pushed out updates that should detect and block attempts to exploit the BlueKeep vulnerability.

“Right now, it is only a matter of time until someone publishes a working exploit or a malware author starts selling one on the underground markets. Should that happen, it will probably become very popular among less skilled cybercriminals and also a lucrative asset for its originator,” warned ESET’s Ondrej Kubovič.

Related: Microsoft Patches Internet Explorer Zero-Day Reported by Google

Related: Microsoft Patches Two Windows Flaws Exploited in Targeted Attacks

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
