Several proof-of-concept (PoC) exploits, including ones that can be used for remote code execution, have been developed for the recently patched Windows Remote Desktop Services (RDS) vulnerability tracked as CVE-2019-0708 and dubbed BlueKeep.
Microsoft’s Patch Tuesday updates for May 2019 addressed a flaw that malware could exploit to spread in much the same way the notorious WannaCry ransomware did back in 2017 through the EternalBlue exploit.
The vulnerability, described by Microsoft as wormable, allows an unauthenticated attacker to take control of a device without any user interaction by sending specially crafted requests to the targeted machine’s RDS via the Remote Desktop Protocol (RDP).
Microsoft has released patches for Windows 7 and Server 2008, along with Windows XP and Server 2003, which are no longer supported. Windows 8 and 10 are not affected, and users of Windows 7 and Server 2008 can block unauthenticated attackers from exploiting the flaw by enabling Network Level Authentication (NLA). The threat can also be mitigated by blocking TCP port 3389 at the perimeter firewall.
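The following PowerShell audit is an added example (not from the article or from Microsoft) that checks a host against the mitigations listed above: whether the OS is in the affected family, whether NLA is required on the RDP-Tcp listener, and whether anything is listening on TCP/3389. It assumes an elevated PowerShell 2.0 or later on the host being audited (Vista/2008 or newer for the WMI-based remediation helper); registry paths and WMI class names are the standard Terminal Services ones.

```powershell
# Added example: audit a Windows host for the BlueKeep mitigations described in the
# article (NLA required, TCP/3389 not reachable). Run as administrator on the host.
function Get-BlueKeepExposure {
    $os = Get-WmiObject -Class Win32_OperatingSystem
    # Affected families per the article: XP (5.1), Server 2003 (5.2), Vista/2008 (6.0),
    # 7/2008 R2 (6.1). Windows 8 (6.2) and 10 (10.0) are not affected.
    $major, $minor = $os.Version.Split('.')[0..1] | ForEach-Object { [int]$_ }
    $affectedFamily = ($major -eq 5) -or ($major -eq 6 -and $minor -le 1)

    # NLA state: the RDP-Tcp listener's UserAuthentication value (1 = NLA required).
    $rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $nla = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    $nlaEnabled = ($nla -eq 1)

    # Is Remote Desktop enabled at all? fDenyTSConnections = 1 means RDP is switched off.
    $tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpOff = ((Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections -eq 1)

    # Is anything listening on TCP/3389? netstat text is parsed because PowerShell 2.0
    # (Windows 7 default) has no Get-NetTCPConnection cmdlet.
    $listening = [bool](netstat -an | Select-String -Pattern ':3389\s+\S+\s+LISTENING')

    # Exposed = affected OS family, RDP reachable, and NLA not required. Patch status is
    # deliberately not inferred here; this is a mitigation audit, not proof of patching.
    New-Object PSObject -Property @{
        Host            = $env:COMPUTERNAME
        OSVersion       = $os.Version
        AffectedFamily  = $affectedFamily
        RdpDisabled     = $rdpOff
        NlaEnabled      = $nlaEnabled
        ListeningOn3389 = $listening
        Exposed         = ($affectedFamily -and -not $rdpOff -and $listening -and -not $nlaEnabled)
    }
}

# Remediation helper: require NLA on the RDP-Tcp listener via the Terminal Services WMI
# provider (available on Vista/Server 2008 and later; not on XP/2003).
function Enable-RdpNla {
    $ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
        -Filter "TerminalName='RDP-Tcp'"
    $ts.SetUserAuthenticationRequired(1) | Out-Null
}

Get-BlueKeepExposure | Format-List
```

Blocking TCP/3389 at the perimeter, the article's other mitigation, is a network-device change and is not scripted here; the audit only reports whether the host itself is listening.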
Experts have warned that the flaw poses a serious risk to organizations around the world and industrial environments are particularly exposed as many use RDS for remote access to control systems.
The risk of exploitation for malicious purposes continues to increase, and several researchers and cybersecurity companies have reported developing PoC exploits.
Fortunately, no fully working exploits appear to have been made public to date. The SANS Institute reported seeing two partial exploits that are publicly available — they both trigger the vulnerability without causing any actual damage.
While some researchers have created exploits that cause a denial-of-service (DoS) condition (i.e., a blue screen of death or BSOD), others have developed remote code execution exploits.
Chaouki Bekrar, CEO and founder of exploit acquisition firm Zerodium, has confirmed that the vulnerability can be exploited remotely without authentication to gain access to a device with SYSTEM privileges.
McAfee has also developed a PoC exploit that allows remote code execution. The company has released a video showing the exploit in action, but it has not made it public.
Several cybersecurity firms have pushed out updates that should detect and block attempts to exploit the BlueKeep vulnerability.
“Right now, it is only a matter of time until someone publishes a working exploit or a malware author starts selling one on the underground markets. Should that happen, it will probably become very popular among less skilled cybercriminals and also a lucrative asset for its originator,” warned ESET’s Ondrej Kubovič.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.