The latest from Unit 42 cautions against exploitation of the Windows BlueKeep vulnerability, CVE-2019-0708. Read more about how Palo Alto Networks customers are protected and what you can do to keep your security posture stable. Got questions? Get answers on LIVEcommunity.
In May 2019, Microsoft released an out-of-band patch update for the remote code execution vulnerability CVE-2019-0708, also known as "BlueKeep", which resides in Remote Desktop Services (RDS) code. The vulnerability is pre-authentication and requires no user interaction, which makes it particularly dangerous: it has the unsettling potential to be weaponized into a destructive exploit. If successfully exploited, it allows arbitrary code execution with SYSTEM privileges. The Microsoft Security Response Center advisory indicates the vulnerability may also be wormable, a behavior seen in attacks including WannaCry and EsteemAudit. Understanding the seriousness of this vulnerability and its potential impact on the public, Microsoft took the rare step of releasing a patch for the no-longer-supported Windows XP operating system in a bid to protect Windows users.
With potentially catastrophic global ramifications, Palo Alto Networks Unit 42 researchers felt it was important to analyze this vulnerability to understand the inner workings of RDS and how it could be exploited. Our research dives deep into the RDP internals and how they can be leveraged to gain code execution on an unpatched host. This blog discusses how the Bitmap Cache protocol data unit (PDU), the Refresh Rect PDU, and the RDPDR Client Name Request PDU can be used to write data into kernel memory.
Our Unit 42 blog discusses exploitation of CVE-2019-0708 and ways to mitigate the vulnerability.
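Because the bug is pre-authentication, the RDP security negotiation is what decides who can reach the affected RDS code path: a listener that enforces Network Level Authentication (NLA, the mitigation Microsoft's advisory recommends alongside the patch) makes a client authenticate first, while a listener that still accepts legacy "standard RDP security" lets any unauthenticated client in. The script below is an added example, not code from the Unit 42 post or from Palo Alto Networks. It performs the MS-RDPBCGR X.224 Connection Request / Connection Confirm exchange, asking for legacy RDP security only, and classifies the server's answer. The host name, port, and the Connection Confirm byte strings used as samples are constructed assumptions for illustration, not captures from a real host.

```python
"""RDP security-negotiation probe for CVE-2019-0708 exposure triage.

Added example (not from the Unit 42 post). Performs the MS-RDPBCGR X.224
Connection Request / Connection Confirm exchange (sections 2.2.1.1 and
2.2.1.2) to learn whether an RDP listener still negotiates legacy
"standard RDP security" (no TLS, no NLA), i.e. whether an unauthenticated
client can reach the pre-authentication RDS code path.
"""
import socket
import struct
import sys

# requestedProtocols / selectedProtocol values (MS-RDPBCGR 2.2.1.1.1)
PROTOCOL_RDP = 0x00000000      # legacy standard RDP security
PROTOCOL_SSL = 0x00000001      # TLS
PROTOCOL_HYBRID = 0x00000002   # CredSSP, i.e. Network Level Authentication

TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03

# RDP_NEG_FAILURE failureCode values (MS-RDPBCGR 2.2.1.2.2)
FAILURE_CODES = {
    1: "SSL_REQUIRED_BY_SERVER",
    2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER",
    4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER",
    6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested_protocols=PROTOCOL_RDP, cookie="probe"):
    """TPKT header + X.224 Connection Request TPDU + RDP_NEG_REQ.

    Asking only for PROTOCOL_RDP forces the server to either accept legacy
    security (RDP_NEG_RSP) or say what it requires (RDP_NEG_FAILURE).
    """
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested_protocols)
    # CR code 0xE0, DST-REF, SRC-REF, class 0, then the usual mstshash cookie
    tpdu = b"\xe0\x00\x00\x00\x00\x00" + f"Cookie: mstshash={cookie}\r\n".encode() + neg_req
    x224 = struct.pack("B", len(tpdu)) + tpdu          # length indicator excludes itself
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224


def parse_connection_confirm(data):
    """Parse TPKT + X.224 Connection Confirm into {selected_protocol, failure}."""
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT packet")
    (tpkt_len,) = struct.unpack(">H", data[2:4])
    if tpkt_len != len(data):
        raise ValueError("TPKT length mismatch")
    if data[5] != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    if len(data) == 11:
        # No RDP_NEG_* structure appended: server only speaks standard RDP security
        return {"selected_protocol": PROTOCOL_RDP, "failure": None}
    if len(data) < 19:
        raise ValueError("truncated negotiation structure")
    ntype, _flags, nlen, value = struct.unpack("<BBHI", data[11:19])
    if nlen != 8:
        raise ValueError("bad RDP_NEG_* length")
    if ntype == TYPE_RDP_NEG_RSP:
        return {"selected_protocol": value, "failure": None}
    if ntype == TYPE_RDP_NEG_FAILURE:
        return {"selected_protocol": None, "failure": FAILURE_CODES.get(value, f"UNKNOWN({value})")}
    raise ValueError(f"unexpected negotiation type {ntype:#x}")


def classify(result):
    """Map the negotiation outcome to a posture label."""
    failure = result["failure"]
    if failure == "HYBRID_REQUIRED_BY_SERVER":
        return "nla-required"            # authentication precedes the RDS code path
    if failure == "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER":
        return "client-cert-required"
    if failure == "SSL_REQUIRED_BY_SERVER":
        return "tls-required"            # encrypted, but the pre-auth path is still reachable
    if failure is not None:
        return "refused:" + failure
    if result["selected_protocol"] == PROTOCOL_RDP:
        return "legacy-rdp-accepted"     # any unauthenticated client reaches the pre-auth path
    return f"selected:{result['selected_protocol']:#x}"


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed during negotiation")
        buf += chunk
    return buf


def probe(host, port=3389, timeout=5.0):
    """Send the request to a live host (assumed host/port) and classify its answer."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connection_request())
        header = _recv_exact(sock, 4)
        (total,) = struct.unpack(">H", header[2:4])
        data = header + _recv_exact(sock, total - 4)
    return classify(parse_connection_confirm(data))


# Constructed Connection Confirm samples for offline use (not captured from a real host)
SAMPLE_LEGACY_RDP = bytes.fromhex("03000013" "0ed00000123400" "0200080000000000")
SAMPLE_NLA_REQUIRED = bytes.fromhex("03000013" "0ed00000123400" "0300080005000000")
SAMPLE_TLS_REQUIRED = bytes.fromhex("03000013" "0ed00000123400" "0300080001000000")
SAMPLE_NO_NEG = bytes.fromhex("0300000b" "06d00000123400")

if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: rdp_neg_probe.py <host> [port]")   # host is whatever you scan, e.g. an assumed rdp.example.internal
    print(sys.argv[1], probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 3389))
```

The labels report negotiation policy, not patch state, and that distinction matters: a host that enforces NLA is still vulnerable until patched (any authenticated user reaches the code path), and a host that answers "legacy-rdp-accepted" may already be patched. Treat "legacy-rdp-accepted" and "tls-required" as exposed pre-authentication attack surface that needs patch verification, not as a confirmed vulnerability, and verify the patch independently.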
Read the complete blog on the Unit 42 website to learn how Palo Alto Networks customers are protected.