BlueKeep Vulnerability – Patch Now, Patch Again

By Fortra's Digital Defense

Remost Desktop Protocol smWith the May 2019 Patch Tuesday release from Microsoft, it was revealed a number of older Microsoft operating systems are vulnerable to a condition known as BlueKeep (CVE-2019-0708). BlueKeep is a Remote Code Execution (RCE) flaw in Remote Desktop Services (RDS)/Remote Desktop Protocol (RDP) allowing code to run with system level access and is potentially “wormable” making it possible for an attacker to programmatically exploit the vulnerability and subsequently use exploited systems to locate, exploit and spread to other systems.

BlueKeep is considered “critical” by Microsoft and affects older versions of Microsoft Windows Operating Systems, including, Windows 7, Vista, XP, 2000; Windows Server 2008 R2, Server 2008 and Server 2003. Windows 8 and Windows 10 are not affected.

Digital Defense’s Frontline.Cloud SaaS Security Platform can scan for systems vulnerable to BlueKeep. Digital Defense strongly recommends patching systems immediately or disabling RDP on devices if it is not in use or required.

There have also been reports that in certain instances, the available patch has not “stuck”. We recommend running verification scans following any mitigation activities to validate and ensure the patching was successful.

Further details on Digital Defense’s approach to BlueKeep are provided below.


What is the bug?

Microsoft RDP uses multiple "channels" in its network protocol to handle a remote desktop connection. One of these channels is meant for internal use and isn’t meant to be one of the channels requested by a client when a connection is being established. There are, however, no mitigations in the unpatched termdd.sys to prevent a client from requesting this channel.

If the 'MS_T120' channel is requested by a client, resulting in that channel being given an ID other than 31, it results in the channel being bound multiple times, each with a unique reference. An attacker can then take steps to force one of the two MS_T120 channels to be freed, which can lead to either a use-after-free, resulting in remote code execution within the kernel, or a denial of service condition caused by forcing another call to MCSChannelClose to be made, resulting in a double-free, which will cause a Blue Screen of Death (BSOD).


How do we check for this bug?

The patch for this vulnerability introduced a response diff which can be used to determine if the vulnerability is present without triggering it. In order to perform a check for this vulnerability remotely, our scanner will fully establish a session with a target RDP service, requesting a channel with name "MS_T120" with an ID lower than 31. The scanner then sends crafted requests to the target service, and analyzes the responses. The scanner will not send packets which result in triggering a use-after-free or double-free, preventing the check from causing a crash.


How safe is this check to perform?

In our testing, the check does not cause adverse conditions against patched or unpatched systems. Additionally, our testing included running this check against systems that were at load, or under various other constraints.


Visit Microsoft for more information:

Share This