CVE-2019-0708

Published: 16/05/2019 Updated: 15/07/2019
CVSS v2 Base Score: 10 | Impact Score: 10 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 1000
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Summary

A vulnerability in the Remote Desktop Services component of Microsoft Windows could allow an unauthenticated, remote malicious user to execute arbitrary code on a targeted system. The vulnerability exists because the affected software improperly handles Remote Desktop Protocol (RDP) requests. An attacker could exploit the vulnerability by sending RDP connection requests that submit malicious input to the affected software. A successful exploit could allow the malicious user to execute arbitrary code and completely compromise the system. Microsoft confirmed the vulnerability and released software updates.

Exploits

# Exploit Title: Bluekeep Denial of Service (metasploit module)
# Shodan Dork: port:3389
# Date: 07/14/2019
# Exploit Author: RAMELLA Sebastien (github.com/mekhalleh/)
# Vendor Homepage: microsoft.com
# Version: all affected RDP services by cve-2019-0708
# Tested on: Windows XP (32-bits) / Windows 7 (64-bits)
# CVE : 2019-0708
# I ...
import socket, sys, struct
from OpenSSL import SSL
from impacket.structure import Structure
# I'm not responsible for what you use this to accomplish and should only be used for education purposes
# Could clean these up since I don't even use them
class TPKT(Structure):
    commonHdr = (
        ('Version','B=3'),
        ('Reserved','B=0'),
        ('Length','>H= ...
#RDP Blue POC by k8gege
#Local: Win7 (python)
#Target: Win2003 & Win2008 (open 3389)
import socket
import sys
import os
import platform
buf=""
buf+="\x03\x00\x00\x13"  # TPKT, Version 3, length 19
buf+="\x0e\xe0\x00\x00\x00\x00\x00\x01\x00\x08\x00\x00\x00\x00\x00"  # ITU-T Rec X224
buf+="\x03\x00\x01\xd6"  # TPKT, Version 3, length 470
buf+=" ...

Mailing Lists

Microsoft Windows Remote Desktop BlueKeep denial of service exploit ...

Github Repositories

CVE-2019-0708-POC Usage: IP format is IP:port, saved to ip.txt. cve-2019-0708.py 100 # threads

Batch detection tool for the Microsoft port-3389 remote vulnerability CVE-2019-0708 0x001 Detection on Windows github.com/robertdavidgraham/rdpscan C:\Users\K8team\Desktop\rdpscan-master\vs10\Release 的目录 2019/06/02 02:11 <DIR> 2019/06/02 02:11 <DIR> 2019/06/02 01:55 2,582,016 libcrypto-1_1.dll 2019/06/02 01:57 619,520 libs

cve-2019-0708 CVE-2019-0708 Exploit Tool Tool exploit Remote Desktop Service with CVE-2019-0708 Video Demo: www.youtube.com/watch?v=SCsJ9Uq3POk

CVE-2019-0708 batch detection 0x01 Preface CVE-2019-0708 Windows RDP remote command execution vulnerability. On 15 May 2019 a high-severity vulnerability was disclosed in the Windows server family. Its impact is broad: Windows 2003, Windows 2008, Windows 2008 R2 and Windows XP systems can all be attacked. The server vulnerability is exploited over the Remote Desktop port 3389 using the RDP protocol. CVE-2019-0708

cve-2019-0708 POC CVE-2019-0708 with python script! Video POC: www.youtube.com/watch?v=XVmCtUMELdU

CVE-2019-0708 Unauthenticated CVE-2019-0708 "BlueKeep" Scanner PoC by @JaGoTu and @zerosum0x0 Technical details: zerosum0x0.blogspot.com/2019/05/avoiding-dos-how-bluekeep-scanners-work.html Metasploit Module The Metasploit module has been pulled to rapid7:master msf5> use auxiliary/scanner/rdp/cve_2019_0708_bluekeep github.com/rapid7/metasplo

CVE-2019-0708 vulnerability MSF batch inspection plugin

CVE-2019-0708-POC cve-2019-0708 poc Run Test Works well for winxp sp3 Needs testing for win 7 Runtime: win10 x64 python3 PS D:\workspace\python\sqlstruct\sqlstruct\sqlstruct> python3 .\poc.py -t 1921681112 -p 3389 CVE-2019-0708 Remote Detection tool by: closethe [+] Connecting to RDP server [+] Establlish connection with RDP server successful !

CVE-2019-0708-Tool Sharing the exploit publicly Contact

RDP Proof of Concept This is the proof of concept source code for CVE-2019-0708

CVE-2019-0708-exp

CVE-2019-0708-Vulnerability-Scanner Powershell script to run and determine if a specific device has been patched for CVE-2019-0708 This checks to see if the termdd.sys file has been updated appropriately and is at a version level at or greater than the versions released in the 5/14/19 patches All termdd.sys versions were confirmed by Qualys www.qualys.com/research/secu

detect_bluekeep.py Python script to detect bluekeep vulnerability - CVE-2019-0708 - with TLS/SSL support Work derived from the Metasploit module written by @zerosum0x0 github.com/zerosum0x0/CVE-2019-0708 RC4 taken from github.com/DavidBuchanan314/rc4 Prerequisites detect_bluekeep.py requires pyasn1 and cryptography python modules Install them either via pip ins

CVE-2019-0708 Big shout out to the Dox King Krebs and also the thief of inventions and all-purpose fraud, Kevin www.youtube.com/watch?v=dQw4w9WgXcQ

CVE-2019-0708-PoC-Exploit CVE-2019-0708 PoC Exploit HI Kevin Beaumont (@GossiTheDog) ! :) Sorry, couldn't resist!

CVE-2019-0708 Totally legitimate 100% legitimate PoCs for CVE-2019-0708

rdp0708scanner This is a CVE-2019-0708 scanner wrapper for the single thread 0708Detector; it does a safe scan on a single or list of IPs Usage python rdp0708scanner.py -t ip-address -f ip.lst [-p port] [-x threads] [-v]

CVE-2019-0708 The following websites are all cheaters, mainly to cheat Bitcoin: they get you to download from a fake website, then tell you to transfer Bitcoin and the decompression password will be sent automatically. After you transfer Bitcoin, they will not give you any reply. You must not be deceived. Some information about the cheaters: Website: cve-2019-0708.com Email:

CVE-2019-0708-PoC CVE-2019-0708-PoC We are working on a fully functional exploit. Here there are pseudocode and notes.

CVE-2019-0708 CVE-2019-0708 python3 check 0708 A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests This vulnerability is pre-authentication and requires no user interaction An attacker who success

CVE-2019-0708poc Just a batch detection script built on the single-IP CVE-2019-0708 detection tool developed by the 360 Vulcan Team. Only a single-threaded version has been written so far; no time yet for multithreading.

cve-2019-0708-scan ip.txt stores the network segments: 19216810 12716820

CVE-2019-0708 Unauthenticated CVE-2019-0708 "BlueKeep" Scanner PoC by @JaGoTu and @zerosum0x0 Metasploit module PR: github.com/rapid7/metasploit-framework/pull/11869 In this repo A scanner fork of rdesktop that can detect if a host is vulnerable to CVE-2019-0708 Microsoft Windows Remote Desktop Services Remote Code Execution vulnerability It shouldn't

BlueKeepScan Simple wrapper over the PoC from @zerosum0x0 for checking CVE-2019-0708 in a large network with multithreading Prepare First of all you should download and install the original: git clone github.com/zerosum0x0/CVE-2019-0708.git cd CVE-2019-0708/rdesktop-fork-bd6aa6acddf0ba640a49834807872f4cc0d0a773/ ./bootstrap ./configure --disable-credssp --disable-smartcard make

CVE-2019-0708-poc Batch detection of the CVE-2019-0708 remote code execution vulnerability. 3389_hosts is the list of IP addresses to check, one per line; pool = ThreadPool(10) sets the number of scan threads. Note: Windows python3 environment. Usage: edit 3389_hosts and write the IP addresses to check into the file, one per line; on the command line change to the directory containing the code and run python cve-2019-0708.py

CVE-2019-0708-POC Working proof of concept for CVE-2019-0708, spawns remote shell Run with python3, Example python3 CVE-2019-0708-windows.py Different versions are required for linux and Windows Obfuscated for obvious reasons

bluekeep Public work for CVE-2019-0708

BlueKeep Scanner A proof-of-concept scanner to determine system vulnerability to CVE-2019-0708 Acknowledgements This is a Python port of the original metasploit module scanner by JaGoTu and zerosum0x0, available on Github here

CVE-2019-0708-poc Will update the EXP as soon as possible; waiting for the experts to update.

CVE-2019-0708-PoC Windows RPD Exploit Psych

bluekeep_CVE-2019-0708_poc_to_exploit Porting BlueKeep PoC from @Ekultek & @umarfarook882 to actual exploits Script kiddies are not welcome here, as anywhere else Please read through the issues (both closed and open) before posting stuff like "It doesn't work", "Nothing happened after I ran the script", or "Error (without being speci

Bluekeep PoC This repo contains research concerning CVE-2019-0708 Bluekeep or CVE-2019-0708 is an RCE exploit that affects the following versions of Windows systems: Windows 2003 Windows XP Windows Vista Windows 7 Windows Server 2008 Windows Server 2008 R2 The vulnerability occurs during pre-authorization and has the potential to run arbitrary malicious code in the NT Author

rdpscan for CVE-2019-0708 bluekeep vuln This is a quick-and-dirty scanner for the CVE-2019-0708 vulnerability in Microsoft Remote Desktop Right now, there are about 900,000 machines on the public Internet vulnerable to this vulnerability, so many expect a worm soon like WannaCry and notPetya Therefore, scan your networks and patch (or at least, enable NLA) on vulnerable s

At least learn some tangible fucking English you skid bots

RDS_CVE-2019-0708

CVE-2019-0708 Goby supports the CVE-2019-0708 "BlueKeep" vulnerability check Respect to @JaGoTu and @zerosum0x0 How to use Download Goby gobies.org/ Download and install npcap nmap.org/npcap/ Scan network of 3389 port ScreenShots About Goby Goby - Make Cybersecurity More Effective The new generation of network security technology achieves rapid secur

CVE-2019-0708 Without any authorization, an attacker can directly attack the operating system's exposed port-3389 service remotely; the vulnerability is pre-authentication and requires no user interaction. It could evolve into a WannaCry-like worm. Affected systems: Windows 7, Windows Server 2008 R2 and Windows Server 2008, Windows XP, Windows 2003. Mitigation: avoid exposing Remote Desktop Services (RDP, default port 3389

CVE-2019-0708-PoC-Hitting-Path Really Really Bad, don't judge this code hahaha (it's terrible) It's only hitting the vulnerable path in termdd.sys!!! NOT DOS Tested only on Windows XP Sp3 x86, Windows 7 will need the negotiation part probably so it won't work (I hope it works at all) Maybe it will be useful for exploit development

CVE-2019-0708 sup pry0cc :3 test: vote for thugcrowd in eu cyber something or other

BKScan BlueKeep (CVE-2019-0708) scanner that works both unauthenticated and authenticated (i.e. when Network Level Authentication (NLA) is enabled) Requirements: A Windows RDP server If NLA is enabled on the RDP server, a valid user/password that is part of the "Remote Desktop Users" group It is based on FreeRDP and uses Docker to ease compilation/execution It sho

CVE-2019-0708 From Infiniti Team - VinCSS (A member of Vingroup)

Leaving for a wedding tomorrow, if I can't find anything then someone else take the reins Going to drop the crash PoC here Friday if there isn't one public already Maybe the following week, depending on if the vulnerable numbers drop consistently or not vimeo.com/339425966 I'm not responsible for what you use this to accomplish and should only be used for e

66 61 74 74 2e fingerprint all the things! More info about the fingerprinting methods, sample use-cases and research results will be added to the repo soon Stay tuned! A script for extracting network metadata and fingerprints such as JA3 and HASSH from packet capture files (pcap) or live network traffic The main use-case is for monitoring honeypots, but you can also use it

CVE-2019-0708-Learning just for fun Screenshot Reference securingtomorrow.mcafee.com/other-blogs/mcafee-labs/rdp-stands-for-really-do-patch-understanding-the-wormable-rdp-vulnerability-cve-2019-0708/ docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/18a27ef9-6f9a-4501-b000-94b1fe3c2c10 docs.microsoft.com/en-us/openspecs/windows_protocols/m

Remote-Desktop-Services-Remote-Code-Execution-Vulnerability-CVE-2019-0708- rce exploit, made to work with pocsuite3

CVE-2019-0708

CVE-2019-0708 CVE-2019-0708 - A Win7 RDP exploit Sidenote: why?

CVE-2019-0708-EXPloit-3389 Remote Desktop (RDP) Services remote code execution vulnerability CVE-2019-0708

Python nmap Scripts are examples of using python-nmap and of the possibility of integrating it with other Python modules like Metasploit or ServiceNow. Alone it can provide a clear report, without needing to parse or format it after the scan finishes. The script also improves speed and reliability through scan phases and some other additional functions. List of scripts: cisco_SIE_Scan.py - Discover

CVE-2019-0708 The Crashing Part [BSOD] has been removed intentionally! A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests This vulnerability is pre-authentication and requires no user int

CVE-2019-0708-generate-hosts This program uses nmap to scan the CIDR ranges listed in the 3389_cidrs file (one per line) and generates a 3389_hosts file containing the IP addresses of machines that may be Windows hosts with Remote Desktop open on 3389, which greatly reduces the number of IPs to check next. Dependencies: python3, nmap. Run: write the CIDRs into 3389_cidrs and run ./generate.py. The generated 3389_hosts can be used to contact administrators or

CVE-2019-0708-Batch-Blue-Screen A rewrite of someone's 0708 blue-screen script, changed to blue-screen a whole network segment in batch. Usage: python3 poc.py 192.168.2.0 64 blue-screens all hosts 1-255 in the 192.168.2.0 segment in batch; adjust it for your own segment.

cve-2019-0708-exp Exp from Korea I think you'll like it. XP is coming, Win7 is coming too. Will Linux be far away?

CVE-2019-0708 Proof of concept exploit for CVE-2019-0708 Coming soon areusecurese?CVE-2019-0708

CVE-2019-0708 PoC exploit for BlueKeep (CVE-2019-0708) Usage: ./PoC.py [TARGET IP] [PORT] (defaults to 3389)

CVE-2019-0708 CVE-2019-0708 batch blue-screen prank. Test environment: win7, win2008, win2008r2. Usage: python blue_keep.py -u ./yourfile.txt -b 64 (system bitness)

CVE-2019-0708-exploit-RCE The exploit works on python 2.7 CVE-2019-0708 Description A remote code execution vulnerability exists in Remote Desktop Services formerly known as Terminal Services when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests, aka 'Remote Desktop Services Remote Code Execution Vulnerability'

CVE-2019-0708-Exploit Using CVE-2019-0708 to Locally Promote Privileges in Windows 10 System

CVE-2019-0708 CVE-2019-0708 cssxn Remember this person's dirty mouth. Yes, it was a joke yesterday. Have fun.

CVE-2019-0708 - BlueKeep (RDP) RDP Connection Sequence: docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/023f1e69-cfe8-4ee6-9ee0-7e759fb4e4ee Analysis of RDP Service Vulnerability: www.zerodayinitiative.com/blog/2019/5/27/cve-2019-0708-a-comprehensive-analysis-of-a-remote-desktop-services-vulnerability Please, check the above two links to understan

CVE-2019-0708 [BlueKeep] Exploit CVE-2019-0708 RCE and Crash Exploit using Python Crash Exploit [Published] Usage: python3 crashexploit.py 127.0.0.1 64 RCE Exploit [Not Published] Usage: python3 exploitrce.py 127.0.0.1 payload

cve-2019-0708 crash poc

CVE-2019-0708 Blue-screen PoC, Windows 7 64-bit, already tested~ Command: python crashpoc.py ip 64 github.com/n1xbyte/CVE-2019-0708/ Leaving for a wedding tomorrow, if I can't find anything then someone else take the reins Going to drop the crash PoC here Friday if there isn't one public already Maybe the following week, depending on if the vulnerable numbers drop consi

Mass-scanner-for-CVE-2019-0708-RDP-RCE-Exploit This script is written to improve this PoC script github.com/zerosum0x0/CVE-2019-0708 The rdesktop binary was taking too long to time out, so I wanted it to time out quicker. Multiple IP scan was not possible; now you can scan a given IP list. Example Run python3 script.py rdesktop rdp_ip_list -o vuln_ips For further information please

CVE-2019-0708 PoC Shellcode only tested on x86 versions of Windows thus far Be responsible and only use this with good intentions

CVE-2019-0708 Have fun

CVE-2019-0708 Our website: buyexploit.com CVE-2019-0708 RDP Remote Code Execute Exploit Support: WINXP/WIN7/WIN2K3/WIN2K8/WIN2K8R2 Mail To: buyexploit@protonmail.com website: buyexploit.com Buy the Exploit please visit website: www.buyexploit.com video: youtube/vxgB5qZ_OEs

CVE-2019-0708 CVE-2019-0708

CVE-2019-0708 Created this first; waiting for the experts to come, then I will update.

SwitHak Who am I? Hello, I am a French #security professional interested in #cybersecurity issues and other content related to the previous theme! Spoken languages: EN, FR My motto No system is truly secure; if the attacker has time and resources, he can compromise your information system! Social You can find me on Twitter: @SwitHak My Work CVE-2019-0708 aka BlueKee

CVE-2019-0708 CVE-2019-0708 Sorry Everyone This is our team's testing program, not click bait. If you think we have other purposes, reconsider yourself. If you want to busfame, I don't care. Thanks @testanull, sorry for my English. I don't understand what people want in this repo?

Recent Articles

Most Cyber Attacks Focus on Just Three TCP Ports
BleepingComputer • Ionut Ilascu • 17 Sep 2019

Small to mid-sized businesses can keep safe from most cyber attacks by protecting the ports that threat actors target the most. Three of them stand out in a crowd of more than 130,000 targeted in cyber incidents.
A report from threat intelligence and defense company Alert Logic enumerates the top weaknesses observed in attacks against over 4,000 of its customers.
According to the report, the ports most frequently used to carry out an attack are 22, 80, and 443, which correspond to SS...

Microsoft Addresses Two Zero-Days Under Active Attack
Threatpost • Tara Seals • 10 Sep 2019

Two elevation-of-privilege vulnerabilities that have been exploited in the wild as zero-days are at the heart of September’s Patch Tuesday update from Microsoft.
The two EoP vulnerabilities under active attack consist of CVE-2019-1214, which exists in the Windows Common Log File System (CLFS) Driver; and CVE-2019-1215, which impacts the Winsock IFS Driver (ws2ifsl.sys).
“Both flaws exist due to improper handling of objects in memory by the respective drivers,” said Satnam Naran...

Public BlueKeep Exploit Module Released by MetaSploit
BleepingComputer • Sergiu Gatlan • 06 Sep 2019

A public exploit module for the BlueKeep Windows vulnerability has been added today to the open-source Metasploit penetration testing framework, developed by Rapid7 in collaboration with the open-source community.
BlueKeep is a wormable remote code execution (RCE) security flaw discovered in the Windows Remote Desktop Protocol (RDP) service which enables unauthenticated attackers to run arbitrary code remotely, to launch denial of service attacks, and, in some cases, to take full con...

How to Get a Handle on Patch Management
Threatpost • Tom Spring • 03 Sep 2019

Patch management is a thankless job. Data shows, despite best efforts, that 80 percent of enterprise applications have at least one unpatched vulnerability in them, according to research by Veracode.
It is not for lack of trying that vulnerabilities persist. Last year 16,500 vulnerabilities were reported, making patching each one nearly an impossible task for any one company. Perhaps it shouldn’t be a surprise that Windows patching times appear to be moving in the wrong direction. According...

IT threat evolution Q2 2019. Statistics
Securelist • Victor Chebyshev Fedor Sinitsyn Denis Parinov Boris Larin Oleg Kupreev Evgeny Lopatin • 19 Aug 2019

These statistics are based on detection verdicts of Kaspersky products received from users who consented to provide statistical data.
According to Kaspersky Security Network,
Q2 2019 will be remembered for several events.
First, we uncovered a large-scale financial threat by the name of Riltok, which targeted clients of not only major Russian banks, but some foreign ones too.
Second, we detected the new Trojan.AndroidOS.MobOk malware, tasked with stealing money from mobil...

Microsoft Fixes Critical Windows 10 Wormable Remote Desktop Flaws
BleepingComputer • Sergiu Gatlan • 13 Aug 2019

Microsoft released patches for two new critical remote code execution (RCE) vulnerabilities found in the Remote Desktop Services (RDS) and affecting all in-support versions of Windows.
Users are urged by the Microsoft Security Response Center (MSRC) to patch the newly found Windows security flaws as soon as possible due to the elevated risks associated with wormable vulnerabilities.
The two critical RCE flaws are tracked as CVE-2019-1181 and CVE-2019-1182, and just like "...

APT trends report Q2 2019
Securelist • GReAT • 01 Aug 2019

For two years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly summaries of advanced persistent threat (APT) activity. The summaries are based on our threat intelligence research and provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports. They aim to highlight the significant events and findings that we feel people should be aware of.
This is our latest installment, focusing on activiti...

Fearing WannaCry-Level Danger, Enterprises Wrestle with BlueKeep
Threatpost • Tara Seals • 29 Jul 2019

The nightmare vision of a “mega-worm” global BlueKeep infection could be closer to becoming reality as working exploits are now becoming available to the public, and there’s evidence that adversaries are actively scanning for the vulnerability.
Researchers weighed in with Threatpost about how enterprises can thwart the critical Windows remote code-execution (RCE) vulnerability, even if immediate patching is too large an ask.
By way of background, the BlueKeep vulnerability (CVE...

BlueKeep RCE Exploit Module Added to Penetration Testing Tool
BleepingComputer • Sergiu Gatlan • 25 Jul 2019

Security outfit Immunity has included a fully working BlueKeep exploit in their CANVAS automated pentesting utility with the release of version 7.23, on July 23.
BlueKeep is a remote code execution (RCE) vulnerability present in the Windows Remote Desktop Protocol (RDP) service which enables remote unauthenticated attackers to run arbitrary code, to launch denial of service attacks, and, potentially, to take control of vulnerable systems.
While the news of a publicly available RCE ...

With more hints dropped online on how to exploit BlueKeep, you've patched that Windows RDP flaw, right?
The Register • Shaun Nichols in San Francisco • 24 Jul 2019

Someone just revealed the tricky kernel heap spray part

Vital clues on how to exploit the notorious Windows RDP bug, aka CVE-2019-0708 aka BlueKeep, and hijack vulnerable boxes, emerged online this week.
The growing number of hints can be used by folks to develop working code that attacks Microsoft's Remote Desktop Services software, on Windows XP through to Server 2008, and gains kernel-level code execution without any authentication or user interaction. You just need to be able to reach a vulnerable RDP server across the network or internet...

BlueKeep Scanner Discovered in Watchbog Cryptomining Malware
BleepingComputer • Sergiu Gatlan • 24 Jul 2019

A new Watchbog malware variant can scan for Windows computers vulnerable to BlueKeep exploits, with previous variants only being utilized to infect Linux servers compromised using Jira, Exim, Nexus Repository Manager 3, ThinkPHP, and Solr Linux exploits.
"Among the new Linux exploits, this version of WatchBog implements a BlueKeep RDP protocol vulnerability scanner module, which suggests that WatchBog is preparing a list of vulnerable systems to target in the future or to sell to th...

BlueKeep patching isn’t progressing fast enough
welivesecurity • Tomáš Foltýn • 17 Jul 2019

As of early July, more than 805,000 internet-facing systems remained susceptible to the BlueKeep security vulnerability, the news of which spooked the internet two months ago and prompted a flurry of alerts urging users and organizations to patch the critical flaw post-haste.
The tally, released today by cybersecurity ratings company BitSight, also shows that the number of vulnerable public-facing machines fell by 17 percent between May 31st and July 2nd, after the firm’s previous estima...

Wormable BlueKeep Bug Still Threatens Legions of Windows Systems
Threatpost • Tara Seals • 17 Jul 2019

For the past two months, security researchers have been sounding the alarm about BlueKeep, a critical remote code-execution vulnerability in Microsoft Windows that researchers said could lead to a “mega-worm” global infection. As of July 2, approximately 805,665 systems remain online that are vulnerable to BlueKeep, according to a status update.
The number of susceptible systems represents a decrease of 17.18 percent (167,164 systems) compared to May 31, including 92,082 systems which ...

BlueKeep Warnings Pay Off, Boost Patching in Enterprise Networks
BleepingComputer • Ionut Ilascu • 21 Jun 2019

The multiple warnings about patching Windows systems against the BlueKeep vulnerability (CVE-2019-0708) have not gone unheeded. Administrators of enterprise networks listened and updated most of the machines affected by the issue.
BlueKeep exists in the Remote Desktop Protocol (RDP) on older Windows releases that are still supported (Windows 7, Windows Server 2008 R2, and Windows Server 2008) as well as on OS versions that reached end-of-life status (Windows XP, Windows Server 2003).
...

Working BlueKeep Exploit Developed by DHS
Threatpost • Lindsey O'Donnell • 18 Jun 2019

The Department of Homeland Security has confirmed it has developed a working exploit for the “wormable” BlueKeep vulnerability. The agency issued an alert on Monday urging Windows users to update their machines as soon as possible.
The alert heightens concerns that malicious actors could soon also develop their own exploits of the BlueKeep flaw. The critical remote code execution vulnerability (CVE-2019-0708), though fixed during Microsoft’s May Patch Tuesday Security Bulletin, cont...

U.S. Govt Achieves BlueKeep Remote Code Execution, Issues Alert
BleepingComputer • Sergiu Gatlan • 17 Jun 2019

The Cybersecurity and Infrastructure Security Agency (CISA) published an alert for Windows users to patch the critical severity Remote Desktop Services (RDS) RCE security flaw known as BlueKeep.
The Department of Homeland Security's CISA says in the alert issued today that it has achieved remote code execution on a computer running a vulnerable version of Windows 2000.
This is the fourth warning for users to patch or upgrade their systems after two others from Microsoft [1, 2] a...

Finding Windows Systems Affected by BlueKeep Remote Desktop Bug
BleepingComputer • Lawrence Abrams • 11 Jun 2019

On last month's Patch Tuesday, Microsoft announced that a vulnerability in Remote Desktop Services was discovered that could allow wormable malware, such as ransomware, to easily propagate through vulnerable systems.
This vulnerability, now known as BlueKeep, was given the unique ID of CVE-2019-0708 and affects Windows 7, Windows 2008 R2, Windows Server 2008, Windows XP, and Windows Server 2003. Due to its severity, Microsoft released patches for all supported versions of Windows as we...

Forget BlueKeep: Beware the GoldBrute
Threatpost • Tara Seals • 07 Jun 2019

While everyone’s talking about the BlueKeep Mega-Worm, this is not the main monster to fear, according to recent web attack activity. Rather, a researcher is warning that the GoldBrute botnet poses the greatest threat to Windows systems right now.
In the past few days, GoldBrute (named after the Java class it uses) has attempted to brute-force Remote Desktop Protocol (RDP) connections for 1.5 million Windows systems and counting, according to Morphus Labs chief research officer Renato Ma...

NSA joins chorus urging Windows users to patch ‘BlueKeep’
welivesecurity • Tomáš Foltýn • 06 Jun 2019

The United States’ National Security Agency (NSA) has issued a rare alert urging Windows users and administrators to waste no time in patching the critical ‘BlueKeep’ security flaw in older Windows systems.
“This is the type of vulnerability that malicious cyber actors frequently exploit through the use of software code that specifically targets the vulnerability,” reads the NSA’s advisory.
It also specifically highlights BlueKeep’s ‘wormable’ nature and draws paral...

BlueKeep ‘Mega-Worm’ Looms as Fresh PoC Shows Full System Takeover
Threatpost • Tara Seals • 05 Jun 2019

A researcher has created a proof-of-concept Metasploit module for the critical BlueKeep vulnerability, which successfully demonstrates how to achieve complete takeover of a target Windows machine.
Reverse engineer Zǝɹosum0x0 tweeted about his success on Tuesday, noting that he plans to keep the module private given the danger that a working exploit could pose to the vast swathe of unpatched systems out there. He also released a video showing a remote code-execution (RCE) exploit working ...

MetaSploit Module Created for BlueKeep Flaw, Private for Now
BleepingComputer • Ionut Ilascu • 05 Jun 2019

A researcher has created a module for the Metasploit penetration testing framework that exploits the critical BlueKeep vulnerability on vulnerable Windows XP, 7, and Server 2008 machines to achieve remote code execution.
BlueKeep is a critical flaw in Remote Desktop Services that affects Windows 7 and Server 2008, as well as the unsupported Windows XP and Server 2003.
It is tracked as CVE-2019-0708 and Microsoft released a fix for it on May 14. A micropatch is available, too, for sy...

Remote Desktop Zero-Day Bug Allows Attackers to Hijack Sessions
BleepingComputer • Ionut Ilascu • 04 Jun 2019

A new zero-day vulnerability has been disclosed that could allow attackers to hijack existing Remote Desktop Services sessions in order to gain access to a computer.
The flaw can be exploited to bypass the lock screen of a Windows machine, even when two-factor authentication (2FA) mechanisms such as Duo Security MFA are used. Other login banners an organization may set up are also bypassed.
The issue is now tracked as CVE-2019-9510 and is described as an authentication bypass using a...

Microsoft Warns Users Again to Patch Wormable BlueKeep Flaw
BleepingComputer • Sergiu Gatlan • 31 May 2019

Microsoft issued a second warning for users of older Windows releases to patch their systems to block potential attackers from abusing the critical Remote Desktop Services (RDS) remote code execution vulnerability dubbed BlueKeep.
The first time, Microsoft issued a security fix designed to protect Windows computers running vulnerable RDS installations and block any malware capable of exploiting the flaw tracked as CVE-2019-0708 and of propagating between unpatched machines.
This sec...

Two weeks after Microsoft warned of Windows RDP worms, a million internet-facing boxes still vulnerable
The Register • Shaun Nichols in San Francisco • 28 May 2019

If you haven't patched CVE-2019-0708 aka BlueKeep, then, well, now would be a good time

The critical Windows Remote Desktop flaw that emerged this month may have set the stage for the worst malware attack in years.
The vulnerability, designated CVE-2019-0708 and dubbed BlueKeep, can be exploited by miscreants to execute malicious code and install malware on vulnerable machines without the need for any user authentication: a hacker simply has to be able to reach the box across the internet or network in order to commandeer it.
It is said to be a "wormable" security hole ...

One Million Devices Open to Wormable Microsoft BlueKeep Flaw
Threatpost • Lindsey O'Donnell • 28 May 2019

One million devices are still vulnerable to BlueKeep, a critical Microsoft bug with “wormable” capabilities, almost two weeks after a patch was released.
The flaw (CVE-2019-0708) was fixed during Microsoft’s May Patch Tuesday Security Bulletin earlier this month. System administrators were urged to immediately deploy fixes as the flaw could pave the way for a similar rapidly propagating attack on the scale of WannaCry.
Despite that, researchers on Tuesday warned that one milli...

BlueKeep RCE Flaw Gets Micropatch for Always-On Servers
BleepingComputer • Sergiu Gatlan • 24 May 2019

The 0patch platform issued a fix for the Remote Desktop Services RCE vulnerability known as BlueKeep, in the form of a 22-instruction micropatch which can be used to protect always-on servers against exploitation attempts.
The critical software flaw, tracked as CVE-2019-0708 and present in both in-support (Windows Server 2008 and Windows 7) and out-of-support (Windows Server 2003 and Windows XP) versions, was already patched by Microsoft on May 14, after the vulnerability was disclosed.
However, unl...

Patch now! Why the BlueKeep vulnerability is a big deal
welivesecurity • Ondrej Kubovič • 22 May 2019

Remember the panic that hit organizations around the world on May 12th, 2017 when machine after machine displayed the WannaCryptor ransom screen? Well, we might have a similar incident on our hands in the coming days, weeks or months if companies don’t update or otherwise protect their older Windows systems right away. The reason is BlueKeep, a ‘wormable’ critical Remote Code Execution (RCE) vulnerability in Remote Desktop Services that could soon become the new go-to vector for spreading ...

Researchers Demo PoC For Remote Desktop BlueKeep RCE Exploit
BleepingComputer • Sergiu Gatlan • 22 May 2019

A proof-of-concept remote code execution (RCE) exploit for the wormable BlueKeep vulnerability tracked as CVE-2019-0708 has been demoed by security researchers from McAfee Labs.
Microsoft issued a security fix on May 14 to patch the critical vulnerability on both out-of-support and in-support Windows versions, describing the bug as capable of allowing malware to self-propagate between vulnerable Windows machines, just "as the WannaCry malware spread across the globe in 2017."
The ...

Sophos tells users to roll back Microsoft's Patch Tuesday run if they want PC to boot
The Register • Gareth Corfield • 20 May 2019

Yes, the one with the critical security fixes

Brit security software slinger Sophos has advised its customers to uninstall Microsoft's most recent Patch Tuesday run – the same patches that protect servers against the latest Intel cockups.
In an advisory note published over the weekend, Sophos admitted the latest batch of Windows updates are causing the machines of some people using its AV wares to hang on boot, getting stuck while displaying the line "Configuring 30%".
"We have currently only identified the issue on some custo...

BlueKeep Remote Desktop Exploits Are Coming, Patch Now!
BleepingComputer • Ionut Ilascu • 20 May 2019

Update [05.21.2019]: Using information from their research and from public scripts, security professionals at NCC Group have created a network detection rule for CVE-2019-0708. After testing with Suricata IDS/IPS, NCC Group made it publicly available.
Security researchers have created exploits for the remote code execution vulnerability in Microsoft's Remote Desktop Services, tracked as CVE-2019-0708 and dubbed BlueKeep, and hackers may not be far behind.
While the vulnerability i...

Microsoft Patch Tuesday – May 2019
Symantec Threat Intelligence Blog • Ratheesh PM • 15 May 2019

This month the vendor has patched 79 vulnerabilities, 22 of which are rated Critical.

Posted: 15 May 2019 (24 min read)

As always, customers are advised to follow these security best practices:

Install vendor patches as soon as they are available.
Run all software with the least privileges required while still maintai...

Microsoft emits free remote-desktop security patches for WinXP to Server 2008 to avoid another WannaCry
The Register • Iain Thomson in San Francisco • 15 May 2019

Plus plenty of other fixes from Redmond and Adobe – and special guest star Citrix

Patch Tuesday It’s that time of the month again, and Microsoft has released a bumper bundle of security fixes for Patch Tuesday, including one for out-of-support operating systems Windows XP and Server 2003.
Usually support for such aging operating systems costs an arm and a leg, though Redmond has released a freebie because of the serious nature of the critical flaw, assigned CVE-2019-0708, in Remote Desktop Services, or Terminal Services as it was. The vulnerability allows remote code ...

Microsoft Patches Zero-Day Bug Under Active Attack
Threatpost • Tom Spring • 14 May 2019

Microsoft has released a patch for an elevation-of-privileges vulnerability rated important, which is being exploited in the wild.
The bug fix is part of Microsoft’s May Patch Tuesday Security Bulletin. It’s tied to the Windows Error Reporting feature and is being abused by attackers who have gained local access to affected PCs. They are able to trigger arbitrary code-execution in kernel mode — resulting in a complete system compromise.
“They would need to first gain access t...

Microsoft Fixes Critical Remote Desktop Flaw, Blocks Worm Malware
BleepingComputer • Sergiu Gatlan • 14 May 2019

Microsoft patched today a critical Remote Code Execution (RCE) vulnerability found in the Remote Desktop Services (RDS) platform which can allow malicious actors to create malware designed to propagate between computers running vulnerable RDS installations.
According to Microsoft's Windows IT Pro Center, "Remote Desktop Services (RDS) is the platform of choice for building virtualization solutions for every end customer need, including delivering individual virtualized applications, p...