BlueKeep Vulnerability

Lock your Windows! Malicious actors can step right into your machine to wreak havoc on your system.

Are you or your organization running systems with the Windows operating system with Remote Desktop Protocol (RDP) enabled? If so, you need to check your machines and ensure they've been patched with the latest Microsoft security updates.

All security patches are important and should be applied, but this one is especially important. The BlueKeep vulnerability is "wormable", meaning it can be spread rapidly and automatically amongst unprotected systems.

This vulnerability can be exploited remotely and does not require any interaction to be successful.

Make sure to get the latest updates for your operating system!

Site last updated: May 29th, 2019

Who discovered BlueKeep?

Initial Report

BlueKeep was discovered and reported by:

Solution Creator

The organization who created the security fix:

BlueKeep in Action

In the demo, McAfee shows how an attacker can send carefully crafted packets to a machine running a vulnerable version of Microsoft's Remote Desktop Protocol (RDP) in order to gain unauthorized access to the system.

Questions & Answers

If your operating system is Windows 7 or Windows Server 2008 and you are running Remote Desktop Protocol (RDP), most likely, yes.

You can check your system configuration using the following steps.

You can disable Remote Desktop Protocol, block port 3389 at your network firewall, or configure Network Level Authentication (NLA) for RDP.
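As an added example that is not part of the original page, the following PowerShell script reports whether a host is in the affected Windows family listed on this page, whether RDP is enabled, and whether the NLA mitigation is configured; it reads the standard Terminal Server registry values and assumes you supply the update's KB number as a placeholder parameter, since the page does not list it.

```powershell
# Added example, not from the original page: audit a Windows host for the
# BlueKeep (CVE-2019-0708) exposure conditions and mitigations named above.
# Run from an elevated PowerShell prompt on the machine being checked.
# $PatchKB is a placeholder: fill in the KB number from Microsoft's advisory
# for CVE-2019-0708 for your OS version.
param(
    [string]$PatchKB = "KB<PLACEHOLDER-FROM-MS-ADVISORY>"
)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

# fDenyTSConnections = 1 means Remote Desktop connections are disabled.
$denyTS = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections `
           -ErrorAction SilentlyContinue).fDenyTSConnections
$rdpEnabled = ($denyTS -eq 0)

# UserAuthentication = 1 means Network Level Authentication is required,
# so a client must authenticate before a full RDP session is negotiated.
$nla = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication `
        -ErrorAction SilentlyContinue).UserAuthentication
$nlaRequired = ($nla -eq 1)

# Windows 7 and Server 2008 R2 report kernel version 6.1; Server 2008 reports 6.0.
# This is an approximation of the affected list on this page, not a full check.
$os = Get-WmiObject Win32_OperatingSystem
$osVersion = [version]$os.Version
$affectedFamily = ($osVersion.Major -eq 6 -and $osVersion.Minor -le 1)

# Get-HotFix lists installed Windows updates; a missing KB returns nothing.
# Only meaningful once $PatchKB has been replaced with the real KB number.
$patchInstalled = [bool](Get-HotFix -Id $PatchKB -ErrorAction SilentlyContinue)

[pscustomobject]@{
    ComputerName   = $env:COMPUTERNAME
    OSVersion      = "$($os.Caption) ($osVersion)"
    AffectedFamily = $affectedFamily
    RDPEnabled     = $rdpEnabled
    NLARequired    = $nlaRequired
    PatchInstalled = $patchInstalled
    # Unpatched affected host with RDP reachable is the condition to fix first.
    Exposed        = ($affectedFamily -and $rdpEnabled -and -not $patchInstalled)
}
```

Run it across the fleet with Invoke-Command to collect one object per host and sort by the Exposed and NLARequired columns when prioritising patching.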

This will depend on the anti-virus solution and configuration. However, it's best to just apply the security patch.

Yes, Microsoft released a patch in May 2019. You can download it here.

We don't know.

ZDI published a guest blog walking through technical details behind the vulnerability. Other organizations have refrained from posting details.

There is a Metasploit module to detect this vulnerability. There is no module to exploit the vulnerability.

BlueKeep is a "wormable" vulnerability meaning it can be spread rapidly and automatically amongst unprotected systems. These types of flaws are especially bad and have been recently abused in public attacks like WannaCry.

It's not entirely clear, but news articles estimate it could be more than 7 million systems.

Windows 7 for 32-bit Systems Service Pack 1

Windows 7 for x64-based Systems Service Pack 1

Windows Server 2008 for 32-bit Systems Service Pack 2

Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)

Windows Server 2008 for Itanium-Based Systems Service Pack 2

Windows Server 2008 for x64-based Systems Service Pack 2

Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)

Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1

Windows Server 2008 R2 for x64-based Systems Service Pack 1

Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)

CVE-2019-0708 is the official reference to the BlueKeep vulnerability. CVE is the Standard for Information Security Vulnerability Names maintained by MITRE.

Kind of. Several anti-virus vendors have managed to create a successful exploit of the vulnerability, but no code has been published publicly.

Kevin Beaumont named the vulnerability, inspired by Game of Thrones. More importantly, BlueKeep serves as an easy way to communicate about the vulnerability.

Yes! If you want to suggest a change, issue a pull request here.

Acknowledgments

National Cyber Security Centre (NCSC) for working with Microsoft to report the vulnerability.

Microsoft for issuing a patch for the vulnerability.

McAfee for creating a video demonstration of a successful simulated attack.

Graz University of Technology for continuing the trend of marketing vulnerabilities and providing a clean template.