Category Archives: RDP

0patch issued a micropatch to address the BlueKeep flaw in always-on servers

0patch, released a security patch to address the BlueKeep vulnerability, that can be deployed by administrators to protect always-on servers.

Microsoft Patch Tuesday updates for May 2019 address nearly 80 vulnerabilities, including an RDS vulnerability dubbed BlueKeep that can be exploited to carry out WannaCry-like attack.

The issue is a remote code execution flaw in Remote Desktop Services (RDS) that it can be exploited by an unauthenticated attacker by connecting to the targeted system via the RDP and sending specially crafted requests.

As explained by Microsoft, this vulnerability could be exploited by malware with wormable capabilities, it could be exploited without user interaction, making it possible for malware to spread in an uncontrolled way into the target networks.

The vulnerability doesn’t affect Windows 8 and Windows 10, anyway previous versions are exposed to the risk of cyber attacks.

Microsoft also advised Windows Server users to block TCP port 3389 and enable Network Level Authentication to prevent any unauthenticated attacker from exploiting this vulnerability.

Experts at 0patch, released a security patch to address the BlueKeep vulnerability, it is a tiny micro-patch composed of 22 instructions that can be deployed by administrators to protect always-on servers.

The main difference with the patch released by Microsoft is that the 0patch’s micropatch

However, unlike Microsoft’s security fix, 0patch’s micropatch does not require rebooting, the deployment of security updates on always-on servers sometimes is deployed because normally it is not possible to restart them without following specific procedures.

At the time the fix only works on systems running 32-bit Windows XP SP3, anyway, the expert plan to port it to Server 2003 and other versions.

0patch confirmed that the released code is a PRO-only micropatch, this means that only PRO users will automatically have it applied within 60 minutes or upon manual sync.

Several security experts have developed PoC exploits for wormable BlueKeep Windows RDS, including McAfee Labs’ researchers that also provided extra mitigation measures. McAfee experts suggest:

  • Disable RDP is not needed, anyway, limit it only internally if necessary.
  • Client requests with “MS_T120” on any channel other than 31 during GCC Conference Initialization sequence of the RDP protocol should be blocked unless there is evidence for legitimate use case.

Don’t waste time, patch your system against the BlueKeep vulnerability asap, it is a matter of time that hacker will start to exploit the issue in attacks in the wild.


If you appreciate my effort in spreading cybersecurity awareness, please vote for Security Affairs in the section “Your Vote for the Best EU Security Tweeter”

Thank you

Pierluigi Paganini

(SecurityAffairs – BlueKeep, hacking)

The post 0patch issued a micropatch to address the BlueKeep flaw in always-on servers appeared first on Security Affairs.

If you haven’t yet patched the BlueKeep RDP vulnerability, do so now

There is still no public, working exploit code for CVE-2019-0708, a flaw that could allow an unauthenticated remote attacker to execute remote code on a vulnerable target running Remote Desktop Protocol (RDP). But, as many infosec experts have noted, we’re not far off from when one is created and leveraged by attackers in the wild. With the vulnerability being wormable, when it hits, the exploit could end up compromising millions of systems around the world, … More

The post If you haven’t yet patched the BlueKeep RDP vulnerability, do so now appeared first on Help Net Security.

CVE-2019-0708 – A Critical “Wormable” Remote Code Execution Vulnerability in Windows RDP

This is an important security advisory related to a recently patched Critical remote code execution vulnerability in Microsoft Windows Remote Desktop Service (RDP). The vulnerability is identified as “CVE-2019-0708 – Remote Desktop Services Remote Code Execution Vulnerability”. MSRC blog mentions This vulnerability is pre-authentication and requires no user interaction. In other…

Microsoft Patch Tuesday addresses dangerous RDS flaw that opens to WannaCry-like attacks

Microsoft Patch Tuesday updates for May 2019 address nearly 80 vulnerabilities, including an RDS flaw allowing WannaCry-Like attacks.

Microsoft Patch Tuesday updates for May 2019 address nearly 80 vulnerabilities, including a Windows zero-day flaw and an RDS vulnerability that can be exploited to carry out WannaCry-like attack.

The zero-day vulnerability addressed by Microsoft Patch Tuesday updates for May 2019 is a privilege escalation flaw related to the way the Windows Error Reporting (WER) system handles files. The vulnerability tracked as CVE-2019-0863 could be exploited by an attacker with low-privileged access to the targeted system to deliver a malware.

“An elevation of privilege vulnerability exists in the way Windows Error Reporting (WER) handles files. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with administrator privileges.” reads the security advisory published by Microsoft.

“To exploit the vulnerability, an attacker must first gain unprivileged execution on a victim system.”

The vulnerability was reported by experts at Palo Alto Networks and an expert who online with the moniker “Polar Bear.”

RDP flaw Microsoft Patch Tuesday

Microsoft Patch Tuesday updates for May 2019 also addresses a remote code execution flaw in Remote Desktop Services (RDS). The flaw tracked as CVE-2019-0708 can be exploited by an unauthenticated attacker by connecting to the targeted system via the Remote Desktop Protocol (RDP) and sending specially crafted requests.

“A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests.” reads the security advisory published by Microsoft. “This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

“To exploit this vulnerability, an attacker would need to send a specially crafted request to the target systems Remote Desktop Service via RDP.”

It is important to highlight that the RDP itself is not vulnerable.

As explained by Microsoft, this vulnerability could be exploited by malware with wormable capabilities. It could be exploited by unautheticated attacker and without users interaction, making it possible for malware to spread in an uncontrolled way into the target networks.

The thought is for the WannaCry attack.

“This vulnerability is pre-authentication and requires no user interaction. In other words, the vulnerability is ‘wormable’, meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017.” reads a blog post published by Microsoft. “While we have observed no exploitation of this vulnerability, it is highly likely that malicious actors will write an exploit for this vulnerability and incorporate it into their malware.”

The vulnerability doesn’t affect Windows 8 and Windows 10, anyway previous versions are exposed to the risk of cyber attacks.

Microsoft Patch Tuesday updates for May 2019 also address vulnerabilities in Windows OS, Internet Explorer, Edge, Microsoft Office, and Microsoft Office Services and Web Apps, ChakraCore, .NET Framework, and ASP.NET, Skype for Android, Azure DevOps Server, and the NuGet Package Manager.

Microsoft released security updates for Windows 7, Windows Server 2008 R2, and Windows Server 2008, The tech giant has also separately released patches for out-of-support versions of Windows such as Windows 2003 and Windows XP.

18 vulnerabilities have been rated as critical and rest Important in severity. 

Microsoft also advised Windows Server users to block TCP port 3389 and enable Network Level Authentication to prevent any unauthenticated attacker from exploiting this vulnerability.

Pierluigi Paganini

(SecurityAffairs – Windows, RDP)

The post Microsoft Patch Tuesday addresses dangerous RDS flaw that opens to WannaCry-like attacks appeared first on Security Affairs.

Microsoft plugs wormable RDP flaw, new speculative execution side channel vulnerabilities

For May 2019 Patch Tuesday, Microsoft has released fixes for 79 vulnerabilities, 22 of which are deemed critical. Among the fixes is that for CVE-2019-0708, a “wormable” RDP flaw that is expected to be weaponised by attackers very soon. About CVE-2019-0708 It’s a remote code execution vulnerability in Remote Desktop Services (formerly known as Terminal Services) that allows unauthenticated attackers to connect to the target system using RDP and send specially crafted requests. The flaw … More

The post Microsoft plugs wormable RDP flaw, new speculative execution side channel vulnerabilities appeared first on Help Net Security.