
BlueKeep

From Wikipedia, the free encyclopedia
Windows security hole
"DejaBlue" redirects here. For bottled water brand, see Dejà Blue.
Not to be confused with BlueBEEP.
BlueKeep
A logo created for the vulnerability, featuring a keep, a fortified tower built within castles
CVE identifier(s): CVE-2019-0708
Date patched: 14 May 2019[1]
Discoverer: UK National Cyber Security Centre[2]
Affected software: pre-Windows 8 versions of Microsoft Windows

BlueKeep (CVE-2019-0708) is a security vulnerability in Microsoft's Remote Desktop Protocol (RDP) implementation that allows remote code execution.

First reported in May 2019, it is present in all unpatched Windows NT-based versions of Microsoft Windows from Windows 2000 through Windows Server 2008 R2 and Windows 7. Microsoft issued a security patch (including an out-of-band update for several versions of Windows that had reached their end-of-life, such as Windows XP) on 14 May 2019. On 13 August 2019, related BlueKeep security vulnerabilities, collectively named DejaBlue, were reported to affect newer Windows versions, including Windows 7 and all recent versions of the operating system up to Windows 10, as well as the older Windows versions.[3] On 6 September 2019, a Metasploit exploit for the wormable BlueKeep security vulnerability was announced to have been publicly released.[4]

History


The BlueKeep security vulnerability was first noted by the UK National Cyber Security Centre[2] and, on 14 May 2019, reported by Microsoft. The vulnerability was named BlueKeep by computer security expert Kevin Beaumont on Twitter. BlueKeep is officially tracked as CVE-2019-0708 and is a "wormable" remote code execution vulnerability.[5][6]

Both the U.S. National Security Agency (which issued its own advisory on the vulnerability on 4 June 2019)[7] and Microsoft stated that this vulnerability could potentially be used by self-propagating worms, with Microsoft (based on a security researcher's estimation that nearly 1 million devices were vulnerable) saying that such a theoretical attack could be of a similar scale to EternalBlue-based attacks such as NotPetya and WannaCry.[8] [9] [7]

On the same day as the NSA advisory, researchers at the CERT Coordination Center disclosed a separate RDP-related security issue in the Windows 10 May 2019 Update and Windows Server 2019, citing a new behaviour in which RDP Network Level Authentication (NLA) login credentials are cached on the client system, so that the user can regain access to their RDP connection automatically if their network connection is interrupted. Microsoft dismissed this vulnerability as being intended behaviour, and it can be disabled via Group Policy.[10]

As of 1 June 2019, no active malware exploiting the vulnerability appeared to be publicly known; however, undisclosed proof-of-concept (PoC) code exploiting the vulnerability may have been available.[8][11][12][13] On 1 July 2019, Sophos, a British security company, reported on a working example of such a PoC, in order to emphasize the urgent need to patch the vulnerability.[14][15][16] On 22 July 2019, more details of an exploit were purportedly revealed by a conference speaker from a Chinese security firm.[17] On 25 July 2019, computer experts reported that a commercial version of the exploit may have been available.[18][19] On 31 July 2019, computer experts reported a significant increase in malicious RDP activity and warned, based on histories of exploits from similar vulnerabilities, that an active exploit of the BlueKeep vulnerability in the wild might be imminent.[20]

On 13 August 2019, related BlueKeep security vulnerabilities, collectively named DejaBlue, were reported to affect newer Windows versions, including Windows 7 and all recent versions of the operating system up to Windows 10, as well as the older Windows versions.[3]

On 6 September 2019, an exploit of the wormable BlueKeep security vulnerability was announced to have been released into the public realm.[4] The initial version of this exploit was, however, unreliable, being known to cause "blue screen of death" (BSOD) errors. A fix was later announced, removing the cause of the BSOD error.[21]

On 2 November 2019, the first BlueKeep hacking campaign on a mass scale was reported, and included an unsuccessful cryptojacking mission.[22]

On 8 November 2019, Microsoft confirmed a BlueKeep attack, and urged users to immediately patch their Windows systems.[23]

Mechanism


RDP uses "virtual channels", configured before authentication, as a data path between the client and server for providing extensions. RDP 5.1 defines 32 "static" virtual channels, and "dynamic" virtual channels are contained within one of these static channels. If a server binds the virtual channel "MS_T120" (a channel that a client has no legitimate reason to connect to) with a static channel other than 31, heap corruption occurs that allows for arbitrary code execution at the system level.[24]
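
As an added example (not from the article or any cited source), the following Python code shows the detection side of this mechanism: it parses the client's static channel request list and reports any entry named MS_T120. The block layout (type 0xC003, 12-byte channel definitions) follows the Client Network Data structure in Microsoft's MS-RDPBCGR specification; the function names and sample blocks are constructed here, and the input is assumed to have been extracted already from an unencrypted or decrypted connection request.

```python
import struct

CS_NET = 0xC003           # TS_UD_CS_NET header type (MS-RDPBCGR)
CHANNEL_DEF_SIZE = 12     # 8-byte ANSI name + 4-byte options
MAX_STATIC_CHANNELS = 31  # a client may request at most 31 channels


def parse_cs_net(block: bytes):
    """Return the channel names requested in one Client Network Data block."""
    if len(block) < 8:
        raise ValueError("truncated CS_NET header")
    btype, blen, count = struct.unpack_from("<HHI", block, 0)
    if btype != CS_NET:
        raise ValueError(f"not a CS_NET block (type {btype:#06x})")
    if count > MAX_STATIC_CHANNELS:
        raise ValueError(f"channelCount {count} exceeds protocol maximum")
    if blen != 8 + count * CHANNEL_DEF_SIZE or blen > len(block):
        raise ValueError("length field inconsistent with channelCount")
    names = []
    for i in range(count):
        raw, _options = struct.unpack_from("<8sI", block, 8 + i * CHANNEL_DEF_SIZE)
        names.append(raw.split(b"\x00", 1)[0].decode("ascii", "replace"))
    return names


def bluekeep_indicators(block: bytes):
    """List (slot, name) pairs where a client asks for the MS_T120 channel."""
    return [(i, n) for i, n in enumerate(parse_cs_net(block))
            if n.upper() == "MS_T120"]


def build_cs_net(names):
    """Build a constructed sample block for exercising the parser."""
    body = b"".join(struct.pack("<8sI", n.encode("ascii"), 0) for n in names)
    return struct.pack("<HHI", CS_NET, 8 + len(body), len(names)) + body


# Constructed samples: a typical client channel list and a suspicious one.
BENIGN = build_cs_net(["rdpdr", "rdpsnd", "cliprdr", "drdynvc"])
SUSPECT = build_cs_net(["rdpdr", "MS_T120", "cliprdr"])

if __name__ == "__main__":
    for label, blk in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, parse_cs_net(blk), bluekeep_indicators(blk))
```

When RDP is wrapped in TLS or NLA is enforced, this channel list is not visible on the wire, so the check applies to decrypted traffic or host-side logging.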

Windows XP, Windows Vista, Windows 7, Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 were named by Microsoft as being vulnerable to this attack. Versions newer than 7, such as Windows 8, Windows 10 and Windows 11, were not affected. The Cybersecurity and Infrastructure Security Agency stated that it had also successfully achieved code execution via the vulnerability on Windows 2000.[25]

Mitigation


Microsoft released patches for the vulnerability on 14 May 2019, for Windows XP, Windows Vista, Windows 7, Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2. This included versions of Windows that have reached their end-of-life (such as Vista, XP, and Server 2003) and thus are no longer eligible for security updates.[8] The patch forces the aforementioned "MS_T120" channel to always be bound to 31 even if requested otherwise by an RDP server.[24]

The NSA recommended additional measures, such as disabling Remote Desktop Services and its associated port (TCP 3389) if it is not being used, and requiring Network Level Authentication (NLA) for RDP.[26] According to computer security company Sophos, two-factor authentication may make the RDP issue less of a vulnerability. However, the best protection is to take RDP off the Internet: switch RDP off if not needed and, if needed, make RDP accessible only via a VPN.[27]


References

  1. ^ Foley, Mary Jo (2019-05-14). "Microsoft patches Windows XP, Server 2003 to try to head off 'wormable' flaw". ZDNet. Archived from the original on 2019-06-04. Retrieved 2019-06-07.
  2. ^ a b Microsoft (May 2019). "Security Update Guide - Acknowledgements, May 2019". Microsoft. Archived from the original on 2019-11-23. Retrieved 2019-06-07.
  3. ^ a b Greenberg, Andy (2019-08-13). "DejaBlue: New BlueKeep-Style Bugs Renew The Risk Of A Windows worm". Wired. Archived from the original on 2021-04-13. Retrieved 2019-08-13.
  4. ^ a b Goodin, Dan (2019-09-06). "Exploit for wormable BlueKeep Windows bug released into the wild - The Metasploit module isn't as polished as the EternalBlue exploit. Still, it's powerful". Ars Technica. Archived from the original on 2019-11-27. Retrieved 2019-09-06.
  5. ^ "Customer guidance for CVE-2019-0708 - Remote Desktop Services Remote Code Execution Vulnerability". Microsoft. 2019-05-14. Archived from the original on 2019-09-13. Retrieved 2019-05-29.
  6. ^ "CVE-2019-0708 Remote Desktop Services Remote Code Execution Vulnerability - Security Vulnerability". Microsoft. 2019-05-14. Archived from the original on 2019-05-29. Retrieved 2019-05-28.
  7. ^ a b Cimpanu, Catalin. "Even the NSA is urging Windows users to patch BlueKeep (CVE-2019-0708)". ZDNet. Archived from the original on 2019-09-06. Retrieved 2019-06-20.
  8. ^ a b c Goodin, Dan (2019-05-31). "Microsoft practically begs Windows users to fix wormable BlueKeep flaw". Ars Technica. Archived from the original on 2019-07-22. Retrieved 2019-05-31.
  9. ^ Warren, Tom (2019-05-14). "Microsoft warns of major WannaCry-like Windows security exploit, releases XP patches". The Verge. Archived from the original on 2019-09-02. Retrieved 2019-06-20.
  10. ^ "Microsoft dismisses new Windows RDP 'bug' as a feature". Naked Security. 2019-06-06. Archived from the original on 2019-12-17. Retrieved 2019-06-20.
  11. ^ Whittaker, Zack (2019-05-31). "Microsoft warns users to patch as exploits for 'wormable' BlueKeep bug appear". TechCrunch. Archived from the original on 2019-05-31. Retrieved 2019-05-31.
  12. ^ O'Neill, Patrick Howell (2019-05-31). "You Need to Patch Your Older Windows PCs Right Now to Patch a Serious Flaw". Gizmodo. Archived from the original on 2019-06-01. Retrieved 2019-05-31.
  13. ^ Winder, Davey (2019-06-01). "Microsoft Issues 'Update Now' Warning To Windows Users". Forbes. Archived from the original on 2019-06-01. Retrieved 2019-06-01.
  14. ^ Palmer, Danny (2019-07-02). "BlueKeep: Researchers show how dangerous this Windows exploit could really be - Researchers develop a proof-of-concept attack after reverse engineering the Microsoft BlueKeep patch". ZDNet. Archived from the original on 2019-07-02. Retrieved 2019-07-02.
  15. ^ Stockley, Mark (2019-07-01). "RDP BlueKeep exploit shows why you really, really need to patch". NakedSecurity.com. Archived from the original on 2019-12-07. Retrieved 2019-07-01.
  16. ^ Staff (2019-05-29). "CVE-2019-0708: Remote Desktop Services remote code execution vulnerability (known as BlueKeep) - Technical Support Bulletin". Sophos. Archived from the original on 2019-07-03. Retrieved 2019-07-02.
  17. ^ Goodin, Dan (2019-07-22). "Chances of destructive BlueKeep exploit rise with new explainer posted online - Slides give the most detailed publicly available technical documentation seen so far". Ars Technica. Archived from the original on 2019-11-08. Retrieved 2019-07-23.
  18. ^ Cimpanu, Catalin (2019-07-25). "US company selling weaponized BlueKeep exploit - An exploit for a vulnerability that Microsoft feared it may trigger the next WannaCry is now being sold commercially". ZDNet. Archived from the original on 2019-11-08. Retrieved 2019-07-25.
  19. ^ Franceschi-Bicchierai, Lorenzo (2019-07-26). "Cybersecurity Firm Drops Code for the Incredibly Dangerous Windows 'BlueKeep' Vulnerability - Researchers from U.S. government contractor Immunity have developed a working exploit for the feared Windows bug known as BlueKeep". Vice. Archived from the original on 2019-07-26. Retrieved 2019-07-26.
  20. ^ Rudis, Bob (2019-07-31). "BlueKeep Exploits May Be Coming: Our Observations and Recommendations". Rapid7.com. Archived from the original on 2019-08-01. Retrieved 2019-08-01.
  21. ^ Cimpanu, Catalin (2019-11-11). "BlueKeep exploit to get a fix for its BSOD problem". ZDNet. Archived from the original on 2019-11-18. Retrieved 2019-11-13.
  22. ^ Greenberg, Andy (2019-11-02). "The First BlueKeep Mass Hacking Is Finally Here—but Don't Panic - After months of warnings, the first successful attack using Microsoft's BlueKeep vulnerability has arrived—but isn't nearly as bad as it could have been". Wired. Archived from the original on 2019-12-02. Retrieved 2019-11-03.
  23. ^ "Microsoft works with researchers to detect and protect against new RDP exploits". Microsoft. 2019-11-07. Archived from the original on 2019-11-23. Retrieved 2019-11-09.
  24. ^ a b "RDP Stands for "Really DO Patch!" – Understanding the Wormable RDP Vulnerability CVE-2019-0708". McAfee Blogs. 2019-05-21. Archived from the original on 2020-03-07. Retrieved 2019-06-19.
  25. ^ Tung, Liam. "Homeland Security: We've tested Windows BlueKeep attack and it works so patch now". ZDNet. Archived from the original on 2019-06-19. Retrieved 2019-06-20.
  26. ^ Cimpanu, Catalin. "Even the NSA is urging Windows users to patch BlueKeep (CVE-2019-0708)". ZDNet. Archived from the original on 2019-09-06. Retrieved 2019-06-20.
  27. ^ Stockley, Mark (2019-07-17). "RDP exposed: the wolves already at your door". Sophos. Archived from the original on 2019-10-18. Retrieved 2019-07-17.