On May 14th 2019 Microsoft released patches for several security vulnerabilities, including CVE-2019-0708, which carries the following description:
“A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system.”
This is a critical vulnerability which is being referred to as ‘BlueKeep’ and affects Windows XP, 7, 2003 and 2008. Microsoft have released patches for all affected operating systems.
The use of RDP as an entry point into a network by attackers is unfortunately very common and is routinely seen in a variety of different attacks, including ransomware: Ransomware-spreading hackers sneak in through RDP. This vulnerability will likely be exploited to make these types of attacks easier and even more common. Additionally, the vulnerability has been described as ‘wormable’, which means that malware could be created to exploit it in an automated manner with no user interaction, enabling it to spread to a wide group of victims. This is similar to what was seen in the WannaCry ransomware attacks, where the ransomware spread via a ‘wormable’ exploit known as EternalBlue.
Sophos have released IPS signatures for the Sophos XG Firewall (SFOS) and the Cyberoam Appliances (CROS) on the 21st of May 2019 as part of SigPack version xx.15.91.
The following sections are covered:
Customers with the impacted versions of Windows should
Note: New IPS signatures for Sophos UTM products will be available shortly, and this article will be updated with the information when it becomes available.
Patching all affected computers against this vulnerability is the best method of protecting yourself from attack. Sophos strongly advise customers to patch their systems as soon as possible and to ensure Sophos updates are applied automatically, as we will be adding new protections to mitigate this threat over time.
Further protective steps to improve protection include: