[Sophos Notification] CVE-2019-0708: Remote Desktop Services remote code execution vulnerability (known as BlueKeep)

Hi Community,

On May 14th, 2019 Microsoft released patches for several security vulnerabilities, this included CVE-2019-0708 with the below description:

“A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system.”

This is a critical vulnerability which is being referred to as ‘BlueKeep’ and affects Windows XP, 7, 2003 and 2008. Microsoft has released patches for all affected operating systems.

The use of RDP as an entry point into a network by attackers is unfortunately very common and is routinely used in a variety of different attacks, including ransomware: Ransomware-spreading hackers sneak in through RDP. This vulnerability will likely be exploited to make these type of attacks easier and even more common. Additionally this the vulnerability has also been described as ‘wormable’ which means that malware could be created to exploit this vulnerability in an automated method with no user interaction, enabling it to spread to a wide group of victims. Similar to what was seen in the WannaCry ransomware attacks where the ransomware spread via a ‘wormable’ exploit known as EternalBlue.

Patching all affected computers against this vulnerability is the best method of protecting yourself from attack, Sophos strongly advise customers to patch their systems as soon as possible and ensure Sophos updates are automatically applied as we will be adding new protections to mitigate this threat over time.

Sophos has released IPS signatures for the Sophos XG Firewall (SFOS) and the Cyberoam Appliances (CROS) on the 21st of May 2019 as part of SigPack version xx.15.91.

  • Note: New IPS signatures for Sophos UTM products will be available shortly, and this article will be updated with the information when it becomes available.

This notification article has been published and will be updated when more information becomes available.