04/06/2019

RDP Vulnerability CVE-2019-0708

Our security partner Dell Secureworks have advised of a publicly available proof-of-concept (PoC) exploit for the ‘BlueKeep’ vulnerability (CVE-2019-0708), which affects the Microsoft Remote Desktop Protocol (RDP). The exploit causes a denial of service on affected systems. It is expected that threat actors will adapt the PoC for remote code execution in the near future.

Recommended actions

Members are strongly advised to review firewall rules regularly and to be aware of what they are exposing to the Internet: https://www.empsn.org.uk/knowledge-base/reviewing-firewall-rules/

Members should apply the security update as soon as possible. This flaw was addressed in the May 2019 Microsoft Patch Tuesday security update. Other actions that may mitigate this issue include disabling Remote Desktop Services if not required; enabling Network Level Authentication on systems running supported installations of Windows 7, Windows Server 2008, and Windows Server 2008 R2; and blocking TCP port 3389 at the enterprise perimeter firewall.
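
A read-only PowerShell check of the local host against the mitigations above, added here as an example and not part of the original advisory. It reads the standard Terminal Server registry values (a value set by Group Policy takes precedence over the local one) and does not verify that the May 2019 update is installed.

```powershell
# Added example: read-only audit of this host against the advisory's mitigations.
# Avoids cmdlets newer than Windows PowerShell 2.0 so it can run on Windows 7 / Server 2008 R2.
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$tsKey\WinStations\RDP-Tcp"
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RegValue([string]$Path, [string]$Name) {
    # Return $null when the key or value is absent instead of raising an error.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

function Get-EffectiveValue([string]$LocalPath, [string]$Name) {
    # A value set by Group Policy overrides the locally configured one.
    $fromPolicy = Get-RegValue $policy $Name
    if ($null -ne $fromPolicy) { $fromPolicy } else { Get-RegValue $LocalPath $Name }
}

$deny = Get-EffectiveValue $tsKey  'fDenyTSConnections'  # 0 = RDP connections allowed
$nla  = Get-EffectiveValue $rdpTcp 'UserAuthentication'  # 1 = NLA required
$port = Get-RegValue $rdpTcp 'PortNumber'
if ($null -eq $port) { $port = 3389 }                    # default RDP port

# Is anything actually listening on the RDP port right now?
$ipProps   = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
$listening = @($ipProps.GetActiveTcpListeners() | Where-Object { $_.Port -eq $port }).Count -gt 0

$svc        = Get-Service -Name TermService -ErrorAction SilentlyContinue
$svcStatus  = if ($svc) { $svc.Status } else { 'NotFound' }
$rdpEnabled = ($deny -eq 0)

$findings = @()
if ($rdpEnabled -and ($nla -ne 1)) {
    $findings += 'RDP is enabled without Network Level Authentication.'
}
if ($rdpEnabled -or $listening) {
    $findings += "RDP is enabled or listening on TCP $port; disable it if not required and block the port at the perimeter."
}
if ($findings.Count -eq 0) { $findings += 'RDP is disabled and nothing is listening on the RDP port.' }

New-Object PSObject -Property @{
    Computer    = $env:COMPUTERNAME
    RdpEnabled  = $rdpEnabled
    NlaRequired = ($nla -eq 1)
    Port        = $port
    Listening   = $listening
    Service     = $svcStatus
    Findings    = $findings -join ' '
} | Format-List
```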

References

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708

https://www.malwaretech.com/2019/05/analysis-of-cve-2019-0708-bluekeep.html

https://github.com/n1xbyte/CVE-2019-0708/blob/master/crashpoc.py
