Description Preview
A remote code execution vulnerability exists in Remote Desktop Services formerly known as Terminal Services when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests, aka 'Remote Desktop Services Remote Code Execution Vulnerability'.
Overview
CVE-2019-0708, commonly referred to as BlueKeep, is a critical remote code execution flaw in Microsoft Windows Remote Desktop Services that could be exploited over a network by unauthenticated attackers who send crafted RDP requests, potentially allowing full control of affected systems. The issue affects multiple Windows client and server editions listed as affected, including Windows 7 Service Pack 1 (32-bit and x64) and various Windows Server 2008/2008 R2 configurations.
Remediation
- Apply the Microsoft security updates that fix CVE-2019-0708 to all affected Windows editions (Windows 7 SP1, Windows Server 2008/2008 R2 SP1, including core installations where applicable) via Windows Update, WSUS, or enterprise software deployment tooling.
- Enable Network Level Authentication (NLA) for Remote Desktop and require authentication before establishing an RDP session.
- Restrict RDP exposure to trusted networks only: block RDP (port 3389) from the internet at the firewall, or place RDP behind a VPN or Remote Desktop Gateway.
- If RDP must be accessible, enforce strong authentication (prefer VPN + MFA) and consider enabling additional protections such as RD Gateway and IP allowlists.
- Disable RDP on systems that do not require it, or isolate unpatched/unsupported hosts from the network until patching is completed.
- Maintain an ongoing patch management process to ensure all affected systems remain up to date and regularly monitor for exploit attempts and related indicators of compromise.
- Validate patches in a testing environment before broad deployment and verify successful remediation across all affected endpoints.
References
- Microsoft Advisory CVE-2019-0708 (BlueKeep)
- Siemens ProductCERT SSA-932041 (PDF)
- Siemens ProductCERT SSA-616199 (PDF)
- Siemens ProductCERT SSA-433987 (PDF)
- Siemens ProductCERT SSA-832947 (PDF)
- Siemens ProductCERT SSA-166360 (PDF)
- Siemens ProductCERT SSA-406175 (PDF)
- Huawei PSIRT Advisory SA-20190529-01 Windows En
- Huawei PSIRT Security Notices SN-20190515-01 Windows En
- Microsoft Windows Remote Desktop BlueKeep DoS (PacketStorm)
- Microsoft Windows RDP BlueKeep DoS (PacketStorm)
- BlueKeep RDP - Kernel Use-After-Free (PacketStorm)
- Microsoft Windows 7 x86 BlueKeep Use-After-Free (PacketStorm)
- Microsoft RDP Remote Code Execution (PacketStorm)
Early Warning
Customers using Armis Early Warning were notified about this vulnerability before it appeared in CISA's Known Exploited Vulnerabilities Catalog, enabling them to assess their exposure and act proactively. Armis offers these examples of CVEs already included in CISA KEV for potential customers. Click here to learn how to receive alerts earlier.
- Armis Alert Date
- May 16, 2019
- CISA KEV Date
- Nov 3, 2021
902days early
Industry ExposureMost to leastThis section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.
This section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.
- ManufacturingManufacturing: Medium
- Health Care & Social AssistanceHealth Care & Social Assistance: Medium
- Public AdministrationPublic Administration: Low
- Transportation & WarehousingTransportation & Warehousing: Low
- Retail TradeRetail Trade: Low
- Arts, Entertainment & RecreationArts, Entertainment & Recreation: Low
- Educational ServicesEducational Services: Low
- Finance and InsuranceFinance and Insurance: Low
- Other Services (except Public Administration)Other Services (except Public Administration): Low
- Professional, Scientific, & Technical ServicesProfessional, Scientific, & Technical Services: Low
- Management of Companies & EnterprisesManagement of Companies & Enterprises: Low
- UtilitiesUtilities: Low
- Accommodation & Food ServicesAccommodation & Food Services: Low
- Administrative, Support, Waste Management & Remediation ServicesAdministrative, Support, Waste Management & Remediation Services: Low
- Agriculture, Forestry Fishing & HuntingAgriculture, Forestry Fishing & Hunting: Low
- ConstructionConstruction: Low
- InformationInformation: Low
- MiningMining: Low
- Real Estate Rental & LeasingReal Estate Rental & Leasing: Low
- Wholesale TradeWholesale Trade: Low
