RDP BlueKeep exploit shows why you really, really need to patch


About six weeks ago Microsoft took the highly unusual step of including a patch for operating systems it no longer supports in its May Patch Tuesday output.

It’s something the software juggernaut has only ever felt the need to do on a handful of occasions, so when it does happen it can be taken as a sign that something very serious indeed is going on. In this case, the something serious was CVE-2019-0708, a very serious RDP vulnerability, that would soon become better known as BlueKeep.

RDP (the Remote Desktop Protocol) is what allows people to control Windows machines via a full graphical user interface, over the internet. The millions of internet-connected machines running RDP includes everything from cloud-hosted servers to Windows desktops used by remote workers, and each one is a potential gateway into an organisation’s internal network.

The ‘wormable’ BlueKeep vulnerability, announced by Microsoft with the release of patches to protect against it, could theoretically be used to run attackers’ code on every one of those machines, without a username and password.

The only sliver of hope that came with May’s patches was that CVE-2019-0708 was difficult to exploit. That difficulty created a window of time for organisations to patch against BlueKeep before crooks figured out how to abuse it. There was even the outside chance that it would prove too difficult to reverse engineer.

It was a hope that didn’t last long.

Since CVE-2019-0708 became public, a small number of organisations and security researchers have credibly claimed the ability to successfully exploit it.

Among their number is Sophos, who today revealed the existence of its own CVE-2019-0708 exploit PoC (Proof-of-Concept).

The PoC, described by BlueKeep namer and ‘megathread’ keeper Kevin Beaumont as ‘incredible‘, was created by the SophosLabs Offensive Security team.

The code is obviously too dangerous to be released publicly, so SophosLabs has recorded a video showing the fileless exploit being used to gain full control of a remote system without authentication.

The PoC will help Sophos learn about how CVE-2019-0708 might be exploited by criminals.

So, why release proof of the proof-of-concept?

We hope this video convinces individuals and organizations who still haven’t patched that the BlueKeep vulnerability is a serious threat.

You can read more about the SophosLabs BlueKeep exploit on our sister site Sophos News. Do it after you’ve patched.