BlueKeep


BlueKeep
[Logo: A logo created for the vulnerability, featuring a keep, a fortified tower built within castles.]
CVE identifier(s): CVE-2019-0708
Date patched: 14 May 2019[1]
Discoverer: UK National Cyber Security Centre[2]
Affected software: pre-Windows 8 versions of Microsoft Windows

BlueKeep (CVE-2019-0708) is a security vulnerability that was discovered in Microsoft's Remote Desktop Protocol, which allows for the possibility of remote code execution.

First reported in May 2019, it is present in all Windows NT-based versions of Microsoft Windows from Windows 2000 through Windows Server 2008 R2 and Windows 7. Microsoft issued a security patch (including an out-of-band update for several end-of-life versions of Windows, such as Windows XP) on 14 May 2019.

History

The BlueKeep security vulnerability was first noted by the UK National Cyber Security Centre[2] and, on 14 May 2019, reported by Microsoft. The vulnerability is officially tracked as CVE-2019-0708 and is a "wormable" remote code execution vulnerability.[3][4]

As of 1 June 2019, no malware actively exploiting the vulnerability appeared to be publicly known; however, undisclosed proof-of-concept code exploiting the vulnerability may have existed.[5][6][7][8]

Both the U.S. National Security Agency (which issued its own advisory on the vulnerability on 4 June)[9] and Microsoft stated that this vulnerability could potentially be used by self-propagating worms. Microsoft, citing a security researcher's estimate that nearly 1 million devices were vulnerable, said that such a theoretical attack could be of a similar scale to EternalBlue-based attacks such as NotPetya and WannaCry.[5][10][9]

On the same day as the NSA advisory, researchers at the CERT Coordination Center disclosed a separate RDP-related security issue in the Windows 10 May 2019 Update and Windows Server 2019, citing a new behaviour in which RDP Network Level Authentication (NLA) login credentials are cached on the client system, so that a user automatically regains access to their RDP session if their network connection is interrupted. Microsoft dismissed this as intended behaviour; it can be disabled via Group Policy.[11]

Mechanism

The RDP protocol uses "virtual channels", configured before authentication, as a data path between the client and server for providing extensions. RDP 5.1 defines 32 "static" virtual channels, and "dynamic" virtual channels are carried within one of these static channels. If a server binds the virtual channel "MS_T120" (a channel that a client has no legitimate reason to connect to) to a static channel other than 31, heap corruption occurs that allows arbitrary code execution at the system level.[12]

Windows XP, Windows Vista, Windows 7, Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 were named by Microsoft as being vulnerable to this attack. Versions newer than Windows 7, such as Windows 8 and Windows 10, are not affected. The Cybersecurity and Infrastructure Security Agency stated that it had also successfully achieved code execution via the vulnerability on Windows 2000.[13]

Mitigation

Microsoft released patches for the vulnerability on 14 May 2019, for Windows XP, Windows Vista, Windows 7, Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2. This included versions of Windows that are end-of-life (such as Vista, XP, and Server 2003) and no longer eligible for security updates.[5] The patch forces the aforementioned "MS_T120" channel to always be bound to 31, even if a different binding is requested by an RDP server.[12]

The NSA recommended additional measures, such as disabling Remote Desktop Services and its associated port if it is not being used, and requiring Network Level Authentication (NLA) for RDP.[14]
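The channel-list handling described in the Mechanism section and the binding rule the patch enforces, as an added, illustrative example (not Microsoft's code and not code from any source cited on this page): it parses the client network data block (TS_UD_CS_NET, as laid out in the public MS-RDPBCGR specification) that an RDP client sends during connection setup, flags a request naming MS_T120 the way an intrusion-detection rule would, and models, in simplified form, how the channel is bound before and after the patch. The block layout used by the builder, the sample channel lists, the arbitrary options value and the binding model are assumptions made for this example; the real server's channel table is considerably more involved.

```python
"""Inspect the static virtual channels an RDP client asks for.

Added example; not Microsoft's code nor code from the sources cited here.
Assumptions: the client network data block follows the TS_UD_CS_NET layout
from the public MS-RDPBCGR specification (2-byte type, 2-byte length,
4-byte channel count, then 12-byte entries of 8-byte NUL-padded name plus
4-byte options); the server binding model below is a simplification of
the behaviour described in this article, not the real implementation.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass

CS_CORE = 0xC001          # client core data block type (contents irrelevant here)
CS_NET = 0xC003           # client network data block type
MS_T120 = "MS_T120"       # internal channel a client has no reason to request
MS_T120_SLOT = 31         # the fixed static slot the patch pins MS_T120 to
MAX_STATIC_CHANNELS = 31  # upper bound on channelCount per the specification


@dataclass
class ChannelDef:
    name: str
    options: int


def parse_client_channels(user_data: bytes) -> list[ChannelDef]:
    """Walk the client user-data blocks and return the CS_NET channel list.

    Raises ValueError on a truncated block or an impossible channel count;
    a detector should treat that as its own signal rather than ignore it.
    """
    channels: list[ChannelDef] = []
    offset = 0
    while offset + 4 <= len(user_data):
        block_type, block_len = struct.unpack_from("<HH", user_data, offset)
        if block_len < 4 or offset + block_len > len(user_data):
            raise ValueError(f"malformed user-data block at offset {offset}")
        if block_type == CS_NET:
            (count,) = struct.unpack_from("<I", user_data, offset + 4)
            body = user_data[offset + 8 : offset + block_len]
            if count > MAX_STATIC_CHANNELS or count * 12 > len(body):
                raise ValueError("channel count inconsistent with block length")
            for i in range(count):
                raw_name, options = struct.unpack_from("<8sI", body, i * 12)
                name = raw_name.split(b"\x00", 1)[0].decode("ascii", "replace")
                channels.append(ChannelDef(name, options))
        offset += block_len
    return channels


def suspicious_channels(channels: list[ChannelDef]) -> list[str]:
    """Names no legitimate client requests; compared case-insensitively as a
    conservative detection choice (an assumption of this example)."""
    return [c.name for c in channels if c.name.upper() == MS_T120]


def bind_channels(channels: list[ChannelDef], patched: bool) -> dict[str, int]:
    """Simplified model of server-side binding of requested names to slots.

    Unpatched: every requested name, MS_T120 included, is bound to the next
    free slot, so MS_T120 ends up somewhere other than slot 31 (the
    condition this article describes). Patched: MS_T120 keeps slot 31 and
    the client's request for it is ignored.
    """
    binding = {MS_T120: MS_T120_SLOT}
    next_slot = 0
    for c in channels:
        is_internal = c.name.upper() == MS_T120
        if is_internal and patched:
            continue
        binding[MS_T120 if is_internal else c.name] = next_slot
        next_slot += 1
    return binding


def build_user_data(names: list[str]) -> bytes:
    """Constructed sample input: a dummy CS_CORE block followed by a CS_NET
    block listing the given channel names (the options value is arbitrary)."""
    defs = b"".join(struct.pack("<8sI", n.encode("ascii"), 0x80800000) for n in names)
    core = struct.pack("<HH", CS_CORE, 8) + b"\x00" * 4  # dummy block, length 8
    net = struct.pack("<HHI", CS_NET, 8 + len(defs), len(names)) + defs
    return core + net


# Constructed samples: a typical client, and one naming the internal channel.
BENIGN_REQUEST = build_user_data(["rdpdr", "rdpsnd", "cliprdr"])
SUSPECT_REQUEST = build_user_data(["rdpdr", "MS_T120", "cliprdr"])

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_REQUEST), ("suspect", SUSPECT_REQUEST)):
        chans = parse_client_channels(blob)
        print(label, [c.name for c in chans], "flagged:", suspicious_channels(chans))
        print("  unpatched binding:", bind_channels(chans, patched=False))
        print("  patched binding:  ", bind_channels(chans, patched=True))
```

The parser deliberately refuses inconsistent block lengths and channel counts instead of skipping them, since malformed connection setup data is itself worth alerting on; in a real sensor the channel list would be pulled from the decoded MCS Connect Initial PDU rather than from a pre-built byte string, and the flag would feed the same alert path as the NSA's recommended controls (NLA required, RDP exposed only where needed).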

References

  1. Foley, Mary Jo (14 May 2019). "Microsoft patches Windows XP, Server 2003 to try to head off 'wormable' flaw". ZDNet. Retrieved 7 June 2019.
  2. Microsoft (May 2019). "Security Update Guide - Acknowledgements, May 2019". Microsoft. Retrieved 7 June 2019.
  3. Staff (14 May 2019). "Customer guidance for CVE-2019-0708 - Remote Desktop Services Remote Code Execution Vulnerability: May 14, 2019". Microsoft. Retrieved 29 May 2019.
  4. Staff (14 May 2019). "CVE-2019-0708 Remote Desktop Services Remote Code Execution Vulnerability - Security Vulnerability". Microsoft. Retrieved 28 May 2019.
  5. Goodin, Dan (31 May 2019). "Microsoft practically begs Windows users to fix wormable BlueKeep flaw". Ars Technica. Retrieved 31 May 2019.
  6. Whittaker, Zack (31 May 2019). "Microsoft warns users to patch as exploits for 'wormable' BlueKeep bug appear". TechCrunch. Retrieved 31 May 2019.
  7. O'Neill, Patrick Howell (31 May 2019). "You Need to Patch Your Older Windows PCs Right Now to Patch a Serious Flaw". Gizmodo. Retrieved 31 May 2019.
  8. Winder, Davey (1 June 2019). "Microsoft Issues 'Update Now' Warning To Windows Users". Forbes. Retrieved 1 June 2019.
  9. Cimpanu, Catalin. "Even the NSA is urging Windows users to patch BlueKeep (CVE-2019-0708)". ZDNet. Retrieved 20 June 2019.
  10. Warren, Tom (14 May 2019). "Microsoft warns of major WannaCry-like Windows security exploit, releases XP patches". The Verge. Retrieved 20 June 2019.
  11. "Microsoft dismisses new Windows RDP 'bug' as a feature". Naked Security. 6 June 2019. Retrieved 20 June 2019.
  12. "RDP Stands for "Really DO Patch!" – Understanding the Wormable RDP Vulnerability CVE-2019-0708". McAfee Blogs. 21 May 2019. Retrieved 19 June 2019.
  13. Tung, Liam. "Homeland Security: We've tested Windows BlueKeep attack and it works so patch now". ZDNet. Retrieved 20 June 2019.
  14. Cimpanu, Catalin. "Even the NSA is urging Windows users to patch BlueKeep (CVE-2019-0708)". ZDNet. Retrieved 20 June 2019.