Microsoft Operating Systems BlueKeep Vulnerability


Systems Affected

  ✦  Windows 2000
  ✦  Windows Vista
  ✦  Windows XP
  ✦  Windows 7
  ✦  Windows Server 2003
  ✦  Windows Server 2003 R2
  ✦  Windows Server 2008
  ✦  Windows Server 2008 R2

Threat Level



An attacker can exploit this vulnerability (CVE-2019-0708) to take control of the affected system.


The 'BlueKeep' vulnerability exists within the Remote Desktop Protocol (RDP) used by Microsoft Windows operating systems. An attacker can exploit this vulnerability to perform remote code execution on an unprotected system.
An advisory from Microsoft confirmed that an attacker can send specifically crafted packets to one of the above operating systems that has RDP enabled. 'BlueKeep' is considered wormable, since an exploit of this vulnerability on one system could propagate to other vulnerable systems without user interaction, following the same pattern as the WannaCry malware.


Impact

Successful exploitation could allow an attacker to perform actions such as:

  ✦  Adding accounts with full user rights
  ✦  Modifying data
  ✦  Installing unwanted programs and applications

Solution/ Workarounds

  ✦  Install available patches.

Microsoft has released security updates to patch this vulnerability. Microsoft has also released patches for a number of OSs that are no longer officially supported, including Windows Vista, Windows XP, and Windows Server 2003. As always, CISA encourages users and administrators to test patches before installation.

  ✦  Upgrade end-of-life (EOL) OSs.
Consider upgrading any EOL OSs no longer supported by Microsoft to a newer, supported OS, such as Windows 10.

  ✦  Disable unnecessary services.
Disable services not being used by the OS. This best practice limits exposure to vulnerabilities.

  ✦  Enable Network Level Authentication.
Enable Network Level Authentication in Windows 7, Windows Server 2008, and Windows Server 2008 R2. Doing so forces a session request to be authenticated before a session is established and effectively mitigates BlueKeep, as exploitation of the vulnerability requires an unauthenticated session.

  ✦  Block Transmission Control Protocol (TCP) port 3389 at the enterprise perimeter firewall.
Because port 3389 is used to initiate an RDP session, blocking it prevents an attacker from exploiting BlueKeep from outside the user's network. However, this will block legitimate RDP sessions and may not prevent unauthenticated sessions from being initiated inside a network.
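The following PowerShell script is an added example (it is not part of the Sri Lanka CERT advisory or Microsoft's guidance) that applies the Network Level Authentication workaround above: it audits the RDP-Tcp listener on Windows 7 / Server 2008 / 2008 R2 hosts and enforces NLA where it is off. The host names are constructed placeholders; it assumes local administrator rights and remote WMI access to each host.

```powershell
# Added example: audit and enforce NLA on the RDP-Tcp listener via the
# documented Win32_TSGeneralSetting WMI class. Get-WmiObject is used (rather
# than Get-CimInstance) so the script also runs on Windows 7 / Server 2008 R2
# with PowerShell 2.0. Host names below are constructed placeholders.
$Hosts = @('win7-ws01', 'srv2008r2-01')

function Get-RdpListenerSetting {
    param([string]$ComputerName)
    # The TerminalServices namespace requires packet-privacy authentication
    # when queried remotely; the 'RDP-Tcp' listener is the default one.
    Get-WmiObject -ComputerName $ComputerName `
        -Namespace 'root\cimv2\TerminalServices' `
        -Class Win32_TSGeneralSetting `
        -Filter "TerminalName='RDP-Tcp'" `
        -Authentication PacketPrivacy -ErrorAction Stop
}

foreach ($h in $Hosts) {
    try {
        $ts = Get-RdpListenerSetting -ComputerName $h
    } catch {
        # Windows 2000 / XP / 2003 have no NLA and no Win32_TSGeneralSetting:
        # for those hosts only patching, port filtering or upgrade applies.
        Write-Warning "$h : cannot read RDP listener settings ($($_.Exception.Message))"
        continue
    }

    # UserAuthenticationRequired: 1 = NLA required, 0 = unauthenticated
    # session requests are accepted (the state BlueKeep relies on).
    if ($ts.UserAuthenticationRequired -eq 1) {
        Write-Output "$h : NLA already required"
        continue
    }

    Write-Warning "$h : NLA not enforced; enabling"
    # Documented WMI methods: SetUserAuthenticationRequired(1) turns NLA on,
    # SetSecurityLayer(2) requires TLS for the listener. Both take effect for
    # new connections without a reboot. A non-zero ReturnValue means failure.
    $r1 = $ts.SetUserAuthenticationRequired(1)
    $r2 = $ts.SetSecurityLayer(2)
    if ($r1.ReturnValue -ne 0 -or $r2.ReturnValue -ne 0) {
        Write-Warning "$h : change failed (ReturnValue $($r1.ReturnValue)/$($r2.ReturnValue))"
    } else {
        Write-Output "$h : NLA now required; existing clients must support CredSSP"
    }
}
```

Enabling NLA will stop older RDP clients that do not support CredSSP from connecting, so verify client compatibility before rolling the change out broadly.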


References

  ✦  Microsoft Security Advisory for CVE-2019-0708
  ✦  White House Press Briefing on the Attribution of the WannaCry Malware Attack to North Korea
  ✦  Microsoft Customer Guidance for CVE-2019-0708


The information provided herein is on "as is" basis, without warranty of any kind.


© Copyright Sri Lanka CERT|CC. All Rights Reserved.