Full Report
BlueKeep (CVE-2019-0708) is a vulnerability disclosed in May 2019 that occurs during the Remote Desktop Protocol (RDP) connection process between a client and a server. When a client sends a malicious packet through a specific virtual channel (MS_T120), a Use-After-Free condition is triggered, allowing remote code execution.[1] This vulnerability has been discussed on the ASEC Blog until recently [2], […] The post BlueKeep Attack Detected by AhnLab EDR first appeared on ASEC.
Analysis Summary
# Vulnerability: BlueKeep (Remote Code Execution in RDP)
## CVE Details
- CVE ID: CVE-2019-0708
- CVSS Score: 9.8 (Critical) - *Inferred severity based on RCE/Wormable pre-authentication nature, though not explicitly provided in the text.*
- CWE: Use-After-Free
## Affected Systems
- Products: Microsoft Windows operating systems utilizing the Remote Desktop Protocol (RDP).
- Versions: Specific vulnerable versions are not enumerated in the text but include Windows OS versions susceptible to BlueKeep during the RDP connection process.
- Configurations: Systems with RDP enabled.
## Vulnerability Description
BlueKeep is a Use-After-Free vulnerability occurring during the Remote Desktop Protocol (RDP) connection sequence. When a malicious packet is sent via the MS_T120 channel, it leads to AV/RCE. Exploitation allows remote attackers to execute arbitrary code on the target system. The observed exploitation method executes malicious commands within the context of `spoolsv.exe`. Furthermore, the attacker renames `cmd.exe` to `Narrator.exe` and leverages Windows accessibility features to execute arbitrary system-privileged commands, suggesting privilege escalation as a potential objective.
## Exploitation
- Status: Exploited in the wild (APT groups are continuing to exploit it).
- Complexity: Low (Implied by widespread reporting and APT activity).
- Attack Vector: Network (Remote code execution via RDP).
## Impact
- Confidentiality: High (Implied by RCE, allowing access to sensitive data).
- Integrity: High (Implied by RCE and the ability to execute arbitrary commands).
- Availability: High (Implied by RCE, potentially leading to system compromise or denial of service).
## Remediation
### Patches
- Specific patch versions are not listed, but Microsoft released patches for this vulnerability in May 2019. Users must apply the relevant security updates for their specific Windows versions.
### Workarounds
- Blocking TCP port 3389 at the network/firewall layer (if RDP is not strictly necessary).
- Disabling RDP where it is not required.
## Detection
- Indicators of Compromise: Execution of `cmd.exe` or other processes launched from within `spoolsv.exe`. Renaming of system binaries like `cmd.exe` to accessibility feature names (e.g., `Narrator.exe`).
- Detection methods and tools: AhnLab EDR detected malicious commands resulting from the exploit, indicating behavior-based analysis solutions are effective at identifying post-exploitation activities.
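The two indicators above can be turned into simple process-creation rules. The following is an added example, not AhnLab or ASEC code: it scans constructed records shaped like the fields of a Sysmon Event ID 1 (`Image`, `ParentImage`, `OriginalFileName`, `CommandLine`) for (1) any process spawned by `spoolsv.exe` and (2) a file carrying an accessibility-feature name whose PE `OriginalFileName` says it is really `cmd.exe`. It generalizes slightly beyond the report: the accessibility binaries other than `Narrator.exe`, the extra shell names, and the allow-list of expected `spoolsv.exe` children are assumptions to be tuned per environment.

```python
"""Detection rules for BlueKeep post-exploitation behaviour (added example).

Not AhnLab/ASEC code. Input records are dicts with Sysmon Event ID 1 style
fields; the sample events at the bottom are constructed for this example.
"""
import ntpath
from dataclasses import dataclass

# Narrator.exe is the name from the report; the other accessibility
# binaries are an assumption, added because they belong to the same
# Windows feature set (all launchable from the logon screen).
ACCESSIBILITY_BINARIES = {
    "narrator.exe", "sethc.exe", "utilman.exe", "osk.exe",
    "magnify.exe", "displayswitch.exe", "atbroker.exe",
}
# PE OriginalFileName values that should never sit behind an accessibility
# binary name (cmd.exe is from the report; the others are assumptions).
SHELL_ORIGINALS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Children spoolsv.exe legitimately starts; assumption, tune per environment.
SPOOLSV_EXPECTED_CHILDREN = {"printisolationhost.exe", "splwow64.exe"}


@dataclass(frozen=True)
class Alert:
    rule: str
    severity: str
    image: str
    detail: str


def _name(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def check_event(ev: dict) -> list[Alert]:
    """Return the alerts raised by one process-creation record."""
    alerts: list[Alert] = []
    image = _name(ev.get("Image", ""))
    parent = _name(ev.get("ParentImage", ""))
    original = ev.get("OriginalFileName", "").lower()
    cmdline = ev.get("CommandLine", "")

    # Indicator 1: anything spawned by the print spooler that is not an
    # expected print-related helper. A shell child is rated high.
    if parent == "spoolsv.exe" and image not in SPOOLSV_EXPECTED_CHILDREN:
        is_shell = image in SHELL_ORIGINALS or original in SHELL_ORIGINALS
        alerts.append(Alert(
            "spoolsv_child_process",
            "high" if is_shell else "medium",
            ev.get("Image", ""),
            f"spawned by {ev.get('ParentImage', '')}: {cmdline}",
        ))

    # Indicator 2: file named like an accessibility feature whose PE
    # metadata says it is a shell, i.e. cmd.exe renamed to Narrator.exe.
    if image in ACCESSIBILITY_BINARIES and original in SHELL_ORIGINALS:
        alerts.append(Alert(
            "renamed_accessibility_binary",
            "high",
            ev.get("Image", ""),
            f"OriginalFileName={ev.get('OriginalFileName', '')}",
        ))
    return alerts


def scan(events) -> list[Alert]:
    """Run check_event over an iterable of records, preserving order."""
    return [alert for ev in events for alert in check_event(ev)]


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    # normal spooler start: no alert
    {"Image": r"C:\Windows\System32\spoolsv.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "OriginalFileName": "spoolsv.exe", "CommandLine": "spoolsv.exe"},
    # shell spawned from the spooler context: high
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\spoolsv.exe",
     "OriginalFileName": "Cmd.Exe", "CommandLine": "cmd.exe /c echo test"},
    # expected print helper child of the spooler: allow-listed
    {"Image": r"C:\Windows\System32\PrintIsolationHost.exe",
     "ParentImage": r"C:\Windows\System32\spoolsv.exe",
     "OriginalFileName": "PrintIsolationHost.exe", "CommandLine": ""},
    # genuine Narrator: metadata matches the file name, no alert
    {"Image": r"C:\Windows\System32\Narrator.exe",
     "ParentImage": r"C:\Windows\System32\winlogon.exe",
     "OriginalFileName": "Narrator.exe", "CommandLine": "Narrator.exe"},
    # cmd.exe renamed to Narrator.exe: high
    {"Image": r"C:\Windows\System32\Narrator.exe",
     "ParentImage": r"C:\Windows\System32\winlogon.exe",
     "OriginalFileName": "Cmd.Exe", "CommandLine": "Narrator.exe"},
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.rule}: {a.image} ({a.detail})")
```

The `OriginalFileName` comparison is what makes the rename rule robust: a file name can be changed freely, but the PE version resource that Sysmon reads still says `cmd.exe`. Keep the `spoolsv.exe` allow-list short and review it against your own fleet, since the spooler does start a few helpers legitimately.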
## References
- Vendor advisories: Microsoft Security Bulletin May 2019 (CVE-2019-0708)
- Relevant links (defanged):
  - hnlab com/en/16603/
  - hnlab com/en/58654/