0patch issued a micropatch to address the BlueKeep flaw in always-on servers

Play ransomware Microsoft Windows DOS-to-NT path conversion process to achieve rootkit-like capabilities

0patch, released a security patch to address the BlueKeep vulnerability, that can be deployed by administrators to protect always-on servers.

Microsoft Patch Tuesday updates for May 2019 address nearly 80 vulnerabilities, including an RDS vulnerability dubbed BlueKeep that can be exploited to carry out WannaCry-like attack.

The issue is a remote code execution flaw in Remote Desktop Services (RDS) that it can be exploited by an unauthenticated attacker by connecting to the targeted system via the RDP and sending specially crafted requests.

As explained by Microsoft, this vulnerability could be exploited by malware with wormable capabilities, it could be exploited without user interaction, making it possible for malware to spread in an uncontrolled way into the target networks.

The vulnerability doesn’t affect Windows 8 and Windows 10, anyway previous versions are exposed to the risk of cyber attacks.

Microsoft also advised Windows Server users to block TCP port 3389 and enable Network Level Authentication to prevent any unauthenticated attacker from exploiting this vulnerability.

Experts at 0patch, released a security patch to address the BlueKeep vulnerability, it is a tiny micro-patch composed of 22 instructions that can be deployed by administrators to protect always-on servers.

The main difference with the patch released by Microsoft is that the 0patch’s micropatch

However, unlike Microsoft’s security fix, 0patch’s micropatch does not require rebooting, the deployment of security updates on always-on servers sometimes is deployed because normally it is not possible to restart them without following specific procedures.

At the time the fix only works on systems running 32-bit Windows XP SP3, anyway, the expert plan to port it to Server 2003 and other versions.

0patch confirmed that the released code is a PRO-only micropatch, this means that only PRO users will automatically have it applied within 60 minutes or upon manual sync.

Several security experts have developed PoC exploits for wormable BlueKeep Windows RDS, including McAfee Labs’ researchers that also provided extra mitigation measures. McAfee experts suggest:

Disable RDP is not needed, anyway, limit it only internally if necessary.
Client requests with “MS_T120” on any channel other than 31 during GCC Conference Initialization sequence of the RDP protocol should be blocked unless there is evidence for legitimate use case.

Don’t waste time, patch your system against the BlueKeep vulnerability asap, it is a matter of time that hacker will start to exploit the issue in attacks in the wild.

If you appreciate my effort in spreading cybersecurity awareness, please vote for Security Affairs in the section “Your Vote for the Best EU Security Tweeter”

Thank you

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – BlueKeep, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.