Blue's Clues: Four New BlueKeep-Like Wormable RDP Exploits Target Microsoft Windows

Windows Worm
Microsoft is warning Windows users of several new "wormable" vulnerabilities similar in style to BlueKeep, two of which (CVE-2019-1181 and CVE-2019-1182) are rated critical Remote Code Execution (RCE) flaws. As with BlueKeep, which Microsoft patched a few months ago, the bugs live in Remote Desktop Services (formerly known as Terminal Services), the Windows component that implements the Remote Desktop Protocol (RDP).

These types of vulnerabilities are especially worrisome because an exploit for them needs no user interaction: once a single machine is compromised, the same malicious RDP request can be replayed against every other reachable host, so the infection can spread across a network on its own.

"It is important that affected systems are patched as quickly as possible because of the elevated risks associated with wormable vulnerabilities like these, and downloads for these can be found in the Microsoft Security Update Guide. Customers who have automatic updates enabled are automatically protected by these fixes," Microsoft states.

Whereas BlueKeep affected Windows 7 and earlier versions of Windows, these newly discovered ones, half-jokingly referred to as DejaBlue by some researchers, according to Wired, affect Windows 7 and later builds, including Windows 7 SP1, Windows Server 2008 R2 SP1, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, and all supported versions of Windows 10, including the server editions.

There are four DejaBlue vulnerabilities in total, listed as CVE-2019-1181, CVE-2019-1182, CVE-2019-1222, and CVE-2019-1226. All four are pre-authentication: an attacker needs only to connect to the RDP listener (TCP port 3389 by default) and send a specially crafted request to a target system on which Network Level Authentication (NLA) is disabled. Leaving NLA off is still common in large environments, often to support older clients or legacy login workflows.

Enabling NLA is a partial mitigation, not a fix. With NLA on, the client must authenticate with CredSSP before a session is created, so an anonymous attacker never reaches the vulnerable code; an attacker who already holds valid credentials for the target, however, can still trigger the flaws after authenticating. Patching remains the only complete remedy; blocking TCP 3389 at the network perimeter and disabling Remote Desktop Services where they are not needed reduce exposure in the meantime.
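The following PowerShell script is an added example, not code from the article or from Microsoft: it audits whether a host is listening for RDP without NLA (the condition under which the pre-authentication code paths are reachable) and, if so, turns NLA on through the documented Win32_TSGeneralSetting WMI method. The registry paths and the NLA/RDP value names are the standard ones; the function names (Get-RdpExposure, Enable-RdpNla) are this example's own. Run it in an elevated session.

```powershell
# Added example: audit and enforce Network Level Authentication (NLA) as a partial
# mitigation for the DejaBlue RDS vulnerabilities. Not from the original article.
# Enabling NLA does not replace installing the August 2019 security update.

$tsRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$tsRoot\WinStations\RDP-Tcp"

function Get-RdpExposure {
    # fDenyTSConnections = 0 means Remote Desktop is accepting connections.
    $deny = (Get-ItemProperty -Path $tsRoot -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    # UserAuthentication = 1 means NLA (CredSSP) is required before a session is created;
    # 0 means an unauthenticated client reaches the pre-auth RDS code paths.
    $nla  = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    # Listening port (3389 by default); changing it hides the service but does not mitigate the bugs.
    $port = (Get-ItemProperty -Path $rdpTcp -Name PortNumber -ErrorAction SilentlyContinue).PortNumber

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        RdpEnabled       = ($deny -eq 0)
        NlaRequired      = ($nla -eq 1)
        Port             = $port
        # The dangerous combination: listening, and anonymous clients are not stopped by NLA.
        PreAuthReachable = ($deny -eq 0) -and ($nla -ne 1)
    }
}

function Enable-RdpNla {
    # Win32_TSGeneralSetting lives in the TerminalServices WMI namespace; the
    # SetUserAuthenticationRequired method applies to new connections immediately.
    $ts = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
                          -ClassName Win32_TSGeneralSetting `
                          -Filter "TerminalName='RDP-Tcp'"
    if (-not $ts) { throw 'RDP-Tcp listener not found; is Remote Desktop Services installed?' }
    $result = Invoke-CimMethod -InputObject $ts -MethodName SetUserAuthenticationRequired `
                               -Arguments @{ UserAuthenticationRequired = 1 }
    if ($result.ReturnValue -ne 0) { throw "SetUserAuthenticationRequired failed with code $($result.ReturnValue)" }
}

$state = Get-RdpExposure
$state | Format-List

if ($state.PreAuthReachable) {
    Write-Warning 'RDP is listening without NLA: unauthenticated clients can reach the vulnerable code. Enabling NLA.'
    Enable-RdpNla
    # Re-read the registry to confirm the change took effect.
    $after = Get-RdpExposure
    if ($after.NlaRequired) { Write-Host 'NLA is now required for RDP-Tcp.' }
    else { Write-Warning 'NLA still reports disabled; check Group Policy, which overrides the local setting.' }
}
elseif (-not $state.RdpEnabled) {
    Write-Host 'Remote Desktop is not accepting connections on this host.'
}
else {
    Write-Host 'NLA already required; remaining risk is from authenticated attackers until the update is installed.'
}
```

Two caveats when rolling this out: clients that cannot do CredSSP (for example very old Windows XP builds or some third-party RDP clients) will be locked out once NLA is required, and a Group Policy setting ("Require user authentication for remote connections by using Network Level Authentication") silently overrides the local value, which is why the script re-reads the state after changing it. To audit a fleet, wrap Get-RdpExposure in Invoke-Command against a list of computer names and collect the objects where PreAuthReachable is true.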

Microsoft's own engineers discovered these new vulnerabilities while hardening Remote Desktop Services, which was not the case with BlueKeep, whose bug was reported to Microsoft by an outside party. The company says it has "no evidence that these vulnerabilities were known to any third party" at this time.