The 0patch platform issued a fix for the Remote Desktop Services RCE vulnerability known as BlueKeep, in the form of a 22 instructions micropatch which can be used to protect always-on servers against exploitation attempts.
The critical software flaw tracked as CVE-2019-0708 and present in both in-support (Windows Server 2008 and Window 7) and out-of-support (Windows 2003 and Window XP) was already patched by Microsoft on May 14, after the vulnerability was disclosed.
However, unlike Microsoft's security fix, 0patch's micropatch does not require rebooting and it targets a very specific audience, allowing administrators to patch systems that either can't be restarted or do not allow for Microsoft security fixes to be installed for various other reasons.
"This is often due to always-on requirements, but another common reason is that restarting a fleet of remote machines (e.g., ATMs) brings a risk of having to physically visit all these machines in case something goes wrong (e.g., they don't wake up for some reason, or lose/corrupt in-memory data when they restart)," as co-founder of 0patch Mitja Kolsek told BleepingComputer.
We have just released a micropatch for CVE-2019-0708 a.k.a. "BlueKeep" - useful for computers that can't have Microsoft's update applied for whatever reason, or can't be restarted (0patch does not require a restart for installation or patching). pic.twitter.com/78ytVihhwh— 0patch (@0patch) May 24, 2019
The fix will patch the vulnerability affecting 32-bit Windows XP SP3 only, but the company will also port it to Server 2003 and other versions based on user requests to support legacy systems.
According to 0patch, "this is a PRO-only micropatch, and all PRO users will automatically have it applied within 60 minutes or upon manual sync."
While the 0patch fixes are usually designed to be a substitute solution until Microsoft issues its own official patches, in this case, they will most probably be a permanent solution for servers that cannot be restarted — unless their administrators find a way to bypass the issues preventing them from rebooting the machines.
This is the source code for our BlueKeep micropatch for Windows XP. It intercepts the Initial PDU with GCC Conference Create Request and searches for "MS_T120" string in it. If found, connection is rejected. Legitimate RDP client connections don't specify that virtual channel. pic.twitter.com/r2Wz83vbj4— 0patch (@0patch) May 24, 2019
BlueKeep mitigation measures
Another possible solution would be to follow Microsoft's advice and toggle on Network Level Authentication (NLA) for Remote Desktop Services Connections on systems impacted by the BlueKeep vulnerability.
McAfee Labs' research team also provided a couple of extra mitigation measures after demoing a RCE PoC for CVE-2019-0708 designed to block potential exploitation attempts of the flaw:
• Disable RDP from outside of your network and limit it internally; disable entirely if not needed. The exploit is not successful when RDP is disabled.
• Client requests with “MS_T120” on any channel other than 31 during GCC Conference Initialization sequence of the RDP protocol should be blocked unless there is evidence for legitimate use case.
Patching systems against the BlueKeep vulnerability should be at the top of the list of any admin seeing that multiple security researchers have already created PoC exploits.
Chaouki Bekrar, the founder of the zero-days acquisition platform Zerodium, also confirmed that the BlueKeep is remotely exploitable without the need of authentication the day after Microsoft issued their patch.
Three days later, security researcher Valthek also created his own PoC for the BlueKeep flaw, a PoC confirmed to be working by McAfee senior principal engineer Christiaan Beek.