0patch, released a security patch to address the BlueKeep vulnerability, that can be deployed by administrators to protect always-on servers.

Microsoft Patch Tuesday updates for May 2019 address nearly 80 vulnerabilities, including an RDS vulnerability dubbed BlueKeep that can be exploited to carry out WannaCry-like attack.

The issue is a remote code execution flaw in Remote Desktop Services (RDS) that it can be exploited by an unauthenticated attacker by connecting to the targeted system via the RDP and sending specially crafted requests.

As explained by Microsoft, this vulnerability could be exploited by malware with wormable capabilities, it could be exploited without user interaction, making it possible for malware to spread in an uncontrolled way into the target networks.

The vulnerability doesn’t affect Windows 8 and Windows 10, anyway previous versions are exposed to the risk of cyber attacks.

Microsoft also advised Windows Server users to block TCP port 3389 and enable Network Level Authentication to prevent any unauthenticated attacker from exploiting this vulnerability.

Experts at 0patch, released a security patch to address the BlueKeep vulnerability, it is a tiny micro-patch composed of 22 instructions that can be deployed by administrators to protect always-on servers.

The main difference with the patch released by Microsoft is that the 0patch’s micropatch

However, unlike Microsoft’s security fix, 0patch’s micropatch does not require rebooting, the deployment of security updates on always-on servers sometimes is deployed because normally it is not possible to restart them without following specific procedures.

At the time the fix only works on systems running 32-bit Windows XP SP3, anyway, the expert plan to port it to Server 2003 and other versions.

0patch confirmed that the released code is a PRO-only micropatch, this means that only PRO users will automatically have it applied within 60 minutes or upon manual sync.

This is a PRO-only micropatch, and all PRO users will automatically have it applied within 60 minutes or upon manual sync. Others can create a 0patch account at https://t.co/a5420Kfwwb and purchase 0patch PRO license or request a trial at sales@0patch.com. — 0patch (@0patch) May 24, 2019

This is the source code for our BlueKeep micropatch for Windows XP. It intercepts the Initial PDU with GCC Conference Create Request and searches for "MS_T120" string in it. If found, connection is rejected. Legitimate RDP client connections don't specify that virtual channel. pic.twitter.com/r2Wz83vbj4 — 0patch (@0patch) May 24, 2019

Several security experts have developed PoC exploits for wormable BlueKeep Windows RDS , including McAfee Labs’ researchers that also provided extra mitigation measures. McAfee experts suggest:

Disable RDP is not needed, anyway, limit it only internally if necessary.

Client requests with “MS_T120” on any channel other than 31 during GCC Conference Initialization sequence of the RDP protocol should be blocked unless there is evidence for legitimate use case.

Don’t waste time, patch your system against the BlueKeep vulnerability asap, it is a matter of time that hacker will start to exploit the issue in attacks in the wild.



If you appreciate my effort in spreading cybersecurity awareness, please vote for Security Affairs in the section “Your Vote for the Best EU Security Tweeter”

Thank you

Pierluigi Paganini