A zero-day vulnerability has been identified in Microsoft Remote Desktop Services which could allow an attacker to hijack an existing session that has been locked. By exploiting the vulnerability, the lock screen can be bypassed, even if two-factor authentication has been implemented.
The zero-day vulnerability was discovered by Carnegie Mellon University Software Engineering Institute’s Joe Tammariello and concerns Microsoft’s Network Level Authentication (NLA) on Windows Remote Desktop sessions.
If a user locks a Windows machine from within an RDP session and that session is then temporarily disconnected, the session is restored in an unlocked state when it automatically reconnects. The vulnerability is present in Windows 10 version 1803 and later and Windows Server 2019 and later.
If an attacker interrupted the session, they could gain access to the computer when the Remote Desktop session is reconnected, even though the remote system had been locked. The flaw can only be exploited by a user with local access, so its potential for use in an attack is limited. It is being tracked as CVE-2019-9510 and has been assigned a CVSS v3 base score of 4.6.
The flaw has been reported to Microsoft, which has responded that it does not meet the Microsoft Security Servicing Criteria for Windows. Since a patch is unlikely to be issued, the vulnerability can be mitigated by locking the local system rather than the remote one, and by disconnecting from Remote Desktop sessions instead of attempting to lock them.
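One way to put that advice into practice, as an added PowerShell example that is not part of the original article: the function below checks whether it is running inside a Remote Desktop session and, if so, disconnects the session with tsdiscon.exe rather than locking it; on a local console it locks the workstation as usual. The function name Invoke-SafeLock is an assumption; tsdiscon.exe, rundll32.exe and the SESSIONNAME environment variable ship with Windows.

```powershell
# Added example (not from the article): disconnect instead of lock when inside an RDP session.
# Assumptions: Windows 10 / Server 2019 host, PowerShell 5.1, tsdiscon.exe present (it ships with Windows).
function Invoke-SafeLock {
    [CmdletBinding()]
    param()

    # SESSIONNAME is "Console" for a local logon and "RDP-Tcp#<n>" for a Remote Desktop session.
    $inRdpSession = $env:SESSIONNAME -like 'RDP-*'

    if ($inRdpSession) {
        # Locking here is exactly what CVE-2019-9510 undermines: a dropped and
        # auto-reconnected session comes back unlocked. Disconnecting ends the
        # interactive use of the session until the user re-authenticates through NLA.
        Write-Verbose "Remote Desktop session '$($env:SESSIONNAME)' detected; disconnecting instead of locking."
        & tsdiscon.exe
    }
    else {
        # On the local console, locking remains the right action; lock the local
        # system (the client), not the remote one.
        Write-Verbose 'Local console session detected; locking the workstation.'
        & rundll32.exe user32.dll,LockWorkStation
    }
}

# Usage: run in place of Win+L while working over RDP.
Invoke-SafeLock -Verbose
```

A disconnected session still holds the user's programs open on the remote host, so there is no loss of work; the difference is that reconnecting always goes through NLA and the logon screen rather than the lock screen that the flaw bypasses.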
Microsoft has suggested enabling NLA as a mitigation against the BlueKeep vulnerability if the patch cannot be applied. While this new flaw could certainly allow a local, unauthorized individual to gain access to a device, it affects Windows 10, which is not vulnerable to BlueKeep.
NLA still offers protection against BlueKeep and should be enabled. TCP port 3389 should be blocked at the perimeter firewall and, if RDP is not required, Remote Desktop Services should be disabled. However, the best way to prevent exploitation of BlueKeep is to apply the patch that Microsoft released on May 14, 2019.
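As an added example that is not from the article or from Microsoft, the PowerShell script below audits a single host against those four points (patch installed, NLA required, RDP enabled, TCP 3389 blocked at the host firewall as a backstop to the perimeter rule) and, with -Remediate, applies the NLA, disable-RDP and host-firewall changes. It reads the Terminal Server registry values and uses netsh advfirewall rather than the NetSecurity module so that it also runs on the older Windows versions BlueKeep affects (PowerShell 3.0 or later, run elevated). The parameter names and the $PatchKbId placeholder are assumptions: the KB number for each operating system has to be taken from Microsoft's May 14, 2019 advisory and is not given on this page.

```powershell
# Added example, not the article's or Microsoft's code: audit and optionally harden RDP on one host.
# Assumptions: elevated PowerShell 3.0+, netsh advfirewall available (Windows 7 SP1 / Server 2008 R2 and later).
# $PatchKbId is a placeholder; fill in the KB for this OS from Microsoft's May 14, 2019 advisory.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remediate,                   # without this switch the script only reports
    [switch]$RdpNotRequired,              # set when the host does not need Remote Desktop at all
    [string]$PatchKbId = 'KB<fill-in>'    # placeholder, see note above
)

$tsKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey   = "$tsKey\WinStations\RDP-Tcp"
$ruleName = 'Block inbound RDP (TCP 3389)'

# 1. Is the BlueKeep fix installed? Get-HotFix lists installed updates; an unknown id returns nothing.
$patched = [bool](Get-HotFix -Id $PatchKbId -ErrorAction SilentlyContinue)

# 2. Is NLA required? UserAuthentication = 1 means the client must authenticate before a session is created.
$nla = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication -eq 1

# 3. Is Remote Desktop enabled at all? fDenyTSConnections = 1 means disabled.
$rdpEnabled = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections -ne 1

# 4. Does the host firewall already block inbound TCP 3389? (String match assumes English netsh output.)
$blockRule = [bool]((netsh advfirewall firewall show rule name="$ruleName") -match 'Action:\s+Block')

# Report the current state before changing anything.
[pscustomobject]@{
    ComputerName   = $env:COMPUTERNAME
    PatchInstalled = $patched
    NlaRequired    = $nla
    RdpEnabled     = $rdpEnabled
    HostBlocks3389 = $blockRule
}

if ($Remediate) {
    # Require NLA and the TLS security layer (SecurityLayer = 2) on the RDP-Tcp listener.
    if (-not $nla -and $PSCmdlet.ShouldProcess($rdpKey, 'Require Network Level Authentication')) {
        Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1 -Type DWord
        Set-ItemProperty -Path $rdpKey -Name SecurityLayer     -Value 2 -Type DWord
    }

    if ($RdpNotRequired) {
        # Disable the service entry point and block the port on the host as a backstop to the perimeter rule.
        if ($rdpEnabled -and $PSCmdlet.ShouldProcess($tsKey, 'Disable Remote Desktop')) {
            Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1 -Type DWord
        }
        if (-not $blockRule -and $PSCmdlet.ShouldProcess('Windows Firewall', "Add rule '$ruleName'")) {
            netsh advfirewall firewall add rule name="$ruleName" dir=in action=block protocol=TCP localport=3389 | Out-Null
        }
    }

    if (-not $patched) {
        Write-Warning "$PatchKbId is not installed; NLA reduces exposure but the May 14, 2019 update is the fix."
    }
}
```

Run it without switches first to collect the report from each host; the perimeter block on TCP 3389 is applied on the firewall itself and is not something this host-level script can verify.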
Microsoft has now issued a fresh warning about BlueKeep following reports that almost 1 million devices have still not had the patch applied. Microsoft is now confident that an exploit exists for the vulnerability and could be used in the wild to attack vulnerable systems.
Several security firms now claim to have developed exploits for the vulnerability, and at least one exploit is now publicly available. Scans for vulnerable devices have also increased in recent days, suggesting threat actors are preparing to conduct attacks.