[Breaking News] SandBlast Agent Protects Against BlueKeep RDP Vulnerability (CVE-2019-0708)!

Yossi_Hasson — Tue, 28 May 2019 12:16:00 GMT

Critical Vulnerability in Windows OS - Code execution using Remote Desktop Protocol (CVE-2019-0708)

SandBlast Agent is the First Endpoint Security Solution to

Protect Against BlueKeep RDP Vulnerability!

Recently, a security advisory was released for a vulnerability in RDP (Remote Desktop Protocol) affecting multiple Windows Operating Systems prior to 8.1. According to Microsoft’s advisory https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708, this vulnerability can be exploited for both remote code execution and denial of service attacks. All this without needing the credentials of the target machine.

Check Point’s SandBlast Agent Anti-Exploit now monitors the RDP service for both Windows 7 and Windows 2008R2 and is able to prevent this attack from occurring. Not only ןד SandBlast Agent able to prevent the exploit from being delivered on unpatched systems, but it is also able to prevent the exploit from being delivered to the previously vulnerable driver in patched systems.

The protection is available in SandBlast Agent's E80.97 Client Version (Can be downloaded from sk154432).

To see Anti-Exploit’s protection in action please see the following video, where our Threat Research Group’s POC used for exploitation is blocked. In addition, you can also see how we are able to block the scan of the Metasploit module that was recently developed to identify vulnerable systems.

Video 1: SandBast Agent protects against Check Point's Threat Research group BlueKeep based exploit:

(view in My Videos)

Video 2: SandBast Agent protects against Metasploit module developed to identify vulnerable systems:

This video is currently being processed. Please try again in a few minutes.

(view in My Videos)

SandBlast Agent BlueKeep Event Forensics Report:

To learn more about SandBlast Agent's Anti-Exploit protection of BlueKeep, see: sk154232 - Anti-Exploit Protection for Remote Desktop Protocol Vulnerability (CVE-2019-0708)

Note: Users who run SandBlast Agent with a third party Anti-Virus (AV) should be aware that Anti-Exploit is turned off in the presence of third party AVs. For this protection to be enabled, you must allow Anti-Exploit to work with third party AVs as detailed in sk154454 - Enabling Anti-Exploit when deployed with a third party Anti-Virus.

Re: [Breaking News] SandBlast Agent Prevents BlueKeep RDP Vulnerability (CVE-2019-0708) Exploitation

Kim_Moberg — Tue, 28 May 2019 09:39:07 GMT

Hi Yossi
I see you release E81.00 before release E80.97. does the E81.00 include a protection against the BlueKeep RDP Vulnerability too?

Thanks
Kim

Re: [Breaking News] SandBlast Agent Prevents BlueKeep RDP Vulnerability (CVE-2019-0708) Exploitation

Yossi_Hasson — Tue, 28 May 2019 09:56:47 GMT

Hi Kim,

E81.00 still does not include the BlueKeep protection. We do have it as a CFG on top of E81.00 for interested customers. Please approach TAC if you need this CFG over E81.00.

We intend to have it as a part of E81.10 that is planned to be released in June.

Best Regards,

Yossi

topic Re: [Breaking News] SandBlast Agent Prevents BlueKeep RDP Vulnerability (CVE-2019-0708) Exploitation in Endpoint

[Breaking News] SandBlast Agent Protects Against BlueKeep RDP Vulnerability (CVE-2019-0708)!

To learn more about SandBlast Agent's Anti-Exploit protection of BlueKeep, see: sk154232 - Anti-Exploit Protection for Remote Desktop Protocol Vulnerability (CVE-2019-0708)

Re: [Breaking News] SandBlast Agent Prevents BlueKeep RDP Vulnerability (CVE-2019-0708) Exploitation

Re: [Breaking News] SandBlast Agent Prevents BlueKeep RDP Vulnerability (CVE-2019-0708) Exploitation