BlueKeep: Severe Vulnerability in Windows RDP

by Calyptix, June 19, 2019

The Cybersecurity and Infrastructure Agency (CISA) issued a security alert yesterday about a nasty Windows vulnerability called BlueKeep.

This follows an alert earlier this month from the National Security Administration (NSA).

What exactly is BlueKeep?

BlueKeep is a security vulnerability (CVE-2019-0708) found in the Remote Desktop Protocol (RDP) in certain versions of Microsoft Windows.

The following versions are affected:

  • Windows 2000
  • Windows Vista
  • Windows XP
  • Windows 7
  • Windows Server 2003
  • Windows Server 2003 R2
  • Windows Server 2008
  • Windows Server 2008 R2

Attackers can exploit the flaw by sending specially crafted packets to a vulnerable, RDP-enabled system. This enables attackers to remotely execute commands with elevated privileges.

Attackers can then create administrator accounts, delete or manipulate data, install malware – you name it.

Versions of Windows that are not affected:

  • Windows 10
  • Windows 8
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows Server 2016
  • Windows Server 2019

How bad is BlueKeep?

An attacker can use BlueKeep to remotely execute arbitrary commands.

The flaw can be exploited before authentication and without user interaction.

The Common Vulnerability Scoring System (CVSS) gives it a base score of 9.8 CRITICAL or the maximum of 10.0 HIGH, depending on which version of the scoring system is used.

Security researchers say that attacks that leverage BlueKeep are “wormable” – as in they can spread across systems and networks automatically.

So it’s pretty bad.

Are attackers using BlueKeep?

No – but exploitation is inevitable.

For example, another security vulnerability (with an annoyingly similar name), EternalBlue, was leaked to the public on April 14, 2017.

The WannaCry ransomware attack struck four weeks later, infecting an estimated 200,000 systems in a few days.

WannaCry used EternalBlue to spread automatically within and across networks. It caused millions of dollars in damages and knocked out healthcare services across the U.K.

Microsoft first disclosed the new flaw, BlueKeep, on May 14th – so the clock is ticking.

How widespread is the BlueKeep vulnerability?

The problem is very widespread.

Windows is the dominant desktop platform and the flaw affects every version released before Windows 8 (2012).

More than 40% of Windows installations are running Windows 7 or Windows XP – both of which have the BlueKeep flaw (data via NetApplications.com).

[Chart: Microsoft Windows version market share, May 2019]

The good news: more than half of all Windows installations are running Windows 10, which is not affected.

Even if you’re stuck with a vulnerable, outdated version of Windows, you have some options. Microsoft released patches for some end-of-life versions, as we discuss below.

Can I fix BlueKeep?

Yes.

Upgrade to a new version of Windows, if you’re on an old, outdated version.

Always patch your system with Windows updates and configure them to apply automatically.

Here is a list of BlueKeep-related updates for current versions of Windows.

Microsoft even released patches for old versions of Windows. Some versions – such as Windows XP, Windows Vista, and Windows Server 2003 – reached end-of-life years ago.

On that last point: Microsoft has invested thousands of dollars to patch versions of Windows that it stopped supporting years ago. This should give you a sense of the severity of this threat.

Disable RDP and/or block TCP port 3389 if it’s not needed. Since RDP is one of the most targeted protocols for cyber attacks, you should do this even on systems unaffected by BlueKeep.

Configure RDP properly if you are required to have it enabled. Avoid exposing it to the public internet. Limit remote sessions to devices connecting via the LAN or VPN. Filter access to a whitelist of IPs.

Network Level Authentication can partially mitigate this flaw. NLA requires users to authenticate before a remote session can be established (and before the flaw can be exploited).
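As an added example (not code from the Calyptix post), here are the checks above turned into a PowerShell audit for a single host: it flags the affected OS generation, whether RDP is enabled and actually listening, and whether NLA is enforced, and it can switch NLA on. The function name and output fields are my own choices, and it does not check whether Microsoft's update is installed.

```powershell
# Added example: audit one Windows host for BlueKeep exposure using the
# conditions in the post (affected OS generation, RDP enabled and listening,
# NLA not enforced). Written for PowerShell 2.0+ so it also runs on the
# Windows 7 / Server 2008 R2 hosts it is meant for. Run elevated.
function Get-BlueKeepExposure {
    param([switch]$EnforceNla)   # hypothetical switch: turn NLA on if it is off

    $os = Get-WmiObject -Class Win32_OperatingSystem
    # Windows 8 / Server 2012 is NT 6.2; every earlier generation is affected.
    $affectedOs = [version]$os.Version -lt [version]'6.2'

    $ts   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcp  = "$ts\WinStations\RDP-Tcp"
    $tsv  = Get-ItemProperty -Path $ts  -ErrorAction SilentlyContinue
    $tcpv = Get-ItemProperty -Path $tcp -ErrorAction SilentlyContinue

    # fDenyTSConnections = 1 means Remote Desktop is switched off.
    $rdpEnabled  = ($tsv -ne $null) -and ($tsv.fDenyTSConnections -eq 0)
    # UserAuthentication = 1 means NLA must succeed before a session is built.
    $nlaRequired = ($tcpv -ne $null) -and ($tcpv.UserAuthentication -eq 1)
    # The listener port defaults to 3389 but can be changed in the registry.
    $port = 3389
    if ($tcpv -and $tcpv.PortNumber) { $port = [int]$tcpv.PortNumber }

    # Is anything listening on that port right now? (.NET call, works on all versions.)
    $listeners = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties().GetActiveTcpListeners()
    $listening = @($listeners | Where-Object { $_.Port -eq $port }).Count -gt 0

    # Pre-auth exposure: affected OS, RDP reachable, and no NLA in front of it.
    $exposedPreAuth = $affectedOs -and $rdpEnabled -and $listening -and (-not $nlaRequired)

    if ($EnforceNla -and $rdpEnabled -and (-not $nlaRequired)) {
        # Applies to new connections; clients without CredSSP support will be refused.
        Set-ItemProperty -Path $tcp -Name UserAuthentication -Value 1 -Type DWord
        $nlaRequired = $true
    }

    New-Object PSObject -Property @{
        Computer       = $env:COMPUTERNAME
        OS             = $os.Caption
        AffectedOS     = $affectedOs      # patch state is NOT checked here
        RdpEnabled     = $rdpEnabled
        RdpPort        = $port
        Listening      = $listening
        NlaRequired    = $nlaRequired
        ExposedPreAuth = $exposedPreAuth
    }
}

Get-BlueKeepExposure | Format-List
```

An affected host with `ExposedPreAuth` true should be patched and either taken off RDP or put behind NLA and a LAN/VPN-only firewall rule; NLA alone only narrows the window, as the post notes.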
