On 14 May 2019, Microsoft released fixes for a critical remote code execution vulnerability, CVE-2019-0708 (nicknamed “BlueKeep”). The vulnerability lies in Remote Desktop Services (formerly called Terminal Services) and affects certain older versions of Windows.
CVE-2019-0708 could allow an attacker to execute remote code on a vulnerable machine that’s running Remote Desktop Protocol (RDP). As the vulnerability is wormable, it could spread extremely rapidly and compromise millions of systems around the world in a very short span of time. In other words: it could result in a global incident similar to 2017’s WannaCry.
Luckily, developing a reliable exploit for BlueKeep does not appear to be a simple endeavor; it requires a high degree of expertise. Several security researchers have nevertheless created working proof-of-concept exploits, and attackers with suitable skills and motivation will do the same. Although a global worm hasn’t appeared yet, it is possible that stealthier attackers are already using the vulnerability in targeted attacks against high-value targets.
In addition, a security expert known on Twitter as @zerosum0x0 has recently disclosed his RDP exploit for the BlueKeep vulnerability to Metasploit. Once it becomes public, it will most likely increase the amount of RDP scanning, as a wider group of attackers seek to exploit systems that are still unpatched.
We urge administrators to fix the flaw on a company-wide scale as soon as possible. It’s estimated that over 700,000 machines are still unpatched across the globe.
How does BlueKeep differ from other vulnerabilities?
BlueKeep should be taken more seriously than your average security hole. Microsoft’s own actions make this clear: instead of issuing fixes only for the supported versions of their operating system (Windows 7, Windows Server 2008 R2, Windows Server), they also extended coverage to Windows XP, Windows Vista and Windows Server 2003.
Systems that run Windows 8 and 10 are not affected by BlueKeep. UPDATE: Microsoft has just revealed seven new RDP-related vulnerabilities that affect newer versions of Windows, all the way up to the latest versions of Windows 10. These have been dubbed “DejaBlue” by the wider security community. Two of the vulnerabilities under this moniker are rated extremely serious (9.7 and 9.8 out of 10), with Microsoft stating they present a similar threat of a global worm as the original BlueKeep. Here’s Microsoft’s statement regarding DejaBlue, along with security updates for all affected systems.
In their original statement about BlueKeep, Microsoft directly references the infamous WannaCry and NotPetya attacks that occurred in 2017. Both exploited a similar wormable vulnerability in a widely used protocol (SMB), which ended up affecting an estimated 200,000 systems in roughly 150 countries, with financial damages totaling hundreds of millions.
Here’s a run-down of the situation for BlueKeep, organized by infosec expert Kevin Beaumont who originally coined the term “BlueKeep”:
- Multiple security firms have created partially working exploits, but haven’t released any technical details (UPDATE: a working exploit has now been disclosed to Metasploit)
- The code and information needed to reach the trigger of the flaw (but not the exploitation) is available online
- Some scammers are selling fake exploits
- IDS/IPS vendors have released rules that can detect the exploitation
What should you do about BlueKeep?
1. KEEP CALM AND START PATCHING – BUT DO IT FAST
First, focus on patching externally facing RDP servers, then move on to critical servers such as domain controllers and management servers. Finally, patch non-critical servers that have RDP enabled, along with the rest of the desktop estate. You can find more information on applying the patch on Microsoft’s support pages.
F-Secure Radar users can identify vulnerable hosts using the active check featured in System Scan. For faster scan resolution:
- Limit the number of ports scanned to only those where your RDP service is exposed, typically TCP 3389
- Select only BlueKeep-related plugin 1051043
2. MITIGATE IN ORDER TO BUY MORE TIME FOR PATCHING
- Enable Network Level Authentication
Network Level Authentication (NLA) can be used to partially mitigate this vulnerability. Enabling NLA will force attackers to have valid credentials in order to perform RCE. F-Secure Radar users can scan hosts with plugin 100612 (“Network Level Authentication for RDP is not Enforced”) to detect hosts without NLA enabled. For faster scan resolution, use only this plugin to pinpoint the affected hosts.
- Block TCP port 3389 at the enterprise perimeter firewall
TCP port 3389 is used to initiate a connection with the affected system. Blocking this port with a firewall, preferably at the network perimeter level, will help to protect systems that are within the secured network. F-Secure Radar users can scan for affected hosts with open TCP port 3389 using a network scan. For faster scan resolution, scan only for this port in order to pinpoint the affected hosts.
- Disable Remote Desktop Services if they are not required.
In case you do not need these services in your environment, consider disabling them. Disabling unused and unneeded services helps reduce your exposure to security vulnerabilities, and is a security best practice.
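The three mitigations above, as an added host-level audit and remediation script (this is example code, not from the original post or from F-Secure). It assumes an elevated PowerShell session, the standard RDP-Tcp listener registry values (UserAuthentication = 1 enforces NLA, fDenyTSConnections = 1 disables Remote Desktop), and uses netsh advfirewall so that it also runs on Windows 7 and Server 2008 R2, where the NetSecurity cmdlets are unavailable.

```powershell
# Added example: report the BlueKeep mitigation state of this host and,
# with -Remediate, enforce NLA or (with -DisableRdp) turn RDP off entirely.
# Assumed: run as Administrator; registry paths are the standard RDP listener keys.
param(
    [switch]$Remediate,   # apply changes instead of only reporting
    [switch]$DisableRdp   # also disable Remote Desktop Services (only if not needed)
)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$tsKey\WinStations\RDP-Tcp"

# fDenyTSConnections = 1 means Remote Desktop is disabled on this host.
$rdpDisabled = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections `
                -ErrorAction SilentlyContinue).fDenyTSConnections -eq 1
# UserAuthentication = 1 means NLA (authentication before session creation) is required.
$nlaRequired = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication `
                -ErrorAction SilentlyContinue).UserAuthentication -eq 1
# A listening socket on TCP 3389 shows the service is actually reachable.
$listening = netstat -ano | Select-String ':3389\s+.*LISTENING'

Write-Host "Remote Desktop disabled : $rdpDisabled"
Write-Host "NLA required            : $nlaRequired"
Write-Host "TCP 3389 listening      : $([bool]$listening)"

if (-not $Remediate) { return }

if ($DisableRdp) {
    # Mitigation 3: disable Remote Desktop Services when they are not needed,
    # and block inbound TCP 3389 on the host firewall as a second layer
    # (the perimeter firewall block in the text is still the primary control).
    Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1
    netsh advfirewall firewall add rule name="Block inbound RDP 3389" `
        dir=in action=block protocol=TCP localport=3389 | Out-Null
    Write-Host 'Remote Desktop disabled and TCP 3389 blocked on the host firewall.'
}
elseif (-not $nlaRequired) {
    # Mitigation 1: enforce Network Level Authentication on the RDP-Tcp listener.
    # Restart the TermService service (or reboot) to be sure the change applies.
    Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1
    Write-Host 'NLA is now required for new RDP connections.'
}
```

Run it without switches first across the estate (for example via remoting or a scheduled task) to build the list of hosts still lacking NLA, then re-run with -Remediate on those hosts while the patch rollout proceeds.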
Read more about the importance of patch management in dealing with vulnerabilities like BlueKeep and DejaBlue: BlueKeep and Patch Management