What is BlueKeep?
Microsoft announced on Patch Tuesday in early May that a critical flaw had been identified and required immediate patching. The flaw quickly became known as BlueKeep: a critical remote code execution (RCE) vulnerability in the Remote Desktop Protocol (RDP) service of Windows, tracked as CVE-2019-0708 and described as a "wormable" security flaw, which affects older versions of the Windows OS (XP, 7, Server 2003 and Server 2008).
How Does BlueKeep Work?
The BlueKeep flaw allows an unauthenticated attacker to connect to the target Windows system over RDP (formerly known as Terminal Services) and send specially crafted requests. The vulnerability is pre-authentication and requires no user interaction. If successfully exploited, the attacker could access the system through a backdoor without needing credentials and install malicious programs; view, change, or delete data; or create new accounts with full user permissions. To add insult to injury, the flaw is "wormable", which means that future exploits could spread malware from an already compromised computer to other vulnerable computers in a similar fashion to what was seen in 2017 with WannaCry.
Who Is Affected?
Technically speaking, this vulnerability affects the following in-support and out-of-support Microsoft operating systems:
- Windows XP (out-of-support)
- Windows Server 2003 (out-of-support)
- Windows Server 2003 R2 (out-of-support)
- Windows Vista (out-of-support)
- Windows 7
- Windows Server 2008
- Windows Server 2008 R2
*Windows 8 and Windows 10 are not affected by this vulnerability.
You are potentially susceptible to this vulnerability if you have the Remote Desktop Protocol (RDP) exposed to the internet. Research has shown that nearly one million Windows systems are vulnerable to BlueKeep.
Due to the potential impact on customers and their businesses, Microsoft has made security updates available for all of the affected operating systems, even those no longer supported. While the flaw has not successfully been exploited in the wild, sources have said it won't be long before malicious actors write exploits and incorporate them into their malware.
To prevent exploitation of BlueKeep, organizations are advised to take these precautionary measures:
1. Patch affected systems. If your organization is running any of the identified vulnerable systems, ensure your patch management team has access to the latest Microsoft security updates and a timeline to apply them immediately.
2. Disable Remote Desktop Protocol (RDP) on affected systems until the security updates have been applied.
3. Configure RDP correctly. If your organization requires RDP, avoid exposing it to the public internet: only allow access from the Local Area Network (LAN), or filter RDP traffic at the firewall so that only approved IP addresses can reach it.
4. Secure your network with defense-in-depth security solutions that can detect and mitigate attacks at the network level.
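The following PowerShell script is an added example for this post, not TechGuard's own tooling, and it ties the four precautions together as a quick audit of a single Windows host: it checks whether the machine belongs to one of the affected OS families listed above, lists the installed updates so the patch team can confirm the CVE-2019-0708 update is present, reports whether RDP is enabled, and shows which remote addresses the inbound RDP firewall rule accepts. With the -Remediate switch it applies precautions 2 and 3 (RDP off until patched, inbound rule scoped to approved addresses). It assumes an elevated prompt, the default inbound rule name "Remote Desktop (TCP-In)", and that $ApprovedAddresses is replaced with your own LAN or jump-host range; the 10.0.0.0/8 default is a placeholder. It uses Get-WmiObject and netsh rather than newer cmdlets so it also runs on the PowerShell 2.0 shipped with Windows 7 and Server 2008 R2.

```powershell
# Added example (not from the original post): audit one Windows host against the four
# BlueKeep precautions. Assumptions: run as administrator; inbound rule name is the default
# "Remote Desktop (TCP-In)"; $ApprovedAddresses is a placeholder for your own LAN range.
param(
    [string[]]$ApprovedAddresses = @('10.0.0.0/8'),   # placeholder LAN range, replace with yours
    [switch]$Remediate                                # without this switch the script only reports
)

$tsKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$ruleName = 'Remote Desktop (TCP-In)'

# 1. Affected OS families by NT version: 5.1 = XP, 5.2 = Server 2003/R2,
#    6.0 = Vista/Server 2008, 6.1 = Windows 7/Server 2008 R2. 6.2+ (Windows 8/10) is not affected.
$os = Get-WmiObject Win32_OperatingSystem
$major, $minor = $os.Version.Split('.')[0..1]
$affected = ([int]$major -eq 5) -or ([int]$major -eq 6 -and [int]$minor -le 1)
Write-Host ("OS: {0} (version {1}) - affected family: {2}" -f $os.Caption, $os.Version, $affected)
if (-not $affected) { return }

# Installed updates, so the patch team can confirm the CVE-2019-0708 update for this OS
# (the KB number differs per OS version; take it from Microsoft's advisory).
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
Write-Host ("Installed updates ({0}): {1}" -f $installed.Count, ($installed -join ', '))

# 2. Is RDP enabled? fDenyTSConnections = 1 means Remote Desktop is turned off.
$deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections
Write-Host ("RDP enabled: {0}" -f ($deny -eq 0))

# 3. Which remote addresses may reach the inbound RDP rule? "Any" means internet-exposed if
#    the host is reachable from outside.
$ruleDump = netsh advfirewall firewall show rule name="$ruleName"
$remoteIp = ($ruleDump | Select-String '^RemoteIP:') -replace '^RemoteIP:\s*', ''
Write-Host ("Inbound RDP rule RemoteIP scope: {0}" -f $remoteIp)

if (-not $Remediate) { return }

# Precaution 2: turn RDP off until the security update is applied ...
Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1
# ... and precaution 3: when it is turned back on, only approved addresses may reach TCP 3389.
$scope = $ApprovedAddresses -join ','
netsh advfirewall firewall set rule name="$ruleName" new remoteip=$scope
Write-Host "RDP disabled and inbound rule '$ruleName' restricted to: $scope"
```

Run it once without the switch to see the report, then with `-Remediate -ApprovedAddresses '192.0.2.0/24'` (a constructed example range) on the hosts that turn out to be unpatched. Re-enable RDP (fDenyTSConnections back to 0) only after the update shows up in the hotfix list, and keep the firewall scoping in place afterwards; that is what keeps the port off the public internet regardless of patch state.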
TechGuard Security can test for the BlueKeep vulnerability mentioned in this blog and more. We provide organizations with a detailed report that focuses on risk and remediation so that your business can decide where to focus your efforts and how best to resolve these issues. Once you have performed remediation, TechGuard Security can then perform a Validation Re-scan to confirm that your systems are no longer susceptible to the BlueKeep CVE.
Our goal is to continually improve your organization's security program, and we do that by creating long-term relationships. Take a look at our service offerings and contact us today so that we can set up a Vulnerability Assessment for this and other known vulnerabilities, as well as provide you with a practical remediation plan.
Written by Kerri Setzer
Kerri Setzer is a Cybersecurity Consultant at TechGuard Security where she conducts penetration tests, vulnerability assessments, social engineering exercises and IT Controls Audits. Previously, Kerri spent five years in a Fortune 500 healthcare organization in an operational capacity, developing and maintaining advanced information technology solutions while ensuring IT solutions implemented within the organization met HIPAA compliance. She has participated in countless audits to validate various controls under SOX, HIPAA, PCI-DSS and NIST 800-53. In her spare time Kerri enjoys running, fishing and playing outdoor sports with her husband and four daughters.