If you haven’t yet patched the BlueKeep RDP vulnerability, do so now
There is still no public, working exploit code for CVE-2019-0708, a flaw that could allow an unauthenticated remote attacker to execute code on a vulnerable target that has Remote Desktop Protocol (RDP) enabled.
But, as many infosec experts have noted, we’re not far off from when one is created and leveraged by attackers in the wild. With the vulnerability being wormable, when it hits, the exploit could end up compromising millions of systems around the world, in homes and enterprises.
Why the hurry?
If you’re wondering just how critical this vulnerability is, Microsoft’s reaction is a good indication: the company issued fixes for it not just for the supported Windows versions (Windows 7, Windows Server 2008 R2, Windows Server) but also for Windows XP, Windows Vista and Windows Server 2003, which are still widely used but no longer receive mainstream support. (Systems running Windows 8 and Windows 10 are not vulnerable.)
A similarly wormable vulnerability in another widely used protocol (SMB) has been the vehicle for the infamous 2017 WannaCry and NotPetya attacks, and the infosec community is worried we’re in for a repeat with CVE-2019-0708.
Infosec expert Kevin Beaumont, who dubbed the flaw “BlueKeep”, is keeping on top of the developments tied to it. The situation at the moment is as follows:
- Several security companies have created partial working exploits, but have, understandably, not released technical details
- Code and knowledge to reach the trigger of the flaw (but not to exploit it) are available online
- Scammers are selling fake exploits
- IDS/IPS vendors have pushed out rules that can detect exploitation
- An unauthenticated BlueKeep network scanner tool has been released, and so has a Metasploit module that checks for the vulnerability without authenticating.
“It does appear non-trivial to develop a reliable remote code execution exploit for this vulnerability, which will hopefully get us a few more days until one is publicly available. However, exploit development is active, and I don’t think you have more than a week,” noted Johannes Ullrich, dean of research at the SANS Technology Institute and SANS ISC handler, and urged administrators to fix the flaw enterprise-wide before the long weekend starts (it’s Memorial Day in the US on Monday, as well as a Spring Bank Holiday in the UK).
What can you do?
If at all possible, implement the patches that Microsoft has provided.
The UK’s National Cyber Security Centre, which reported BlueKeep to Microsoft, advised organizations to patch external-facing RDP servers first, then critical servers such as domain controllers and management servers, and then non-critical servers with RDP enabled and the rest of the desktop estate.
If that’s not possible, there are several other mitigations available:
- Disable RDP services if they are not required
- Block port 3389 (the standard RDP port) at the enterprise perimeter firewall, or configure RDP to be accessible only via a VPN or from devices on the LAN
- Deploy IDS/IPS rules to detect the exploit (though Ullrich warns that they might not work due to traffic encryption)
- Enable Network Level Authentication (NLA) – this is a partial mitigation, as affected systems are still vulnerable to RCE exploitation if the attacker can authenticate with valid credentials.
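Because NLA is only a partial mitigation, it is worth verifying that it is actually enforced on each RDP host you administer rather than assuming the policy applied. The following added example (not code from the article, nor from the scanner or Metasploit module it mentions) performs the standard X.224 connection negotiation from MS-RDPBCGR: the client offers standard RDP security and TLS, and a server that requires NLA answers with an RDP_NEG_FAILURE carrying HYBRID_REQUIRED_BY_SERVER instead of selecting a protocol. The function names `build_connection_request`, `parse_connection_confirm` and `check_nla` are my own.

```python
import socket
import struct

# Protocol flags and failure code from MS-RDPBCGR (RDP_NEG_REQ / RDP_NEG_FAILURE).
PROTOCOL_RDP, PROTOCOL_SSL = 0x0, 0x1
HYBRID_REQUIRED_BY_SERVER = 0x5

def build_connection_request() -> bytes:
    """TPKT + X.224 Connection Request offering standard RDP security and TLS, but not CredSSP."""
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, PROTOCOL_RDP | PROTOCOL_SSL)
    x224_cr = bytes([0x0E, 0xE0, 0, 0, 0, 0, 0])           # LI, CR code, dst-ref, src-ref, class
    body = x224_cr + neg_req
    return struct.pack(">BBH", 3, 0, 4 + len(body)) + body   # TPKT: version 3, reserved, length

def parse_connection_confirm(data: bytes) -> dict:
    """Classify the server's X.224 Connection Confirm: is NLA enforced?"""
    if len(data) < 11 or data[0] != 3 or data[5] != 0xD0:
        return {"nla": None, "detail": "not an X.224 Connection Confirm"}
    tail = data[11:]                                         # bytes after the 7-byte CC TPDU
    if len(tail) < 8:
        # Legacy server that does not negotiate at all: standard RDP security only, no NLA.
        return {"nla": False, "detail": "no negotiation response (standard RDP security)"}
    typ, _flags, _length, value = struct.unpack("<BBHI", tail[:8])
    if typ == 0x02:   # RDP_NEG_RSP: server accepted one of the offered protocols, so NLA is off
        proto = "TLS" if value & PROTOCOL_SSL else "standard RDP security"
        return {"nla": False, "detail": f"server selected {proto}"}
    if typ == 0x03:   # RDP_NEG_FAILURE
        if value == HYBRID_REQUIRED_BY_SERVER:
            return {"nla": True, "detail": "HYBRID_REQUIRED_BY_SERVER (NLA enforced)"}
        return {"nla": False, "detail": f"negotiation failure code {value:#x}"}
    return {"nla": None, "detail": f"unexpected negotiation type {typ:#x}"}

def check_nla(host: str, port: int = 3389, timeout: float = 5.0) -> dict:
    """Connect to one RDP listener and report whether it enforces NLA."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_connection_request())
        return parse_connection_confirm(s.recv(1024))

if __name__ == "__main__":
    import sys
    for host in sys.argv[1:]:
        print(host, check_nla(host))
```

A result of `nla: False` on a host reachable from outside the perimeter means the firewall or VPN mitigations above are the only thing standing between it and an unauthenticated exploit.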
“Being vulnerable exposes two fundamental weaknesses in your network: You are still running Windows 7 (or XP??), and you are exposing RDP. Neither is good, and both issues need to be addressed. With this focus on RDP, there is a good chance that additional vulnerabilities will be found in the next few months. If this is true, then fire drills will continue until you can get these two issues resolved,” Ullrich pointed out.
“Upgrading from Windows 7 to 10 and upgrading from Windows Server 2008 should already be underway, so you may just accelerate what you are already doing. If you still run Windows XP: There better be a very good reason for it, and I hope that you have those systems adequately protected.”
UPDATE (May 23, 2019, 12:42 p.m. PT):
There’s been a crowdsourced exploit development process with a sprinkle of reused nation state hacking ideas and basically the barrier to entry to exploit this is crumbling.
Keep calm and patch on – maybe a bit faster.
— Kevin Beaumont (@GossiTheDog) May 23, 2019