On 14 May 2019, Microsoft released fixes for a critical Remote Code Execution vulnerability called CVE-2019-0708 (nicknamed “BlueKeep”). The vulnerability concerns the Remote Desktop Protocol (RDP) – previously called Terminal Services – and affects certain older versions of Windows.
BlueKeep could allow an attacker to execute remote code on a vulnerable machine that’s running Remote Desktop Protocol. As the vulnerability is wormable, it could spread extremely rapidly and compromise millions of systems around the world in a very short span of time.
Luckily, it seems that developing a reliable exploit to leverage this vulnerability is not a simple endeavour – so far there is no publicly available exploit code. But development is active, and we’re not far off from it appearing out in the wild for attackers to leverage. By our estimation an exploit will be available in a week at the latest.
To be on the safe side, we urge administrators to fix the flaw on a company-wide scale as soon as possible.
How does BlueKeep differ from other vulnerabilities?
BlueKeep should be taken more seriously than your average security hole. Microsoft’s response makes this clear: instead of issuing fixes only for the supported versions of their operating system (Windows 7, Windows Server 2008 R2, Windows Server), they also extended coverage to the unsupported Windows XP, Windows Vista and Windows Server 2003. Systems that run Windows 8 and 10 are not affected by BlueKeep.
In their statement, Microsoft directly references the infamous WannaCry and NotPetya attacks of 2017. Both exploited a similar wormable vulnerability in a widely used protocol (SMB), which ended up affecting an estimated 200,000 systems in roughly 150 countries, with financial damages totaling hundreds of millions.
Here’s the current rundown of the situation, organized by infosec expert Kevin Beaumont, who originally coined the term “BlueKeep”:
- Multiple security firms have created partially working exploits, but haven’t (of course) released any technical details.
- The code and information needed to reach the trigger of the flaw (but not the exploitation) are available online.
- Some scammers are selling fake exploits.
- IDS/IPS vendors have released rules that can detect the exploitation.
What should you do about BlueKeep?
1. Keep calm and start patching – but do it quickly.
First, focus on patching externally facing RDP servers, then move on to critical servers such as domain controllers and management servers.
Finally, patch non-critical servers that have RDP enabled, along with the rest of the desktop estate. You can find more information on applying the patch on Microsoft’s support pages.
F-Secure Radar users can identify vulnerable hosts using an Authenticated Scan. For faster scan resolution:
- Limit the ports scanned to only those required to authenticate to the host: TCP 445 (SMB/CIFS), TCP 135 (RPC) and TCP 5986 (WinRM).
- Select only plugin 1013880 to activate the Windows Authenticated scan-related plugins.
2. Mitigate the vulnerability in order to buy more time for patching.
- Enable Network Level Authentication
Network Level Authentication (NLA) can be used to partially mitigate this vulnerability. With NLA enabled, a client must authenticate before a session is created, so an attacker needs valid credentials to perform RCE. F-Secure Radar users can scan hosts with plugin 100612 (“Network Level Authentication for RDP is not Enforced”) to detect hosts without NLA enabled. For faster scan resolution, use only this plugin to pinpoint the affected hosts.
- Block TCP port 3389 at the enterprise perimeter firewall
TCP port 3389 is used to initiate a connection with the affected system. Blocking this port with a firewall, preferably at the network perimeter, helps protect systems within the secured network. F-Secure Radar users can scan for affected hosts with open TCP port 3389 using a network scan. For faster scan resolution, scan only for this port in order to pinpoint the affected hosts.
- Disable Remote Desktop Services if they are not required
If you do not need these services in your environment, consider disabling them. Disabling unused and unneeded services reduces your exposure to security vulnerabilities and is a security best practice.
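The three mitigations above, as an added PowerShell audit script that is not part of the original post or of F-Secure Radar: it reports whether RDP is enabled, whether NLA is enforced, whether inbound TCP 3389 is blocked by the local firewall and the state of the Remote Desktop Services service, and with -Remediate enforces NLA and adds the block rule. It assumes an affected host (Windows 7 / Server 2008 R2) with PowerShell 2.0 or later, an elevated prompt, an English-language netsh, and the firewall rule name is our own choice.

```powershell
<#
 Added example, not the original post's code: audit the BlueKeep mitigations
 on this host and, with -Remediate, enforce NLA and block inbound TCP 3389.
 Assumes Windows 7 / Server 2008 R2, PowerShell 2.0+, elevated prompt.
#>
param([switch]$Remediate)

$tsKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp   = "$tsKey\WinStations\RDP-Tcp"
$ruleName = 'BlueKeep mitigation - block inbound RDP'   # our own rule name

# Remote Desktop is enabled when fDenyTSConnections is 0.
$deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
$rdpEnabled = ($deny -eq 0)

# NLA is enforced when UserAuthentication is 1: the client must authenticate
# before a session is created, so unauthenticated connections never reach it.
$ua  = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
$nla = ($ua -eq 1)

# Does our inbound block rule for TCP 3389 already exist? netsh prints the
# rule details (including "Rule Name:") when it does; English locale assumed.
$ruleOut = netsh advfirewall firewall show rule name="$ruleName"
$blocked = [bool]($ruleOut -match 'Rule Name:')

# TermService is the Remote Desktop Services service. Its state is reported
# only; disabling it is a deliberate decision for hosts that do not need RDP.
$svc = Get-WmiObject Win32_Service -Filter "Name='TermService'"

"Remote Desktop enabled   : $rdpEnabled"
"NLA enforced             : $nla"
"Inbound TCP 3389 blocked : $blocked"
"TermService              : $($svc.State) (start mode $($svc.StartMode))"

if ($Remediate) {
    if ($rdpEnabled -and -not $nla) {
        # UserAuthentication already exists as a DWORD under RDP-Tcp.
        Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1
        'Enabled NLA; applies to new RDP connections.'
    }
    if (-not $blocked) {
        netsh advfirewall firewall add rule name="$ruleName" dir=in action=block protocol=TCP localport=3389 | Out-Null
        'Added inbound block rule for TCP 3389.'
    }
}
```

Run it without parameters first to see the current state; the local firewall rule complements, rather than replaces, blocking 3389 at the perimeter, since it does nothing for hosts whose firewall is off or managed by policy.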