Remember the panic that hit organizations around the world on May 12th, 2017 when machine after machine displayed the WannaCryptor ransom screen? Well, we might have a similar incident on our hands in the coming days, weeks or months if companies don’t update or otherwise protect their older Windows systems right away. The reason is BlueKeep, a 'wormable' critical Remote Code Execution (RCE) vulnerability in Remote Desktop Services that could soon become the new go-to vector for spreading malware. A patch by Microsoft for supported, as well as some unsupported, operating systems has been available since May 14th.
The BlueKeep vulnerability was found in Remote Desktop Services (also known as Terminal Services). If successfully exploited in the future, it could enable access to the targeted computer via a backdoor with no credentials or user interaction needed.
To make the bad news even worse, the vulnerability is ‘wormable’. This means that future exploits might use it to spread malware within or outside of networks in similar ways to what was seen with WannaCryptor.
Following Microsoft’s release of these latest patches, security researchers were able to create several working proofs-of-concept, but at the time of writing, none of these have been publicly released and there are no known cases of the flaw being exploited in the wild.
The flaw, listed as CVE-2019-0708, affects multiple in-support and out-of-support versions of Microsoft’s operating systems. Users of Windows 7, Windows Server 2008 R2, and Windows Server 2008 with automatic updates enabled are protected. Microsoft also issued special updates for two non-supported versions – namely Windows XP and Windows Server 2003 – which are available via this site. Windows 8 and Windows 10 are not affected by the vulnerability.
Microsoft has not released patches for Windows Vista, despite this version also being affected by the vulnerability. The only solution here is to disable Remote Desktop Protocol (RDP) completely or only allow its use when accessed via VPN.
It is important to note that any company using misconfigured RDP over the internet is putting its users and resources at risk. Apart from vulnerabilities such as BlueKeep, attackers also try to brute force their way into company machines and internal systems.
The BlueKeep case bears a strong resemblance to the events from two years ago. On March 14th, 2017, Microsoft released fixes for a wormable vulnerability in the Server Message Block (SMB) protocol, advising all users to patch their Windows machines immediately.
The reason for this was the EternalBlue exploit – a malicious tool allegedly designed by and stolen from the National Security Agency (NSA) – which targeted the SMB loophole. A month later, EternalBlue leaked online and in a few weeks became the vehicle for the two most damaging cyberattacks in recent history – WannaCry(ptor) and NotPetya (Diskcoder.C).
A similar scenario might unfold with BlueKeep given its wormable nature. Right now, it is only a matter of time until someone publishes a working exploit or a malware author starts selling one on the underground markets. Should that happen, it will probably become very popular among less skilled cybercriminals and also a lucrative asset for its originator.
BlueKeep will also show if organizations around the world learned a lesson after the large 2017 outbreaks and improved their security posture and patching routines.
To sum it up, organizations and users are advised to:
- Patch, patch, patch. If you or your organization run a supported version of Windows, update it to the latest version. If possible, enable automatic updates. If you are still using unsupported Windows XP or Windows Server 2003 – for whatever reason – download and apply the patches as soon as possible.
- Disable Remote Desktop Protocol. Despite RDP itself not being vulnerable, Microsoft advises organization to disable it until the latest patches have been applied. Further, to minimize your attack surface, RDP should only be enabled on devices where it really is used and needed.
- Configure RDP properly. If your organization absolutely must use RDP, avoid exposing it to the public internet. Only devices on the LAN, or accessing via a VPN, should be able to establish a remote session. Another option is to filter RDP access using firewall, whitelisting only a specific IP range. The security of your remote sessions can be further improved by using multi-factor authentication.
- Enable Network Level Authentication (NLA). BlueKeep can be partially mitigated by having NLA enabled, as it requires the user to authenticate before a remote session is established and the flaw can be misused. However, as Microsoft adds, “affected systems are still vulnerable to Remote Code Execution (RCE) exploitation if the attacker has valid credentials that can be used to successfully authenticate.”
- Use a reliable multi-layered security solution that can detect and mitigate the attacks exploiting the flaw on the network level.