BlueKeep: Recognizing & preventing RDP vulnerabilities

Firewalls.com is cracking open our case files to take a closer look at one of the net’s most dangerous suspects: BlueKeep.

Vulnerability Name: BlueKeep

Common Vulnerability & Exposures ID: CVE-2019-0708

Affected Operating Systems:

  • Windows 2000
  • Windows Vista
  • Windows XP
  • Windows 7
  • Windows Server 2003
  • Windows Server 2008

Type of Vulnerability: Remote Code Execution

First Reported: May 2019 by UK National Cyber Security Centre

Summary

BlueKeep is a vulnerability found in Windows Remote Desktop Services. It enables Remote Code Execution (RCE), meaning the attacker is able to run arbitrary code on targeted devices. BlueKeep is a “wormable” exploit that can act as a foothold for active attackers to leverage and launch further malware attacks. This multi-stage strategy of exploiting a vulnerability to gain access and then using the breach as a conduit for more serious attacks is growing in popularity, with big-name self-propagating worms like WannaCryptor and the more recent Ryuk attacks coming to mind.

Windows Remote Desktop Services, which BlueKeep exploits, relies on the Remote Desktop Protocol (RDP), a protocol developed by Microsoft that delivers a graphical interface to users while connected to another computer over a network. Also known as “Terminal Service,” RDP has been included by Microsoft in every version of Windows since XP in 2001. RDP is used by network administrators to remotely connect to a machine in order to diagnose and resolve problems that users encounter. If you’ve ever allowed tech support to “remote in” to your computer, you may have been utilizing Windows Remote Desktop Services to do so.

Securing your network against BlueKeep

A patch for BlueKeep was released on May 14th, 2019. Whereas most patches released by Microsoft are compatible only with supported versions of Windows operating systems, CVE-2019-0708 patches were also made available for Windows OS platforms that are no longer supported. This is a very rare occurrence for Microsoft and a sign of the potential havoc BlueKeep could wreak on unprepared systems.

While BlueKeep was initially thought to have the potential to mirror the cyber crises that spiraled out of the EternalBlue exploits of 2017, Microsoft claims to have found no active exploits in the wild utilizing the BlueKeep vulnerability. Sophos created a working proof-of-concept fileless exploit using the vulnerability. Though the code was never released to the public, a video demonstration of the exploit was published, visualizing the potential damage of BlueKeep.

So how should small businesses and network administrators be securing their systems against BlueKeep? As always, your first step should be to install patches! The BlueKeep vulnerability was addressed by Microsoft in May of 2019 for both supported and unsupported operating systems. It is recommended that organizations thoroughly test all patches before installation.

Other steps to ensure your organization is safe against BlueKeep include disabling Remote Desktop Protocol altogether where it is not needed, or blocking TCP port 3389 at the firewall so the service is not reachable, updating outdated or unsupported operating systems, and enabling Network Level Authentication, which requires a user to authenticate before a remote session is established. Keep in mind, however, that these extra steps may add some friction for any organization that routinely makes use of remote desktop services.
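As an added illustration of the hardening steps above (not code from the Firewalls.com post), the following PowerShell script audits a Windows host for the settings discussed: whether Remote Desktop is enabled, whether Network Level Authentication is required, and whether inbound TCP 3389 is blocked, and can enforce the last two. It assumes an elevated session on Windows 8 / Server 2012 or later so the NetSecurity cmdlets are available; the patch KB number varies by OS and is left as a placeholder parameter to be taken from Microsoft's CVE-2019-0708 advisory.

```powershell
# Added example (not from the Firewalls.com post): audit the RDP settings the
# article recommends and optionally enforce them. Assumes an elevated session
# and the NetSecurity module (Windows 8 / Server 2012 and later).
param(
    [switch]$Enforce,        # require NLA and add an inbound block rule for 3389
    [string]$PatchKb = $null # placeholder: KB id for CVE-2019-0708 on this OS, from Microsoft's advisory
)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

# fDenyTSConnections = 1 means Remote Desktop is disabled on this host.
$rdpDisabled = (Get-ItemProperty -Path $tsKey).fDenyTSConnections -eq 1

# UserAuthentication = 1 means Network Level Authentication is required,
# so a client must authenticate before a session is set up.
$nlaRequired = (Get-ItemProperty -Path $rdpKey).UserAuthentication -eq 1

# Look for an enabled inbound firewall rule that blocks TCP 3389.
$blockRule = Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '3389' }

# Patch check only runs when a KB id is supplied; otherwise report it as unknown.
$patched = if ($PatchKb) { [bool](Get-HotFix -Id $PatchKb -ErrorAction SilentlyContinue) }
           else { 'unknown (no KB supplied)' }

[pscustomobject]@{
    Host            = $env:COMPUTERNAME
    OSVersion       = [Environment]::OSVersion.Version.ToString()
    RdpDisabled     = $rdpDisabled
    NlaRequired     = $nlaRequired
    Port3389Blocked = [bool]$blockRule
    BlueKeepPatch   = $patched
}

if ($Enforce) {
    # Both changes are reversible if remote desktop access is still required.
    Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1
    if (-not $blockRule) {
        New-NetFirewallRule -DisplayName 'Block inbound RDP (CVE-2019-0708 mitigation)' `
            -Direction Inbound -Protocol TCP -LocalPort 3389 -Action Block | Out-Null
    }
}
```

Run it without switches first to see the current state on each host; a `RdpDisabled` of False with `NlaRequired` False and `Port3389Blocked` False is the configuration the article warns about.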

Looking to learn more about cyber threats?

Check out our latest podcast on cyber threats with SonicWall’s Dan Kremers and Fortinet’s Douglas Santos as they discuss zombies, botnets, fileless malware, and more in episode 5 of Ping.

You can also browse the Firewalls.com Threat Dictionary, where we dissect all the cyber creepy-crawlies haunting the web.