Microsoft Operating Systems BlueKeep Vulnerability

Filed under Notifications (Ειδοποιήσεις).

Microsoft announced that a vulnerability was discovered in Remote Desktop Services that could allow wormable malware, such as ransomware, to propagate easily between vulnerable systems without any user interaction.

This vulnerability, now known as BlueKeep, was assigned the identifier CVE-2019-0708 and affects Windows 7, Windows Server 2008 R2, Windows Server 2008, Windows XP, and Windows Server 2003. Windows 8 and later, and Windows Server 2012 and later, are not affected. Due to its severity, Microsoft released patches for all supported versions of Windows as well as for Windows XP and Windows Server 2003, which are out of support and no longer receive security updates.

Since then, several security vendors and researchers have reported working proof-of-concept exploits for this vulnerability. At the time of writing none of them has been released publicly, but it would not be surprising if malware developers and threat actors were working on their own exploits.

As detailed in Microsoft’s security advisory:

  • A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests.
  • An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
  • The update addresses the vulnerability by correcting how Remote Desktop Services handles connection requests.

How to find Windows systems affected by BlueKeep

Both tools below probe TCP port 3389 and report whether the host appears vulnerable; scan only systems you are authorized to test.

  1. RDPScan by Robert Graham (Windows/macOS)
     Link for RDPScan: Github: Robertdavidgraham/rdpscan
  2. Metasploit Framework module by Zerosum0x0 and JaGoTu
     Link for Metasploit Framework module: Github: zerosum0x0/CVE-2019-0708


Mitigations

Until the patch is applied or the system is upgraded, the following actions are recommended to increase resilience:

  1. Block TCP port 3389 at your firewalls, especially any perimeter firewall exposed to the internet. TCP 3389 is the default RDP listening port, so blocking it stops external connection attempts from reaching the service. Note that this does not cover an RDP listener moved to a non-default port, and a perimeter rule does nothing against propagation between hosts inside the network.
     • Suricata detection signatures can be found at: Github: Cyber-Defence/Signatures/suricata
  2. Enable Network Level Authentication (NLA). With NLA, an attacker needs valid credentials before reaching the vulnerable code path, so unauthenticated remote code execution is no longer possible.
     • The vulnerability can be partially mitigated by enabling NLA for Remote Desktop Services connections on vulnerable systems. NLA is an authentication method which "completes user authentication before you establish a remote desktop connection and the logon screen appears. This is a more secure authentication method that can help protect the remote computer from malicious users and malicious software."
     • Despite this, an attacker who already holds credentials valid on a system where RDS is enabled can still authenticate and then trigger the RCE vulnerability.
     • Link to enable Network Level Authentication (NLA): Microsoft Docs
  3. Disable Remote Desktop Services if they are not required. Disabling unused and unneeded services reduces exposure to security vulnerabilities in general and is good practice even without the BlueKeep threat.
  4. Update the affected systems. Applying Microsoft's security update for CVE-2019-0708 is the only complete fix; the steps above reduce exposure but do not remove the vulnerability.


The information contained in this website is for general information purposes only. The information is gathered from the Microsoft MSRC Portal. While we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk. Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or an endorsement of the views expressed within them.
Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.