Microsoft announced that a vulnerability was discovered in Remote Desktop Services that could allow wormable malware, such as ransomware, to propagate easily from one vulnerable system to the next without any user interaction.
This vulnerability, now known as BlueKeep, was given the unique ID CVE-2019-0708 and affects Windows 7, Windows 2008 R2, Windows Server 2008, Windows XP, and Windows Server 2003. Due to its severity, Microsoft released patches for all supported versions of Windows as well as for Windows XP and Windows Server 2003, which no longer receive security updates.
Since then, numerous security vendors and researchers have successfully created proof-of-concept exploits for this vulnerability. While none of these have been released, it would not be surprising if malware developers and threat actors were working on their own exploits.
As detailed in Microsoft’s security advisory:
- A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests.
- An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
- The update addresses the vulnerability by correcting how Remote Desktop Services handles connection requests.
How to find Windows systems affected by BlueKeep
- RDPScan by Robert Graham (Windows/macOS). Link: GitHub: Robertdavidgraham/rdpscan
- Metasploit Framework module by Zerosum0x0 and JaGoTu. Link: GitHub: zerosum0x0/CVE-2019-0708
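The scanners above probe the RDP service from the network. A complementary, defender-side way to find affected machines is to ask the hosts themselves. The following PowerShell script is an added example, not code from the article or from either scanner: it inventories a list of hosts over WinRM, reports OS version, whether RDP is enabled, whether Network Level Authentication is required, and whether the fix is installed. It assumes WinRM access to the hosts, and the KB id of the fix has to be taken from Microsoft's advisory (the article does not list KB numbers, so the script uses a placeholder). It uses PowerShell 2.0-era cmdlets so the probe also runs on Windows 7 / Server 2008 R2.

```powershell
# Added example (not from the article or the scanners it lists): WinRM-based
# inventory of Windows hosts for BlueKeep (CVE-2019-0708) exposure.
# Assumptions: WinRM access to each host; the KB id of the fix taken from
# Microsoft's advisory (PLACEHOLDER below).
param(
    [string[]]$ComputerName = @('localhost'),  # constructed default; pass your own host list
    [string]$PatchKb = 'KB0000000'              # PLACEHOLDER: KB id of the CVE-2019-0708 fix for the OS
)

# Kernel versions of the OSes the article names as affected:
# XP = 5.1 (x64 XP reports 5.2), Server 2003 = 5.2, Server 2008 = 6.0, Windows 7 / 2008 R2 = 6.1
$affectedVersions = @('5.1', '5.2', '6.0', '6.1')
$tsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcpKey = "$tsKey\WinStations\RDP-Tcp"

# Runs on each target: OS version, RDP enabled?, NLA required?, fix installed?
$probe = {
    param($tsKey, $rdpTcpKey, $PatchKb)
    $os   = Get-WmiObject -Class Win32_OperatingSystem
    $deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    $nla  = (Get-ItemProperty -Path $rdpTcpKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    New-Object PSObject -Property @{
        Host         = $env:COMPUTERNAME
        OsCaption    = $os.Caption
        OsVersion    = (($os.Version -split '\.')[0..1]) -join '.'
        RdpEnabled   = ($deny -ne 1)   # fDenyTSConnections = 1 means RDP is off; a missing value is treated as "on"
        NlaRequired  = ($nla -eq 1)
        PatchPresent = [bool](Get-HotFix -Id $PatchKb -ErrorAction SilentlyContinue)
    }
}

$results = foreach ($c in $ComputerName) {
    try {
        if ($c -eq 'localhost') { & $probe $tsKey $rdpTcpKey $PatchKb }
        else { Invoke-Command -ComputerName $c -ScriptBlock $probe -ArgumentList $tsKey, $rdpTcpKey, $PatchKb -ErrorAction Stop }
    } catch {
        # XP / Server 2003 usually have no WinRM at all: they land here and need a manual check
        New-Object PSObject -Property @{ Host = $c; OsCaption = 'unreachable'; OsVersion = ''; RdpEnabled = $null; NlaRequired = $null; PatchPresent = $null }
    }
}

# Classify each host; "VULNERABLE" rows are the ones to patch or isolate first.
$results |
    Select-Object Host, OsCaption, OsVersion, RdpEnabled, NlaRequired, PatchPresent,
        @{ Name = 'Status'; Expression = {
            if ($_.OsCaption -eq 'unreachable')                  { 'CHECK MANUALLY (no WinRM)' }
            elseif ($affectedVersions -notcontains $_.OsVersion) { 'OS not in affected list' }
            elseif ($_.PatchPresent)                             { 'patched' }
            elseif (-not $_.RdpEnabled)                          { 'affected OS, RDP disabled' }
            elseif ($_.NlaRequired)                              { 'affected OS, NLA on (partial mitigation only)' }
            else                                                 { 'VULNERABLE: affected OS, RDP on, no NLA' }
        } } |
    Sort-Object Status |
    Format-Table -AutoSize
```

Run it as `.\Find-BlueKeepExposure.ps1 -ComputerName (Get-Content hosts.txt) -PatchKb <KB from advisory>`. Hosts that are unreachable over WinRM are typically the XP and Server 2003 machines, which is exactly the population the article flags as out of support, so treat "CHECK MANUALLY" as a finding rather than noise.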
The agency proposes the following actions to increase resilience until a patch is applied or an upgrade performed:
- Block TCP port 3389 at your firewalls, especially any perimeter firewalls exposed to the internet. RDP listens on this port, so blocking it stops connection attempts from reaching the service.
- A Suricata detection signature can be found on GitHub: Cyber-Defence/Signatures/suricata
- Enable Network Level Authentication. This security improvement requires an attacker to hold valid credentials before an RDP session is established, which blocks unauthenticated exploitation.
- The vulnerability can be partially mitigated by enabling Network Level Authentication (NLA) for Remote Desktop Services Connections on vulnerable systems, an authentication method which “completes user authentication before you establish a remote desktop connection and the logon screen appears. This is a more secure authentication method that can help protect the remote computer from malicious users and malicious software.”
- Despite this, potential attackers could still abuse the RCE vulnerability if they already have the credentials needed to authenticate on a system where RDS is enabled.
- Link to enable Network Level Authentication (NLA): Microsoft Docs
- Disable Remote Desktop Services if they are not required. Disabling unused and unneeded services helps reduce exposure to security vulnerabilities overall and is a best practice even without the BlueKeep threat.
- Update the affected systems.
- Microsoft’s update link: Microsoft MSRC Portal
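The mitigations listed above (host firewall block on 3389, NLA, disabling RDS where unneeded) can be applied and verified with one script. This PowerShell script is an added example and not part of the article or of Microsoft's guidance; it assumes it is run elevated on the affected host, uses netsh and registry writes so it also works on Windows 7 / Server 2008 (the newer Get-NetFirewallRule cmdlets need Windows 8 or later), and the firewall rule name is our own choice. It only protects the host it runs on; the article's perimeter firewall block still has to be configured on those devices, and the MSRC update remains the actual fix.

```powershell
# Added example (not part of the article): apply the interim BlueKeep mitigations
# to the local host. Run from an elevated PowerShell; -WhatIf previews the changes.
# Works on Vista/2008 and later; XP/2003 use the older "netsh firewall" syntax instead.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$DisableRemoteDesktop   # set when Remote Desktop Services is not needed on this host
)

$tsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcpKey = "$tsKey\WinStations\RDP-Tcp"
$ruleName  = 'BlueKeep-Block-Inbound-RDP-3389'   # our own rule name, not a Windows default

# 1. Block inbound TCP 3389 on the host firewall (skipped if the rule already exists).
$existing = netsh advfirewall firewall show rule name="$ruleName"
if ($existing -match 'No rules match') {
    if ($PSCmdlet.ShouldProcess('Windows Firewall', "Add inbound block rule for TCP 3389 ($ruleName)")) {
        netsh advfirewall firewall add rule name="$ruleName" dir=in action=block protocol=TCP localport=3389 | Out-Null
    }
}

# 2. Require Network Level Authentication on the RDP-Tcp listener.
#    Partial mitigation only: an attacker who already holds valid credentials can still reach the flaw.
Set-ItemProperty -Path $rdpTcpKey -Name UserAuthentication -Value 1 -Type DWord

# 3. Optionally disable Remote Desktop Services entirely (deny connections and stop the service).
if ($DisableRemoteDesktop) {
    Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1 -Type DWord
    Stop-Service -Name TermService -Force
    Set-Service  -Name TermService -StartupType Disabled
}

# 4. Read back the resulting state so the change can be verified and recorded.
New-Object PSObject -Property @{
    Host               = $env:COMPUTERNAME
    FirewallRule       = $ruleName
    NlaRequired        = ((Get-ItemProperty -Path $rdpTcpKey -Name UserAuthentication).UserAuthentication -eq 1)
    RdpDisabled        = ((Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections -eq 1)
    TermServiceStatus  = (Get-Service -Name TermService).Status
    PatchStillRequired = $true   # these steps reduce exposure; only the MSRC update removes the vulnerability
}
```

Run `.\Mitigate-BlueKeep.ps1 -WhatIf` first to see what would change, then without `-WhatIf`; add `-DisableRemoteDesktop` on hosts where RDS is not needed. The read-back object at the end is what to keep as evidence that the mitigation was applied until the patch from the MSRC portal is installed.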