Pierluigi Paganini June 18, 2019

The Cybersecurity and Infrastructure Security Agency (CISA) of the U.S. DHS on Monday issued an alert for the BlueKeep Windows flaw (CVE-2019-0708).

After Microsoft and the US NSA, the Cybersecurity and Infrastructure Security Agency (CISA) of the U.S. DHS on Monday issued an alert for the BlueKeep Windows flaw (CVE-2019-0708).

Experts at the CISA Agency successfully exploited the BlueKeep flaw on a machine running Windows 2000. The agency urges Microsoft users and administrators to install security patches, disable unnecessary services, enable Network Level Authentication (NLA) if available, and block TCP port 3389.

Below an excerpt from the security advisory:

“CISA encourages users and administrators review the Microsoft Security Advisory [3] and the Microsoft Customer Guidance for CVE-2019-0708 [4] and apply the appropriate mitigation measures as soon as possible:

• Install available patches. Microsoft has released security updates to patch this vulnerability. Microsoft has also released patches for a number of OSs that are no longer officially supported, including Windows Vista, Windows XP, and Windows Server 2003. As always, CISA encourages users and administrators to test patches before installation.”

For OSs that do not have patches or systems that cannot be patched, other mitigation steps can be used to help protect against BlueKeep:

• Upgrade end-of-life (EOL) OSs. Consider upgrading any EOL OSs no longer supported by Microsoft to a newer, supported OS, such as Windows 10.
• Disable unnecessary services. Disable services not being used by the OS. This best practice limits exposure to vulnerabilities.  
• Enable Network Level Authentication. Enable Network Level Authentication in Windows 7, Windows Server 2008, and Windows Server 2008 R2. Doing so forces a session request to be authenticated and effectively mitigates against BlueKeep, as exploit of the vulnerability requires an unauthenticated session.
• Block Transmission Control Protocol (TCP) port 3389 at the enterprise perimeter firewall. Because port 3389 is used to initiate an RDP session, blocking it prevents an attacker from exploiting BlueKeep from outside the user’s network. However, this will block legitimate RDP sessions and may not prevent unauthenticated sessions from being initiated inside a network.

The vulnerability, tracked as CVE-2019-0708, impacts the Windows Remote Desktop Services (RDS) and was addressed by Microsoft with May 2019 Patch Tuesday updates. BlueKeep is a wormable flaw that can be exploited by malware authors to create malicious code with WannaCry capabilities.

As explained by Microsoft, this vulnerability could be exploited by malware with wormable capabilities, it could be exploited without user interaction, making it possible for malware to spread in an uncontrolled way into the target networks.

Many security experts have already developed their own exploit code for this issue without publicly disclosing it for obvious reasons.

Experts believe that it just a matter of time before we will see threat actors exploiting the flaw in the wild.

“Right now, it is only a matter of time until someone publishes a working exploit or a malware author starts selling one on the underground markets. Should that happen, it will probably become very popular among less skilled cybercriminals and also a lucrative asset for its originator,” reads the post published by ESET.

“BlueKeep will also show if organizations around the world learned a lesson after the large 2017 outbreaks and improved their security posture and patching routines.”

It has been estimated that roughly one million devices are vulnerable to attacks exploiting the BlueKeep Windows vulnerability and hackers are ready to hit them.

Most of the vulnerable systems are in China, followed by the United States.

Microsoft has released patches for Windows 7, Server 2008, XP and Server 2003. Windows 7 and Server 2008 users can prevent unauthenticated attacks by enabling Network Level Authentication (NLA), and the threat can also be mitigated by blocking TCP port 3389.

Don’t waste time, patch your system!

Pierluigi Paganini

(SecurityAffairs – BlueKeep, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]