You may remember the Spectre/Meltdown event that shook the security world in the beginning of 2018. Today, we need to inform you about the remote code execution vulnerability CVE-2019-0708, also known as BlueKeep. To exploit this vulnerability, an attacker would need to send a specifically crafted request to the target system’s Remote Desktop Service via RDP.
You might have seen the term “wormable” popping up on the Internet in relation to this vulnerability. What that means is that a malicious actor could release a malware that could potentially exploit the vulnerability and spread itself from computer to computer using the Internet without the need of user interaction, which is how the WannaCry malware spread from system to system.
On May 14th, Microsoft released a patch against this vulnerability for Windows 7, Windows Server 2008, and Windows Server 2008 R2. Microsoft also took a rare action of releasing patches for Windows XP and Windows 2003 as well. However, these patches were not released though their regular Patch Tuesday method. Instead, if you’re still running either of these OSes, you can download the fixes from the Customer Guidance page.
On their security blog, Microsoft warned users to download and apply the patch ASAP, since it is highly likely bad actors will exploit this vulnerability, even though there are no reported cases of such events yet. On May 30th, Microsoft published a follow-up blog post as reminder to the users who hadn’t applied the patches yet. In this post, Microsoft confirmed that there are nearly one million computers connected directly to the Internet that are still vulnerable. Here are the highlights of Microsoft’s follow-up blog post on the issue:
“Microsoft is confident that an exploit exists for this vulnerability, and if recent reports are accurate, nearly one million computers connected directly to the Internet are still vulnerable to CVE-2019-0708. Many more within corporate networks may also be vulnerable. It only takes one vulnerable computer connected to the Internet to provide a potential gateway into these corporate networks, where advanced malware could spread, infecting computers across the enterprise. This scenario could be even worse for those who have not kept their internal systems updated with the latest fixes, as any future malware may also attempt further exploitation of vulnerabilities that have already been fixed.”
Be Sure to Follow All Security Measures
Microsoft urges their customers on the old systems to apply the patches and take the precautionary measures as recommended by the security experts. The NSA also issued a cyber security advisory on June 4th in order to urge users to apply the patches provided by Microsoft to vulnerable PCs. NSA also recommends the following additional measures:
- Block TCP Port 3389 at your firewalls, especially any perimeter firewalls exposed to the Internet. This port is used in RDP protocol and will block attempts to establish a connection.
- Enable Network Level Authentication. This security improvement requires attackers to have valid credentials to perform remote code authentication.
- Disable Remote Desktop Services if they are not required. Disabling unused and unneeded services helps reduce exposure to security vulnerabilities overall and is a best practice even without the BlueKeep (CVE-2019-0708) threat.
An Ideal Time to Upgrade
The good news is that if you are already on Windows 10 or Windows 8, you are not affected by the vulnerability since Microsoft has heavily invested in improving the security of modern systems through major architectural updates. This security issue is another reason to make the move to a modern PC with a modern OS.
If you have any questions about the implications of this issue for your environment, reach out to our experts. And we’ll be sure to keep you updated as the story of this vulnerability develops.