Two months ago, Microsoft did something unusual and released security patches for operating systems it no longer supports. This action is rare for Microsoft, so alarm bells go off for security experts when it happens.

The reason for the alarm is vulnerability CVE-2019-0708, nicknamed, “BlueKeep.”

• It’s a remote code execution vulnerability that exists within Remote Desktop Services.
• It’s “wormable.” One infected computer could infect other vulnerable devices without any human interaction.
• Severity scoring is 9.8 out of 10 by Common Vulnerability Scoring System (CVSS).
• BlueKeep involves more systems than the WannaCry ransomware exploit in 2017. (WannaCry did billions of dollars in damage.)

It’s in 32- and 64-bit versions of these Microsoft Windows Operating Systems (all Service Pack versions):

• Windows 2000
• Windows Vista
• Windows XP
• Windows 7
• Windows Server 2003
• Windows Server 2003 R2
• Windows Server 2008
• Windows Server 2008 R2

Security patches will stop the exploit and should be applied immediately!

Since May, Microsoft, security experts, and government agencies across the globe have released urgent warnings and reminders about patching this vulnerability.

Data suggests that there are still at least a million unpatched and vulnerable computers out there connected to the internet. This number doesn’t account for the additional systems within organizations.

If you’re unable to patch immediately, we’re recommending these additional measures.

If you still need to use Remote Desktop Protocol (RDP):

• Enable Network Level Authentication. This security feature creates a credentials requirement.
• RDP is typically open over the internet. Consider using RDP over a VPN to protect it.

If you don’t need RDP or you’re not using it:

• Set up a firewall rule to block TCP port 3389. This change prevents RDP from establishing a connection.
• Disable RDP.

If you have any questions about this vulnerability and your specific services here at Vivio, please let us know!

Resources:

A Reminder to Update Your Systems to Prevent a Worm. (2019, May 30). Retrieved from https://blogs.technet.microsoft.com/msrc/2019/05/30/a-reminder-to-update-your-systems-to-prevent-a-worm/

Bradbury, Danny. (2019, May 30). A million devices still vulnerable to ‘wormable’ RDP hole. Retrieved from https://nakedsecurity.sophos.com/2019/05/30/a-million-devices-are-vulnerable-to-bluekeep/

Brandt, Andrew. (2019, July 1). BlueKeep PoC demonstrates risk of Remote Desktop exploit. Retrieved from https://news.sophos.com/en-us/2019/07/01/bluekeep-poc-demonstrates-risk-of-remote-desktop-exploit/

Carroll, E., Mundo, A., Laulheret, P., Beek, C. & Povolny, S. (2019, May 21). RDP Stands for “Really DO Patch!” – Understanding the Wormable RDP Vulnerability CVE-2019-0708. Retrieved from https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/rdp-stands-for-really-do-patch-understanding-the-wormable-rdp-vulnerability-cve-2019-0708/

CVE-2019-0708 Remote Desktop Services Remote Code Execution Vulnerability. (2019, May 14). Retrieved from https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708

Dunn, John E. (2019, June 10). The GoldBrute botnet is trying to crack open 1.5 million RDP servers. Retrieved from https://nakedsecurity.sophos.com/2019/06/10/the-goldbrute-botnet-is-trying-to-crack-open-1-5-million-rdp-servers/

Microsoft Operating Systems BlueKeep Vulnerability. (2019, June 17). Retrieved from https://www.us-cert.gov/ncas/alerts/AA19-168A

NSA Cybersecurity Advisory: Patch Remote Desktop Services on Legacy Version of Windows. (2019, June 4). Retrieved from https://www.nsa.gov/News-Features/News-Stories/Article-View/Article/1865726/nsa-cybersecurity-advisory-patch-remote-desktop-services-on-legacy-versions-of/

Stockley, Mark. (2019, July 1). RDP BlueKeep exploit shows why you really, really need to patch. Retrieved from https://nakedsecurity.sophos.com/2019/07/01/rdp-bluekeep-exploit-shows-why-you-really-really-need-to-patch/

Welcome to Remote Desktop Services. (2017, February 21). Retrieved from https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/welcome-to-rds