• ‘Wormable’ Microsoft vulnerability: BlueKeep

    Posted on June 14, 2019 by in News, Security
    Photo from Techapeek.com

    Blog by Linda Lingle, CISSP, PMP

    CSB Technology Partners Security Analyst

    BlueKeep

    Have RDP open to the outside?  You may want to close that. 

    Last month’s Microsoft Patch Tuesday was more critical than most.  All Microsoft Patch Tuesday’s are important, but this one is worth getting out of your chair and doing the patch…now.

    Important enough that Microsoft is putting out patches for old operating systems no longer under support like Server 2003, XP and Vista.  https://support.microsoft.com/en-us/help/4500705/customer-guidance-for-cve-2019-0708

    What is RDP?

    Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft, which provides a user with a graphical interface to connect to another computer over a network connection. The user employs RDP client software for this purpose, while the other computer must run RDP server software.he machine that exceeds administrative level control.

    Why is BlueKeep a Big Deal?

    RDP is vulnerable to remote code execution that is pre-authentication and requires no user interaction.  Which means it’s “wormable” – easily spread from one machine to another (remember WannaCry? Yeah, just like that.) According to CVE-2019-0708, “an attacker who successfully exploited this vulnerability could execute arbitrary code on the target system.  An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”  Absolutely scary stuff.   The CVE acknowledges the UK National Cyber Security Centre (NCSC) part of the UK Government Communications Headquarters (GCHQ). 

    Even the “Beers with Talos” podcast went into detail: “When Microsoft issues a vulnerability provided by a national government security organization like the NSA or GCHQ – PATCH, like RIGHT NOW – PATCH.” https://blog.talosintelligence.com/2019/05/beers-with-talos-ep-54-patch-after.html 

    Steps You Should Take:

    According to the CVE, Microsoft suggested enabling Network Level Authentication (NLA) on Windows 7, Server 2008 and 2008R2.   Enabling NLA will block unauthenticated attackers from exploiting this vulnerability.  However, these operating systems are under support and should be patched immediately.

    Block TCP port 3389 at the perimeter Firewall.  Email us at mailto:support@csbtech.net if you want help with this!

    Cisco Talos has added rules to prevent the exploitation of this CVE to Snort and Firepower.  https://blog.talosintelligence.com/2019/05/firepower-encrypted-rdp-detection.html

    Microsoft June Patch Tuesday

    While you are testing Microsoft’s May’s patches, go ahead and get June’s patches as well.  There were 19 critical vulnerabilities, 8 of which seem to be memory vulnerabilities in Edge. 

    One is for Hyper-V: a remote code execution vulnerability that would let someone execute arbitrary code on a guest operating system.  Another is a remote code execution vulnerability for ActiveX data objects handling in memory. 

    Related Links:

    https://blogs.technet.microsoft.com/msrc/2019/05/14/prevent-a-worm-by-updating-remote-desktop-services-cve-2019-0708/

    https://blog.talosintelligence.com/2019/05/MS-Patch-Tuesday-May-2019.html

    https://krebsonsecurity.com/2019/05/microsoft-patches-wormable-flaw-in-windows-xp-7-and-windows-2003/

    https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708