Almost a million systems are reportedly vulnerable to BlueKeep (CVE-2019-0708), a critical vulnerability in remote desktop services. Microsoft’s Patch Tuesday for May already rolled out patches for BlueKeep, and security advisories were released to help users address the vulnerability. Other vendors have also issued their own patches for mission-critical systems and servers (e.g., ATMs) that need to run constantly or cannot be rebooted.
The estimate was based on an internet scan of publicly accessible systems susceptible to BlueKeep. Errata Security’s Robert Graham used scanning tools to search for devices whose port 3389, which remote desktop protocol (RDP) uses by default, is exposed. After filtering the search results, Graham found around 950,000 internet-facing systems vulnerable to BlueKeep.
BlueKeep affects Windows Server 2008 and Windows 7, as well as end-of-support Windows Server 2003 and Windows XP.
BlueKeep made headlines given the significant security risk it poses. For one, exploiting BlueKeep does not require user interaction. BlueKeep is also “wormable,” which means threats exploiting this vulnerability can propagate much as the EternalBlue exploit did when attackers used it to infect systems with the notorious WannaCry and Petya/NotPetya.
For critical and high-profile vulnerabilities like BlueKeep, it is a race against time. While there have been no reports of active, in-the-wild attacks, it’s only a matter of time before attackers incorporate a BlueKeep exploit into their malware. In fact, Graham’s report came on the heels of recent news of anomalous activities that security researchers observed to be actively scanning the internet for Windows systems vulnerable to BlueKeep. Security researchers have already come up with proofs of concept and demonstrated working exploits, albeit partially.
Opportunistic attackers and cybercriminals often use an organization’s window of exposure to a vulnerability to compromise its network and the systems connected to it. Here are some best practices that can help users and enterprises reduce their exposure to threats that may exploit BlueKeep:
Patch and keep the system and its applications updated (or employ virtual patching to legacy or end-of-life systems).
Restrict or secure the use of remote desktop services. For example, blocking port 3389 (or disabling it when not in use) can help thwart threats from initiating connections to systems behind the firewall.
Enable network level authentication (NLA) to prevent unauthenticated attackers from exploiting BlueKeep. This can be configured in Windows 7 and Windows Server 2008 (including the R2 version).
Enforce the principle of least privilege. Employing security mechanisms like encryption, lockout policies, and other permission- or role-based access controls provides additional layers of security against attacks or threats that involve compromising remote desktops.
35296: RDP: Microsoft Remote Desktop Services Negotiation Request Without CredSSP
Trend Micro has developed some rules/filters based on our own analysis of a potential exploit for additional protection. Please note, however, that in the absence of a true, in-the-wild exploit, the effectiveness of a rule or filter of this nature may vary and should not be considered the sole source of protection. Customers are highly encouraged to apply the Microsoft patches where possible, and/or apply the other recommended mitigation strategies. Our security alert provides more information on how Trend Micro solutions protect against this vulnerability.
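The NLA mitigation listed earlier and the "Negotiation Request Without CredSSP" filter above both turn on the same field: the requestedProtocols value in the RDP Negotiation Request carried by the client's X.224 Connection Request. As an added example (not Trend Micro's filter logic and not code from this article), here is a Python parser for that PDU that reports whether a client asked for CredSSP; the sample PDUs and the "user" cookie are constructed for illustration.

```python
import struct

PROTOCOL_RDP = 0x00000000        # standard RDP security (no TLS, no CredSSP)
PROTOCOL_SSL = 0x00000001
PROTOCOL_HYBRID = 0x00000002     # CredSSP, which NLA requires
PROTOCOL_HYBRID_EX = 0x00000008  # CredSSP plus Early User Authorization Result PDU
TYPE_RDP_NEG_REQ = 0x01

def parse_x224_connection_request(pdu):
    """Parse a TPKT-framed X.224 Connection Request (MS-RDPBCGR 2.2.1.1) and
    return its cookie and RDP negotiation request, if present."""
    if len(pdu) < 11 or pdu[0] != 3 or struct.unpack(">H", pdu[2:4])[0] != len(pdu):
        raise ValueError("not a well-formed TPKT PDU")
    li, code = pdu[4], pdu[5]
    if (code & 0xF0) != 0xE0 or 5 + li > len(pdu):
        raise ValueError("not an X.224 Connection Request")
    body = pdu[11:5 + li]  # variable part after the six fixed X.224 header bytes
    cookie = None
    if body.startswith(b"Cookie: mstshash="):
        end = body.find(b"\r\n")
        if end < 0:
            raise ValueError("unterminated cookie")
        cookie = body[17:end].decode("ascii", "replace")
        body = body[end + 2:]
    info = {"cookie": cookie, "neg_req": False, "requested_protocols": PROTOCOL_RDP}
    if len(body) >= 8 and body[0] == TYPE_RDP_NEG_REQ:
        _flags, length, protocols = struct.unpack("<BHI", body[1:8])
        if length != 8:
            raise ValueError("bad RDP_NEG_REQ length")
        info.update(neg_req=True, requested_protocols=protocols)
    return info

def requests_credssp(pdu):
    """True if the client asks for CredSSP. A False result is the condition a
    'negotiation request without CredSSP' style filter alerts on."""
    protocols = parse_x224_connection_request(pdu)["requested_protocols"]
    return bool(protocols & (PROTOCOL_HYBRID | PROTOCOL_HYBRID_EX))

def build_connection_request(cookie=None, requested_protocols=None):
    """Build a constructed client PDU for testing (not captured traffic)."""
    var = b"Cookie: mstshash=" + cookie.encode() + b"\r\n" if cookie else b""
    if requested_protocols is not None:
        var += struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested_protocols)
    x224 = bytes([0xE0, 0, 0, 0, 0, 0]) + var
    return struct.pack(">BBH", 3, 0, 5 + len(x224)) + bytes([len(x224)]) + x224

# Constructed samples: legacy client (no negotiation), TLS-only, and NLA-capable
LEGACY = build_connection_request("user", None)
TLS_ONLY = build_connection_request("user", PROTOCOL_SSL)
NLA = build_connection_request("user", PROTOCOL_SSL | PROTOCOL_HYBRID)
```

A legacy client that sends no negotiation request at all falls back to standard RDP security and is reported the same way as a TLS-only request, since neither involves CredSSP.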
Updated as of August 15, 2019, 9 a.m. PDT to include additional information on how Trend Micro's solutions protect against the aforementioned vulnerability.