The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) is urging Windows users to update their machines as soon as possible after developing a working exploit for the BlueKeep vulnerability. CISA has joined Microsoft, the National Security Agency and others in alerting system administrators to the seriousness of the vulnerability, comparing it to the 2017 WannaCry attack.
What is BlueKeep?
BlueKeep (CVE-2019-0708) exists in the Remote Desktop Services component that implements the Remote Desktop Protocol (RDP) in the following Microsoft Windows operating systems (OSs), in both 32- and 64-bit versions and at all Service Pack levels:
- Windows 2000
- Windows Vista
- Windows XP
- Windows 7
- Windows Server 2003
- Windows Server 2003 R2
- Windows Server 2008
- Windows Server 2008 R2
Microsoft describes the vulnerability as follows:
“A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
To exploit this vulnerability, an attacker would need to send a specially crafted request to the target system’s Remote Desktop Service via RDP.”
Essentially, an attacker can exploit this vulnerability to take control of an affected system without any credentials or user interaction. BlueKeep is compared to the WannaCry malware attacks of 2017 because the vulnerability is considered “wormable”: malware that exploits it could spread rapidly from one unpatched, RDP-exposed machine to the next on its own.
What should I do about it?
Users should follow the mitigations that Microsoft and CISA recommend:
- Install available patches
- Upgrade end-of-life Operating Systems
- Disable unnecessary services
- Enable Network Level Authentication (NLA), so that a client must authenticate before a remote session is created
- Block Transmission Control Protocol (TCP) port 3389 at the enterprise perimeter firewall
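To verify these mitigations on a single host, here is an added PowerShell audit script (it is not from the original post, Microsoft or CISA). It reads the standard Terminal Server registry settings; the KB number is a placeholder that must be replaced with the patch identifier Microsoft’s CVE-2019-0708 advisory lists for the OS in question.

```powershell
# Added example (not from the original post, Microsoft or CISA): audit one Windows host for the
# BlueKeep mitigations listed above and optionally turn on Network Level Authentication.
# Run in an elevated PowerShell session. $BlueKeepKB is a placeholder; use the KB number that
# Microsoft's CVE-2019-0708 advisory lists for this OS.
param(
    [string]$BlueKeepKB = 'KB<placeholder>',
    [switch]$EnableNla
)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

function Get-RegValue([string]$Path, [string]$Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}
function New-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    [pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail }
}

$results = @()

# 1. Install available patches: is the BlueKeep fix present?
$hotfix = Get-HotFix -Id $BlueKeepKB -ErrorAction SilentlyContinue
$results += New-Check "Patch $BlueKeepKB installed" ([bool]$hotfix) $(if ($hotfix) { "installed $($hotfix.InstalledOn)" } else { 'not found' })

# 2. Upgrade end-of-life OSs: Windows 7 / Server 2008 R2 are NT 6.1; every older release is also affected.
$osName = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' 'ProductName'
$osVer  = [Environment]::OSVersion.Version
$results += New-Check 'OS outside BlueKeep-affected range' ($osVer -ge [Version]'6.2') "$osName ($osVer)"

# 3. Disable unnecessary services: fDenyTSConnections = 1 means Remote Desktop is turned off.
$deny = Get-RegValue $tsKey 'fDenyTSConnections'
$results += New-Check 'Remote Desktop disabled' ($deny -eq 1) "fDenyTSConnections=$deny"

# 4. Enable NLA: UserAuthentication = 1 requires CredSSP authentication before a session is created,
#    keeping unauthenticated clients away from the vulnerable pre-authentication code path.
$nla = Get-RegValue $rdpKey 'UserAuthentication'
if ($EnableNla -and $nla -ne 1) {
    Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1 -Type DWord
    $nla = Get-RegValue $rdpKey 'UserAuthentication'
}
$results += New-Check 'Network Level Authentication required' ($nla -eq 1) "UserAuthentication=$nla"

# 5. Block TCP 3389 at the perimeter: report the port RDP actually listens on so the firewall rule
#    matches it (the perimeter rule itself must be verified on the firewall, not on this host).
$port = Get-RegValue $rdpKey 'PortNumber'
$results += New-Check 'RDP listening on 3389 (matches perimeter block rule)' ($port -eq 3389) "PortNumber=$port"

$results | Format-Table -AutoSize
```

Run it without switches to audit, or with `-EnableNla` to set the UserAuthentication value when it is missing or zero; NLA only helps if every client that needs to connect supports CredSSP.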
We encourage our customers and any other Windows users to act immediately. Contact Integrated Axis Group, LLC, at (877) 220-1910 to implement the mitigations outlined by Microsoft and CISA.