A security vulnerability discovered in Microsoft’s Remote Desktop Protocol (RDP), known as BlueKeep, allows for the possibility of remote code execution. The NSA urged users to update their systems to prevent a repeat of attacks like the 2017 ransomware outbreaks.
- A wormable remote code execution vulnerability, tracked as CVE-2019-0708 and first found in the wild on May 14, 2019. Microsoft warned that the vulnerability is extremely dangerous because it can be weaponized into a self-spreading exploit; the same type of exploit was linked to WannaCry, NotPetya, and Bad Rabbit.
- BlueKeep is a dangerous vulnerability because it can be executed by bad actors remotely. It is in Remote Desktop Services on older Windows legacy builds such as Windows 7, Windows XP, and Server 2003 and 2008.
- Microsoft said only Windows 8 and Windows 10 are not vulnerable to the bug. But the bug is so dangerous that Microsoft took the rare step of issuing patches for its long-outdated and unsupported operating systems, including Windows XP.
- Virtual channels, used primarily by the RDP protocol, are pre-configured between client and server for supplying
- A second warning was issued two weeks after the fixes were released, after it was determined that system administrators were lagging behind in their patching process.
Conclusion and Recommendation
- The patches released on May 14, 2019 force the aforementioned MS_T120 virtual channel to be bound only at index 31.
- Apply the monthly rollup or the security-only patch.
- Perimeter defense: block TCP port 3389 at your firewalls, especially any public-facing firewalls exposed to the internet. This port is used by the RDP protocol, and blocking it stops attempts to establish a connection.
- Enable Network Level Authentication. This security improvement requires attackers to have valid credentials before they can attempt remote code execution.
- Disable Remote Desktop Services if they are not required. Disabling unused and unneeded services helps reduce exposure to security vulnerabilities overall and is a best practice even without the BlueKeep threat.
- Several security firms and anti-malware vendors have claimed to have developed working proof-of-concept code that can at the very least create a denial-of-service condition, such as shutting down a computer. But fear remains that hackers are close to creating code that could trigger another major ransomware attack.
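The recommendations above, as an added audit-and-harden script (example code written for this note, not from Microsoft or the NSA advisory). It assumes an elevated PowerShell on the host being checked; the $KbIds list is a placeholder the administrator fills with the KB numbers of the May 2019 update for that OS build, and the -Enforce / -DisableRds switches and the firewall rule name are this example's own choices.

```powershell
# Report the state of each BlueKeep mitigation; -Enforce applies NLA and the 3389 block,
# -DisableRds additionally turns Remote Desktop Services off (only where RDP is not needed).
param([switch]$Enforce, [switch]$DisableRds)

$KbIds  = @('KB-PLACEHOLDER')   # placeholder: replace with the patch IDs for this OS build
$TsRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpTcp = Join-Path $TsRoot 'WinStations\RDP-Tcp'

# 1. Patch status: Get-HotFix lists installed updates by KB id
$patched = $false
foreach ($kb in $KbIds) {
    if (Get-HotFix -Id $kb -ErrorAction SilentlyContinue) { $patched = $true }
}
"CVE-2019-0708 patch installed     : $patched"

# 2. Network Level Authentication: UserAuthentication=1 makes the client authenticate
#    before a session is set up. (Not available on Windows XP / Server 2003.)
$nla = (Get-ItemProperty -Path $RdpTcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
"NLA enabled                       : $($nla -eq 1)"
if ($Enforce -and $nla -ne 1) {
    Set-ItemProperty -Path $RdpTcp -Name UserAuthentication -Value 1 -Type DWord
}

# 3. Remote Desktop Services: fDenyTSConnections=1 refuses RDP; a disabled TermService
#    removes the listener entirely. WMI is used so this also works on old PowerShell versions.
$deny = (Get-ItemProperty -Path $TsRoot -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
$svc  = Get-WmiObject -Class Win32_Service -Filter "Name='TermService'"
"RDP connections denied            : $($deny -eq 1)"
"TermService state / start mode    : $($svc.State) / $($svc.StartMode)"
if ($DisableRds) {
    Set-ItemProperty -Path $TsRoot -Name fDenyTSConnections -Value 1 -Type DWord
    Stop-Service -Name TermService -Force
    Set-Service -Name TermService -StartupType Disabled
}

# 4. Host firewall: block inbound TCP 3389. netsh is used because the NetSecurity
#    cmdlets (New-NetFirewallRule) do not exist on Windows 7 / Server 2008.
$ruleName = 'Block inbound RDP TCP 3389 (BlueKeep mitigation)'
netsh advfirewall firewall show rule name="$ruleName" | Out-Null
$blocked = ($LASTEXITCODE -eq 0)   # netsh returns non-zero when no rule matches
"Inbound 3389 block rule present   : $blocked"
if ($Enforce -and -not $blocked) {
    netsh advfirewall firewall add rule name="$ruleName" dir=in action=block protocol=TCP localport=3389 | Out-Null
}
```

Run it without switches first to get a plain report; the perimeter firewall rule on internet-facing devices still has to be applied separately on those devices.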