BlueKeep Vulnerability Threat Is Real

In 2017 we said, "By now everyone knows about WannaCry and the problem with unpatched systems. But, what happens when the next Windows vulnerability is released, and no patch is issued on an end-of-life product?" That moment may be here.

LinkedIn: Andy Singer, VP of product marketing, enSilo

According to a security advisory published by Microsoft on May 14th, 2019, CVE-2019-0708 affects Remote Desktop Services (formerly Terminal Services). It is more likely to be exploitable on older versions of Windows (various 32-bit and x64 versions of Windows 7 and Windows Server 2008), is reachable over the RDP protocol without authentication or user interaction, and is rated from High to Critical severity (CVSS scoring). Microsoft issued updates for all affected systems, including Windows XP and Windows Server 2003, saying that this vulnerability “...could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017.”

Remote Desktop Services is a critical tool used by IT teams to interact with remote Windows workstations and servers, and restricting or disabling it is a security best practice. According to Microsoft, the vulnerability requires neither authentication nor user interaction to exploit, which makes a stealthy remote attack much easier to carry out successfully.

Similarities to the WannaCry Outbreak

This latest vulnerability and Microsoft’s rapid response are eerily similar to the events surrounding the outbreak of WannaCry. ICYMI, WannaCry devastated businesses around the world, causing billions of dollars in damage. enSilo protected against WannaCry out of the box. One of the primary reasons WannaCry spread so quickly was the gap between when exploits became available and the time it took to secure vulnerable Windows workstations and servers, either by restricting SMB-based communications or by installing patches.

enSilo issued the following warning in 2017 during the WannaCry outbreak:

“By now everyone knows about WannaCry and the problem with unpatched systems. But what happens when the next Windows vulnerability is released, and no patch is issued on an end-of-life product?” Well, that moment has partially arrived. The vulnerability is out there; however, the difference is that patches are available for affected supported and unsupported versions of Windows.

Patching Takes Time -- Giving Attackers the Advantage

There are many reasons why deploying patches successfully takes time: testing the patch in a lab to make sure it doesn’t break anything, scheduling installation so that it doesn’t disrupt operations, and so on. All of this takes time and resources. Hoping that attackers won’t notice your systems haven’t been patched is not a successful strategy. The lesson from WannaCry and other major malware outbreaks is that immediately implementing additional security controls to prevent and detect attacks is critical.

Unsupported Versions of Windows May Be Difficult to Patch

Despite the official end of support for Windows XP and Windows Server 2003, and the lasting effects of the WannaCry outbreak, there are likely still millions of active computers running those versions. They may sit in hard-to-reach places where a patch is difficult to install either automatically or manually, or they may simply have been forgotten and left running unattended. Either way, WannaCry proved how easy it is to discover these systems. The effort Microsoft expended crafting and publishing patches for unsupported versions of Windows shows how seriously it takes this possibility. Another moment may have arrived where those systems are once again both vulnerable and difficult to patch, and they may represent a severe risk.

Conclusion

enSilo recommends either restricting or disabling Remote Desktop Services until patching of all impacted systems is complete. Given that it is a valuable administrative tool and that patching takes time, this is easier said than done. Our Threat Intelligence team is monitoring for new exploits in the wild that target CVE-2019-0708 and researching possible attack methods.
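The two recommendations on this page, restricting or disabling Remote Desktop Services until patching is done and checking which hosts still run the affected Windows families, can be carried out from an elevated PowerShell session. The script below is an added example written for this article; it is not enSilo's or Microsoft's code. It assumes PowerShell 2.0 or later on Windows 7 / Windows Server 2008 (R2), where the built-in inbound firewall rule is named "Remote Desktop (TCP-In)"; the `10.0.0.0/24` admin subnet is a constructed placeholder, and the `Get-RdpExposure` / `Set-RdpExposure` function names are the example's own.

```powershell
# Added example (not enSilo's or Microsoft's code): audit one Windows host for the
# conditions the advisory describes (pre-Windows 8 build, RDP reachable) and, on
# request, disable or restrict Remote Desktop until the host is patched.
# Assumes an elevated PowerShell 2.0+ session on Windows 7 / Server 2008 (R2).

$TsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpKey = "$TsKey\WinStations\RDP-Tcp"

function Get-RdpExposure {
    # Read the registry values that govern RDP and report them as one object.
    $os      = Get-WmiObject -Class Win32_OperatingSystem
    $version = [version]$os.Version
    $deny    = (Get-ItemProperty -Path $TsKey  -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    $nla     = (Get-ItemProperty -Path $RdpKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    $port    = (Get-ItemProperty -Path $RdpKey -Name PortNumber         -ErrorAction SilentlyContinue).PortNumber
    if (-not $port) { $port = 3389 }   # default RDP port when the value is absent

    # Is anything actually listening on the RDP port right now?
    $listening = [bool](netstat -ano | Select-String -Pattern (":{0}\s+\S+\s+LISTENING" -f $port))

    New-Object PSObject -Property @{
        ComputerName   = $env:COMPUTERNAME
        OSVersion      = "$($os.Caption) ($($os.Version))"
        # XP 5.1, Server 2003 5.2, Vista/2008 6.0, 7/2008 R2 6.1: the families the advisory covers
        AffectedFamily = ($version -lt [version]'6.2')
        RdpEnabled     = ($deny -ne 1)
        NlaRequired    = ($nla -eq 1)    # NLA forces authentication before a session is set up
        RdpPort        = $port
        Listening      = $listening
    }
}

function Set-RdpExposure {
    # Mode 'Disable': stop accepting RDP entirely (registry flag + firewall rule group off).
    # Mode 'Restrict': keep RDP up but let only $AdminSubnet reach it at the host firewall.
    param(
        [ValidateSet('Disable', 'Restrict')][string]$Mode,
        [string]$AdminSubnet = '10.0.0.0/24'   # constructed placeholder; use your jump-host range
    )
    switch ($Mode) {
        'Disable' {
            Set-ItemProperty -Path $TsKey -Name fDenyTSConnections -Value 1 -Type DWord
            netsh advfirewall firewall set rule group="remote desktop" new enable=no | Out-Null
        }
        'Restrict' {
            netsh advfirewall firewall set rule name="Remote Desktop (TCP-In)" new "remoteip=$AdminSubnet" | Out-Null
        }
    }
    Get-RdpExposure   # return the post-change state so the caller can verify it
}

# Usage: run the audit; act only on hosts that are both affected and exposed.
$state = Get-RdpExposure
$state | Format-List
if ($state.AffectedFamily -and $state.RdpEnabled -and $state.Listening) {
    Write-Warning "RDP is reachable on an affected build; run Set-RdpExposure -Mode Restrict (or -Mode Disable) until patched."
}
```

Run the audit first and feed the output into your inventory; the hosts the page worries about most, forgotten XP and Server 2003 machines, will not run this script and must be found from the network side instead. Prefer `Restrict` over `Disable` where administrators still need RDP, and re-run `Get-RdpExposure` after patching to confirm the original state was restored deliberately rather than by a stray GPO refresh.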


Andy Singer is VP of product marketing at enSilo, an MSSP-friendly and channel-centric provider of real-time automated endpoint security and orchestrated incident response. Read more enSilo blogs here.