Hopefully for most of you this is old news, but I know how busy everyone gets, especially this time of year with the end of school coming upon us. So, in case you missed it, Microsoft RDP has been back in the news again as the source of yet another serious vulnerability, dubbed BlueKeep, that could cripple our networks.
Microsoft's advisory for CVE-2019-0708 (Remote Desktop Services Remote Code Execution Vulnerability) describes the issue this way:
“A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
To exploit this vulnerability, an attacker would need to send a specially crafted request to the target system's Remote Desktop Service via RDP.
The update addresses the vulnerability by correcting how Remote Desktop Services handles connection requests.”
Reaction to the BlueKeep vulnerability has been fairly “loud” and significant.
In addition to the normal CISA alerts, the NSA took the unusual step of issuing its own alert:
A number of security tool vendors have released scanners that check whether a given system is vulnerable to this specific exploit.
Microsoft released the required patches for all currently supported OSes, but also took the extraordinary step of releasing patches for discontinued and unsupported versions (Windows XP, Windows Server 2003, Windows Vista) that it knows are still running in certain environments. If needed (and why would you still need them?), the downloads for these unsupported OSes can be found here:
The message from all these folks is to patch your Windows systems now!
Several researchers have pointed out that exploiting this vulnerability does not require any particularly special skills or knowledge.
While you may feel fairly comfortable with your security posture as it relates to Internet attacks if you don't have RDP open through your firewall, you still might have a fairly high-risk exposure if you have a large population of unpatched systems on your internal network. A clever internal user (a middle school or high school student?) or a piece of malware that gained a foothold inside could use this exploit to race through your network and wreak havoc.
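The practical question behind that paragraph is "which of my internal Windows hosts still listen for RDP and have not received the fix?" The script below is an added example, not code from the original post or from Microsoft. It uses Invoke-Command (WinRM) to ask each host for its installed hotfixes and its RDP registry settings, then lists the hosts that accept RDP and have none of the expected updates. The host names are constructed, and the KB numbers in $RequiredKB are placeholders: fill them in from the Microsoft advisory for CVE-2019-0708, which publishes a separate update ID per OS version.

```powershell
# Added example (not from the original post): inventory Windows hosts for the
# CVE-2019-0708 fix and for RDP exposure. Requires WinRM to the target hosts.
param(
    [string[]]$ComputerName = @('WS-LAB-01', 'WS-LAB-02'),   # constructed sample names
    [string[]]$RequiredKB   = @('KB0000000', 'KB0000001'),   # placeholders: take the real IDs from Microsoft's advisory
    [pscredential]$Credential
)

# Runs on each remote host. Written for Windows PowerShell 2.0 compatibility
# (New-Object PSObject, Get-WmiObject) because older hosts are the ones at risk here.
$probe = {
    param([string[]]$KBs)
    $tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpTcp = Join-Path $tsKey 'WinStations\RDP-Tcp'

    # A host counts as patched if at least one of the listed KBs is present,
    # since each OS version gets its own update for the same CVE.
    $installed = Get-HotFix | Where-Object { $KBs -contains $_.HotFixID } |
                 ForEach-Object { $_.HotFixID }

    # fDenyTSConnections = 0 means the RDP listener is enabled.
    $deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    # UserAuthentication = 1 means Network Level Authentication is required before a session is created.
    $nla  = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication

    New-Object PSObject -Property @{
        ComputerName = $env:COMPUTERNAME
        OS           = (Get-WmiObject Win32_OperatingSystem).Caption
        Patched      = [bool]$installed
        PatchFound   = ($installed -join ',')
        RdpEnabled   = ($deny -eq 0)
        NlaRequired  = ($nla -eq 1)
    }
}

$results = foreach ($computer in $ComputerName) {
    try {
        $params = @{
            ComputerName = $computer
            ScriptBlock  = $probe
            ArgumentList = (,$RequiredKB)   # unary comma keeps the array as one argument
            ErrorAction  = 'Stop'
        }
        if ($Credential) { $params.Credential = $Credential }
        Invoke-Command @params |
            Select-Object ComputerName, OS, Patched, PatchFound, RdpEnabled, NlaRequired
    } catch {
        # Unreachable hosts are worth listing too: they are often the unmanaged ones.
        New-Object PSObject -Property @{
            ComputerName = $computer; OS = 'unreachable'; Patched = $false
            PatchFound = ''; RdpEnabled = $null; NlaRequired = $null
        }
    }
}

# Work list: no matching hotfix and RDP enabled or unknown.
$results |
    Where-Object { -not $_.Patched -and $_.RdpEnabled -ne $false } |
    Sort-Object ComputerName |
    Format-Table ComputerName, OS, RdpEnabled, NlaRequired, PatchFound -AutoSize
```

Two caveats when reading the output. Get-HotFix reads Win32_QuickFixEngineering, which does not list every update type, so cross-check any host it reports as unpatched with one of the vendor scanners mentioned above rather than treating a missing entry as proof. And the NlaRequired column is only context: Microsoft's advisory lists requiring NLA as a partial mitigation because it forces authentication before the vulnerable code path is reached, but it is not a substitute for the patch.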
So, if you have not already patched all your Windows systems for this vulnerability, please stop reading this tech tidbit, proceed to the following advisory information:
and patch all your vulnerable Windows systems now.