Understanding the Wormable RDP Vulnerability


Nicknamed BlueKeep, a critical remote code execution vulnerability affects some old versions of Windows.

On 14 May 2019, Microsoft released fixes for a critical Remote Code Execution vulnerability called CVE-2019-0708 (already nicknamed "BlueKeep"). The vulnerability concerns Remote Desktop Services (previously called Terminal Services) and affects certain older versions of Windows.

CVE-2019-0708 could allow an attacker to execute code remotely on a vulnerable machine that is running Remote Desktop Protocol (RDP). Because the vulnerability is wormable, it could spread extremely rapidly and compromise millions of systems around the world in a very short span of time.

It seems that developing a reliable exploit for this vulnerability is not a simple endeavor; so far there is no publicly available exploit code. But development is active, and we are not far off from one appearing in the wild for attackers to leverage.

This RDP vulnerability (BlueKeep) should be taken more seriously than your average security hole. Microsoft's actions indicate the severity of the threat: it has taken the extra step of not only issuing fixes for the currently supported versions of its operating system (Windows 7, Windows Server 2008 R2, Windows Server), but also extending coverage to Windows XP, Windows Vista and Windows Server 2003. Systems that run Windows 8 and 10 are not affected by CVE-2019-0708.

The scary thing is that this vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited it could execute arbitrary code on the target system, and could then install programs; view, change, or delete data; or create new accounts with full user rights.

While this vulnerability seems to target only retired systems, the fact is that there are still tens of millions of legacy machines running Windows XP and Windows Server 2003, many of which are also internet-facing. For example, Windows XP, released in 2001, still has a 3.57% market share. So even though this vulnerability targets, among others, an operating system that is 18 years old, it poses a tremendous risk not only to the various entities still using these platforms but to the public as a whole, because of its potential for wormability and the fact that many of these devices may still sit in critical locations.

What You Should Do About BlueKeep

  1. Focus on patching externally facing RDP servers first, then move on to critical servers such as domain controllers and management servers. Finally, patch non-critical servers that have RDP enabled, along with the rest of the desktop estate. You can find more information on applying the patch on Microsoft's support pages.
  2. Enable Network Level Authentication. Network Level Authentication (NLA) can be used to partially mitigate this vulnerability. Enabling NLA forces an attacker to have valid credentials before reaching the vulnerable code, so unauthenticated remote code execution is no longer possible.
  3. Block TCP port 3389 at the enterprise perimeter firewall. TCP port 3389 is used to initiate a connection with the affected system. Blocking this port with a firewall, preferably at the network perimeter, helps protect systems that are inside the secured network.
  4. Disable Remote Desktop Services if they are not required. If you do not need these services in your environment, consider disabling them. Disabling unused and unneeded services reduces your exposure to security vulnerabilities and is a security best practice.
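The following PowerShell script is an added example, not code from the original post or from Microsoft, that audits and applies the four mitigations above on a single host. It reads the standard Terminal Server registry values, uses `Get-HotFix` to check for an update, and uses `netsh advfirewall` (available on Windows Vista / Server 2008 and later) to scope the built-in Remote Desktop firewall rules. The KB identifier and the management subnet are assumptions supplied as parameters: take the KB number for each OS from Microsoft's advisory, and replace the subnet with your own. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original post): audit and harden one Windows host
# against CVE-2019-0708 using the mitigations listed in the post.
param(
    [string]$PatchKB          = 'KB0000000',  # placeholder: the KB id from Microsoft's advisory for this OS
    [string]$AllowedRdpSource = '10.0.0.0/8', # assumption: your management network; RDP from elsewhere is dropped
    [switch]$DisableRdp                       # set when the host does not need Remote Desktop at all
)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$tsKey\WinStations\RDP-Tcp"

# Step 1: is the update installed? Get-HotFix lists installed updates by KB id.
$patched = [bool](Get-HotFix -Id $PatchKB -ErrorAction SilentlyContinue)

# Step 2 (audit): fDenyTSConnections = 0 means RDP is enabled;
# UserAuthentication = 1 on the RDP-Tcp listener means NLA is required.
$rdpEnabled  = (Get-ItemProperty -Path $tsKey).fDenyTSConnections -eq 0
$nlaRequired = (Get-ItemProperty -Path $rdpTcp).UserAuthentication -eq 1

$os = (Get-WmiObject Win32_OperatingSystem).Caption
Write-Output "Host: $env:COMPUTERNAME  OS: $os"
Write-Output "Patch $PatchKB installed : $patched"
Write-Output "RDP enabled              : $rdpEnabled"
Write-Output "NLA required             : $nlaRequired"

if ($DisableRdp) {
    # Step 4: disable Remote Desktop Services entirely: refuse connections and stop the service.
    Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1
    Stop-Service -Name TermService -Force
    Set-Service  -Name TermService -StartupType Disabled
    Write-Output 'Remote Desktop Services disabled.'
}
elseif ($rdpEnabled) {
    # Step 2: enforce NLA so an unauthenticated client never reaches the vulnerable code path.
    if (-not $nlaRequired) {
        Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1
        Write-Output 'NLA enforced on the RDP-Tcp listener.'
    }

    # Step 3, host-level fallback for the perimeter block: restrict the built-in
    # "Remote Desktop" inbound rules to the management network. With the Windows
    # Firewall profile on and its default inbound action set to block, every other
    # source is dropped. (Explicit block rules beat allow rules in Windows Firewall,
    # so scoping the allow rule is preferable to adding a competing block rule.)
    netsh advfirewall firewall set rule group="remote desktop" new remoteip=$AllowedRdpSource | Out-Null
    Write-Output "Inbound TCP 3389 restricted to $AllowedRdpSource."
}

if (-not $patched) {
    Write-Warning "Update $PatchKB not found. NLA and firewall scoping reduce exposure, but the host still needs the patch."
}
```

The script prints the audit result before changing anything, so it can also be run read-only by omitting `-DisableRdp` on an already-hardened host. Windows XP and Server 2003 ship with the older `netsh firewall` syntax and lack `Get-HotFix` in a usable form, so for those systems treat the output as guidance and apply the update and firewall change by hand.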

Microsoft's support site provides additional guidance and links to the security updates.

To be on the safe side, we urge administrators to fix the flaw company-wide as soon as possible. If you have any questions, please reach out to our support team.

NSA Advisory
