BlueKeep, the Microsoft RDP vulnerability – What we know so far

Jul 23, 2019 • Ioana Rijnetu

Categories:

BlueKeep is a critical security flaw found in Microsoft Remote Desktop Services that was making the headlines for the past two months. In this article, we explore the key facts about this vulnerability.

The first thing to know about BlueKeep is that it “is wormable and any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer”, said the Microsoft Security Response Center. This means that it could easily cause widespread infection with no user interaction required.

As a consequence, BlueKeep has the potential to pose a threat similar to the WannaCry ransomware, one of the biggest cyberattacks to date, which spread rapidly and infected more than 300.000 computers worldwide.

Here’s what you’ll find in the article:

Key facts: Here’s what happened

To better understand the evolution of this vulnerability and its real impact, we’ve put together all the essential and relevant facts (and data) we know about BlueKeep.

First days of May- The vulnerability was initially reported by the UK’s National Cyber Security Centre (NCSC) to Microsoft.

May 14, 2019- Shortly after this, Microsoft disclosed it (by crediting the National Cyber Security Centre) and released an emergency parch for BlueKeep, the critical Remote Code Execution vulnerability, which was officially known as CVE- 2019-0708

May 17, 2019 - A few days later, in a weekly threat report, UK’s National Cyber Security Centre urged both organizations and individuals to apply Microsoft’s security patches immediately and prevent from being compromised.

May 23, 2019 - Two security researchers have released an unauthenticated scanner Proof-of-Concept for BlueKeep that can detect if a host is vulnerable to the Microsoft Windows Remote Desktop Service vulnerability. For more in-depth technical details and how to avoid DoS (Denial-of-Services) attack, you can read the full article.

May 28, 2019 - Security researchers from Eratta Security used an internal scanning tool, which looks for port 3389, the one used by RDP for remote access. They discovered that there are around 950,000 vulnerable machines on the Internet vulnerable to this bug.

According to the Internet Storm Center(ISC), a program held by The Sans Institute and responsible for monitoring the level of malicious activity on the internet, it was not observed a big increase in port 3389/TCP scanning. However, ISC pointed out: “This port is scanned rather heavily even without a new vulnerability drawing attention to it”.

Attack activity for Port 3389

Using an online port scanner tool helps you easily discover which network services are exposed to the Internet and get an overview of the network attack surface that includes open TCP ports and services.

May 30, 2019 - Two weeks later, after Microsoft initially issued the security fix for Bluekeep, the company came back and stressed the importance of installing the latest updates for the affected systems.

June 4, 2019 - Another advisory came from the National Security Agency which strongly recommended Microsoft Windows administrators and home users to apply and use the latest software patches available to avoid becoming easy targets.

On the same day, the CERT Coordination Center ar Carnegie Mellon University reported another related Microsoft Windows RDP security vulnerability (known as CVE-2019-9510) which can allow an attacker to remotely bypass the Windows lock screen. More (technical) details can be found here.

June 17, 2019 - This advisory was followed by security specialists from the Cybersecurity and Infrastructure Security Agency institution (CISA) which issued an Activity alert for Windows users and administrators to patch the critical security flaws and follow “the appropriate mitigation measures as soon as possible”. Homeland Security’s cyber agency said that it has tested a working BlueKeep remote code execution exploit and concluded that Windows 2000 machines are also vulnerable to this flaw.

July 1, 2019 - Security researchers from Sophos have developed a Proof-of-Concept exploit (not available to the public) in which they show a demo video on how malicious actors can exploit the BlueKeep vulnerability against RDP servers and why it is a serious threat, urging individuals and organizations to patch their systems ASAP.

July 23, 2019 - A US-based company, Immunity Inc., has released a working BlueKeep exploit called CANVAS 7.23 which is a new module part of their penetration testing toolkit. You can see the video demonstration here.

Technical details about BlueKeep

The root cause of BlueKeep seems to be a Use After Free(UAF) condition which exists within the termdd.sys RDP kernel driver, and can be exploited remotely by an unauthenticated attacker.

The attacker can perform this by trying an RDP connection to the target server, opening the “MS-T120” virtual channel in order to send crafted data to it.

The code hasn’t been released publicly, but this recent technical writeup describes how to exploit the BlueKeep vulnerability. You can also find here a track of the BlueKeep scanners and exploits found so far.

At the 2019 Security Development Conference held in China, a security researcher showed a presentation on how to exploit BlueKeep.

Here’s another demo video below showing how the vulnerability can be exploited in order to obtain a system shell on the vulnerable machine with NT AUTHORITY\SYSTEM privileges.

This remains to be used only for testing and educational purposes and not against targets, but it proves that with little effort and some technical skills, the vulnerable machines can be exploited if they don’t have the latest patches applied.

For those who want to dive deeper into more technical details, we also recommend checking out this analysis from MalwareTech.

While there’s no evidence of public exploit to emerge, other security professionals have also been working on developing their own PoC exploits: here and here for the BlueKeep vulnerability, to raise awareness and help both organizations and regular users to bolster their defenses.

Regarding the affected Windows machines, the list includes older versions of Microsoft system, such as:

• Windows 2003

• Windows XP

• Windows 7

• Windows Server 2008

• Windows Server 2008 R2

Security updates for these platforms that are no longer supported by Microsoft can be found here and we recommend applying them promptly.

Computers running Windows 8 and Windows 10 are not affected by this vulnerability, as well as the newest versions of Windows.

Security measures to apply for protecting your data

Here’s what we recommend organizations and users to avoid being exposed to the BlueKeep vulnerability:

  1. Install the latest security updates regularly that will help minimize the chances for hackers to discover vulnerabilities in your systems and exploit them to compromise sensitive data. Patches are available for download here.
  2. Restrict (as much as possible) access or disable (if not used) Remote Desktop Services to reduce exposure to this security flaw.
  3. Create and use firewalls to restrict Remote Desktop access so that only a specific IP address can have access to a particular device. Instead, try an RDP gateway, which offers additional layers of protection.
  4. Enable Network Level Authentication which offers extra authentication measures and enhance security so attackers don’t log in easily.

Final thoughts

Probably one of the key lessons that we should learn from the BlueKeep vulnerability is the importance of installing security patches and updating computer systems regularly.

There are some concerns amongst security professionals who believe a ransomware outbreak similar to WannaCry could be imminent in the upcoming weeks or months. That’s why they strongly advise and remind both companies and home users to keep updating their Windows systems in a timely manner.

While more than two months have passed since the wormable Windows Remote Desktop flaw has been unveiled, there are still approximately 805,665 systems unpatched and vulnerable to BlueKeep, according to the research team from Bitsight.

Let’s keep in mind that security should be on everyone’s agenda and a top priority to better securing all our digital assets.