BlueKeep: Cutting through the Hype
by Simon Hall, Senior Security Engineer at Digital Shadows
Over the last week, we have all been tuning into our news feeds and listening to the security folks chatting about the next super vulnerability, CVE-2019-0708. There’s no shortage of coverage of the issue and its potential impact once a working proof of concept or full-blown exploit hits the shelves in a repository near you.
Amid all of this, I want to outline what it actually means for your organization, and what can you do to reduce the risk.
Let’s get to grips with the basics.
What is RDP?
RDP, or Remote Desktop Protocol, is a service which commonly runs on TCP port 3389 on Windows workstations and servers, and is used to administer them remotely. The service is prevalent within mid-sized and large networks, where an administrator (or user) needs to access multiple computers without having to keep jumping between desks and server rooms.
What is BlueKeep?
BlueKeep is the name given to the vulnerability, which was reported to Microsoft by the UK’s National Cyber Security Centre. Microsoft’s May cumulative update contains many security updates, including a critical update for a vulnerability in the RDP service, where a crafted series of requests to the service could be used to perform remote code execution or crash the service causing a denial of service.
The name BlueKeep was later given to the vulnerability which is technically referenced by the Common Vulnerabilities and Exposures ID (CVE-2019-0708).
The following is a list of the reportedly affected Microsoft Windows releases:
- Windows 7
- Windows Server 2008
- Windows XP
- Windows Server 2003
Keep in mind that Windows Server 2003 and Windows XP are both legacy and out of support, meaning that, in theory, they should never receive updates. However, as with the vulnerability exploited by ETERNALBLUE (CVE-2017-0144) back in 2017, they have both received updates addressing BlueKeep – indicating how seriously Microsoft is taking this issue.
As of yet, there are no publicly available working proofs of concept or full exploits for BlueKeep; however, one will almost certainly arrive soon. Just today, MalwareTech released a video claiming to have developed a working POC, although he has stated he will not release the code. Furthermore, multiple cybersecurity research outfits, such as Zerodium and Qihoo360, claim to have reversed the Microsoft patch and developed working exploits.
Why the WannaCry Comparison?
Almost 2 years ago, the WannaCry outbreak caused significant damage to organizations around the world, causing losses of up to £100,000,000 for the UK NHS alone.
Well, why the WannaCry comparison? The WannaCry malware was built around an exploit known commonly as ETERNALBLUE, an exploit that targeted several vulnerabilities in SMB servers, most notably CVE-2017-0143. Once a vulnerable service was identified, the malware would exploit the weakness to establish a foothold and then use that to relaunch itself to another target, moving through the network like a worm.
While EternalBlue exploited SMB services, BlueKeep is a vulnerability in RDP (Remote Desktop Protocol). The information disclosed so far indicates that once BlueKeep is exploited successfully it may either be used to:
- Cause a Denial of Service against the target, causing a Blue Screen of Death (BSoD)
- Allow remote code execution with system level privileges on the host.
Remote code execution would provide an attacker with full, unrestricted access to the target. With full access to the system, it’s anyone’s guess what an attacker might use it for. Ransomware and/or data collection are two possible options, and a large-scale ransomware campaign could be an effective money-maker.
WannaCry’s worm-like lateral movement meant that it would gain a foothold on one system and then look for other vulnerable targets on the network, and so on. A piece of malware able to exploit BlueKeep would easily be able to achieve similar results.
Publicly Exposed Services
WannaCry initially identified hosts running SMB services on the internet and then used this to burrow into the internal network, where it continued to spread and scan for other targets internally and externally. If there weren’t so many publicly exposed SMB services without any form of access controls in place, we may not have seen such a wide spread of the issue. The level of exposure for RDP is also unnervingly high, with in excess of 2.3 million RDP services identified on Shodan (see Figure 1). This is, of course, just an approximate figure and does not indicate how many may be vulnerable.
Figure 1 – Shodan – port:3389 “Remote Desktop Protocol”
7 Questions to Cut Through the Hype
There is always a lot of hype about certain vulnerabilities – especially the branded ones. Of course, fancy websites and logos do not mean that the research behind them is not fascinating; there certainly have been a few branded vulnerabilities that deserved the hype. The problem comes when people start to become numb to the announcements and, as a result, become less responsive.
I fully agree we should be cautious before getting our system and infrastructure administrators in from their holidays or out of their beds at 2am. We must be careful to look at all the elements and how they may affect our organization before blowing the horn three times.
When assessing the risk of any vulnerability, you need to think about:
- How could it impact your organization?
- Are there exploits available?
- Are there likely exploits in development or being sold?
- If an exploit appears on GitHub tomorrow, how could it be used to target you?
- Do you have services exposed to the internet that the vulnerability affects?
- Do you have access controls internally and even externally that may mitigate the risk?
- Do you have automatic updates in place, and confirmed to be deploying correctly recently?
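The questions above turn into a concrete triage once you have an asset inventory. The following is an added example, not Digital Shadows' code: it scores each host against the affected releases the post lists, whether TCP 3389 is listening, whether it is reachable from the internet, whether access controls sit in front of it, and whether the May update is confirmed deployed. The Host fields, the scoring weights and the sample inventory are assumptions constructed for the example.

```python
from dataclasses import dataclass

# Releases the post lists as reportedly affected by CVE-2019-0708 (BlueKeep).
AFFECTED_RELEASES = ("Windows 7", "Windows Server 2008", "Windows XP", "Windows Server 2003")

@dataclass
class Host:
    name: str
    os: str                  # product name as the inventory reports it, e.g. "Windows 7 SP1"
    rdp_listening: bool      # TCP 3389 open on the host
    internet_exposed: bool   # 3389 reachable from the internet (no VPN or gateway in front)
    access_controlled: bool  # firewall/ACL restricts which sources may reach 3389
    patched: bool            # May 2019 cumulative update confirmed as deployed

def is_affected_release(os_name: str) -> bool:
    # Prefix match so SP/R2 suffixes still count (assumes the product name comes first).
    return any(os_name.startswith(r) for r in AFFECTED_RELEASES)

def triage(host: Host) -> tuple[int, list[str]]:
    """Score a host from 0 (no BlueKeep exposure) to 5 (most urgent), with reasons."""
    if not is_affected_release(host.os):
        return 0, ["release not in the affected list"]
    if host.patched:
        return 0, ["affected release, but the update is confirmed installed"]
    if not host.rdp_listening:
        return 1, ["unpatched affected release; RDP not listening, patch on the normal cycle"]
    score, reasons = 2, ["unpatched affected release with RDP listening"]
    if host.internet_exposed:
        score += 2
        reasons.append("TCP 3389 reachable from the internet")
    if not host.access_controlled:
        score += 1
        reasons.append("no access control in front of RDP (worm-style lateral path)")
    return score, reasons

def prioritise(hosts: list[Host]) -> list[tuple[str, int]]:
    """Hosts ordered most urgent first, as (name, score); ties broken by name."""
    return sorted(((h.name, triage(h)[0]) for h in hosts), key=lambda t: (-t[1], t[0]))

# Constructed sample inventory (not real hosts), one per branch of triage().
SAMPLE = [
    Host("jump01", "Windows 7 SP1", True, True, False, False),
    Host("fs02", "Windows Server 2008 R2", True, False, True, True),
    Host("lab-xp", "Windows XP", True, False, True, False),
    Host("legacy03", "Windows Server 2003", False, False, False, False),
    Host("ws10", "Windows 10", True, True, False, False),
]
```

Feeding a real inventory through prioritise() gives the list to hand to the administrators first: internet-facing, unpatched, affected releases with no access control sit at the top.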
Continue reading to see how to Reduce Risks and Increase Attacker Costs.
Source: Digital Shadows