Note: This blog has been updated on May 17, 2019.
On May 14, Microsoft published a remote code execution vulnerability dubbed BlueKeep affecting Windows Remote Desktop Service (CVE-2019-0708). The vulnerability is rated critical by CVSS and does not require user interaction, meaning a user with a vulnerable Windows server exposed to the internet is vulnerable to direct attack.
BlueKeep affects Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows XP and Windows Server 2003; newer Windows versions are not affected.
Windows 7 and Windows 2008 R2 are still widely used, especially within operational technology (OT) environments — critical infrastructure entities and manufacturers should particularly heed warnings about this vulnerability’s risk.
BlueKeep could allow an unauthenticated remote attacker to connect to a Windows server via remote desktop protocol (RDP) and execute arbitrary code on the remote server — without any user interaction.
The vulnerability is also “wormable” in that its exploit could be used for initial access to the organizational network as well as lateral movement to spread quickly within networks.
Has BlueKeep Been Exploited?
Since the original publication of this post on May 16, 2019, multiple proof-of-concept exploits have been published. There’s even a Twitter bot tracking them, though neither distributed nor targeted attacks leveraging BlueKeep have been reported — yet.
With the POCs available, commercially viable exploits can’t be far behind. That being the case, widespread attacks are both likely and imminent.
Due to its similarity to the vulnerabilities used in the WannaCry ransomware attack, organizations should be very concerned about BlueKeep. Its wormable component was likely what spurred Microsoft to release patches for out-of-support versions; the last time they did that, it was for the server message block (SMB) vulnerabilities used in WannaCry. (The global ransomware outbreak just turned two on May 12 — for organizations that didn’t learn their lessons the first time, BlueKeep may soon give them a not-so-gentle reminder of the need for good cyber hygiene.)
How Skybox Can Help
Passive Vulnerability Assessment
Skybox can help by identifying platforms that have the BlueKeep vulnerability through their Microsoft System Center Configuration Manager (SCCM) patch management system (or an equivalent patch management system) even without a recent vulnerability scan.
Exposure Analysis of Vulnerability Scan Results
For BlueKeep occurrences discovered by third-party scanners, Skybox can bring valuable network context to prioritize the remediation of exposed vulnerabilities.
Our attack simulations analyze network paths to highlight vulnerable assets exposed to potential threat origins, including the internet. The exposure factor is considered alongside the relative importance of the vulnerable asset (or the system to which it belongs) to make remediation priorities straightforward and focused on fast risk reduction.
While remediation of vulnerable assets directly exposed to threat origins receives the highest priority, Skybox also calculates the potential for compromise through lateral network movement, as in multi-stage attacks. Indirect exposures are also reflected in remediation priorities.
Reachability of Vulnerable Assets
To determine the exposure of assets, the Access Analyzer feature of Skybox® Network Assurance can test to see if RDP ports are accessible from the internet. Skybox’s analytic logic considers mitigating security controls such as firewalling and intrusion prevention systems (IPS) to determine which assets are exposed and which are shielded from potential attack.
This capability is important to counteract assumptions of perfectly implemented policy, as was the case with SMB ports during WannaCry as mentioned previously. By automating access analysis, customers can check that the aggregate access of the network is in compliance or spot violations and efficiently manage their remediation.
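The exposure analysis and reachability checks described in the two sections above can be illustrated with a small model: walk the permitted TCP/3389 flows outward from a threat origin, pivot only through hosts running an affected OS, and rank vulnerable assets by direct, indirect, or shielded exposure and then by importance. This is an added example, not Skybox code; the inventory, firewall policy, and importance scores are constructed.

```python
from collections import deque

# Affected versions as listed in the advisory; anything else is treated as not vulnerable.
AFFECTED_OS = {"Windows 7", "Windows Server 2008", "Windows Server 2008 R2",
               "Windows XP", "Windows Server 2003"}

# Constructed inventory: host -> (OS, business importance 1..5). Not real assets.
HOSTS = {
    "web01":  ("Windows Server 2008 R2", 3),
    "jump01": ("Windows Server 2016", 4),
    "hmi01":  ("Windows 7", 5),
    "file01": ("Windows Server 2008", 2),
    "hist01": ("Windows 7", 4),
    "dc01":   ("Windows Server 2019", 5),
}

# Constructed firewall policy: (src, dst) pairs for which TCP/3389 is permitted.
RDP_ALLOWED = [("internet", "web01"), ("internet", "jump01"), ("web01", "hmi01"),
               ("hmi01", "file01"), ("jump01", "hist01"), ("dc01", "file01")]

def rdp_reach(hosts, allowed, origin="internet"):
    """BFS over permitted RDP flows from the threat origin; returns {host: hops}.
    A lateral hop is only taken from a host the attacker could compromise (affected OS)."""
    hops = {origin: 0}
    queue = deque([origin])
    while queue:
        src = queue.popleft()
        if src != origin and hosts[src][0] not in AFFECTED_OS:
            continue  # reachable but not exploitable, so it is not a pivot point
        for s, d in allowed:
            if s == src and d not in hops:
                hops[d] = hops[src] + 1
                queue.append(d)
    return hops

def prioritize(hosts, allowed, origin="internet"):
    """Rank vulnerable hosts: direct exposure first, then indirect, then shielded,
    ties broken by importance. Rows are (host, exposure, importance, hops)."""
    hops = rdp_reach(hosts, allowed, origin)
    rows = []
    for name, (os_name, importance) in hosts.items():
        if os_name not in AFFECTED_OS:
            continue  # not vulnerable to BlueKeep; no remediation needed here
        h = hops.get(name)
        exposure = "shielded" if h is None else "direct" if h == 1 else "indirect"
        rows.append((name, exposure, importance, h))
    rank = {"direct": 0, "indirect": 1, "shielded": 2}
    return sorted(rows, key=lambda r: (rank[r[1]], -r[2]))
```

In the constructed policy, hist01 is only reachable through jump01, which is not vulnerable, so it ranks as shielded even though a permit rule exists; a real analysis would also need to account for IPS signatures and host-based firewalls on each hop.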
Patch Availability and Network Mitigation Options
Customers should apply the relevant Microsoft patches immediately. If patches can’t be implemented straight away, Skybox will also suggest possible mitigation strategies, often unique to each environment, to protect vulnerable assets with other available technologies or methods.