Bekker's Blog


Concern Mounts About 'BlueKeep' Windows RDP Flaw

The Cybersecurity and Infrastructure Security Agency (CISA), the lead U.S. government unit on civilian cybersecurity, has joined the chorus of warnings about the "BlueKeep" Windows security vulnerability.

BlueKeep refers to a critical vulnerability in the implementation of the Remote Desktop Protocol (RDP) used by several older Windows operating systems, including Windows 2000, Windows XP, Windows Vista, Windows 7, Windows Server 2003 and Windows Server 2008. BlueKeep's Common Vulnerabilities and Exposures (CVE) identifier is CVE-2019-0708.

Microsoft disclosed the vulnerability in mid-May and took the extraordinary step of providing patches for some of the involved operating systems that have fallen out of support -- Windows XP, Windows Vista and Windows Server 2003.

Because the vulnerability is pre-authentication and requires no user interaction, Microsoft at the time warned, "The vulnerability is 'wormable', meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017."

In an end-of-May blog post, the Microsoft Security Response Center repeated its warnings about the BlueKeep vulnerability in no uncertain terms. "It's been only two weeks since the fix was released and there has been no sign of a worm yet. This does not mean that we're out of the woods ... It is possible that we won't see this vulnerability incorporated into malware. But that's not the way to bet."

Earlier this month, the U.S. National Security Agency (NSA) issued a public warning of its own urging Windows administrators to apply the patch and update their systems. In the June 4 statement, the NSA wrote, "Although Microsoft has issued a patch, potentially millions of machines are still vulnerable."

Now comes the CISA warning, which also urges users and administrators to review Microsoft's advisory and "apply the appropriate mitigation measures as soon as possible." In addition to enumerating the previous concerns about the vulnerability -- such as a successful attacker's ability to add accounts with full user rights; view, change or delete data; or install programs -- CISA goes further with a discussion of its own tests.

"CISA tested BlueKeep against a Windows 2000 machine and achieved remote code execution. Windows OS versions prior to Windows 8 that are not mentioned in this Activity Alert may also be affected; however, CISA has not tested these systems," the alert states.

Attila Tomaschek, data privacy advocate at ProPrivacy.com, said the CISA warning should not be taken lightly, in part because of the agency's test. "The fact that CISA revealed that it was able to exploit BlueKeep to execute code remotely on a computer running Windows 2000 suggests that it is only a matter of time before malicious attackers are able to do the same," Tomaschek said in an e-mailed statement.

Tomaschek suggested that the CISA's critical warning indicates that authorities believe the threat of a malicious exploit with the capability to infect large numbers of vulnerable devices is imminent. "Organizations and individuals using vulnerable Windows operating systems should take heed and install Microsoft's security updates to patch the vulnerability and insulate themselves from an attack that could potentially take over their systems and compromise hordes of sensitive data," he said.
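The advice repeated throughout the alerts above is to find the older Windows systems that still accept Remote Desktop connections and confirm they carry Microsoft's CVE-2019-0708 update. The following PowerShell inventory script is an added example, not code from CISA, the NSA, Microsoft or this blog. It is meant to run from a management host with WMI access to the targets, and the `$KnownFixIds` list is a placeholder: the article does not list the update's KB numbers, so fill it in from Microsoft's advisory for each affected release.

```powershell
# Added example (not from the article): inventory hosts in the BlueKeep-affected
# Windows family and report whether Remote Desktop is enabled and whether a
# known fix is installed. Run from a management host; targets only need WMI.
param(
    [string[]]$ComputerName = @('localhost'),
    # PLACEHOLDER: replace with the KB ids from Microsoft's CVE-2019-0708 advisory.
    [string[]]$KnownFixIds  = @('KB-PLACEHOLDER')
)

# NT version prefixes for the releases the article names as affected:
# Windows 2000 = 5.0, XP = 5.1, Server 2003 = 5.2,
# Vista / Server 2008 = 6.0, Windows 7 / Server 2008 R2 = 6.1.
$affectedVersions = @('5.0', '5.1', '5.2', '6.0', '6.1')

foreach ($target in $ComputerName) {
    try {
        # Get-WmiObject (DCOM) rather than Get-CimInstance so the query also
        # reaches older hosts that have WMI but no WinRM.
        $os  = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $target -ErrorAction Stop
        $ver = ($os.Version -split '\.')[0..1] -join '.'
        $inScope = $affectedVersions -contains $ver

        # fDenyTSConnections = 0 means the host accepts Remote Desktop connections.
        $reg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $target)
        $ts  = $reg.OpenSubKey('SYSTEM\CurrentControlSet\Control\Terminal Server')
        $rdpEnabled = ($null -ne $ts) -and ($ts.GetValue('fDenyTSConnections', 1) -eq 0)

        # Win32_QuickFixEngineering lists installed updates by KB id.
        $hotfixes = Get-WmiObject -Class Win32_QuickFixEngineering -ComputerName $target -ErrorAction Stop |
                    Select-Object -ExpandProperty HotFixID
        $fixFound = @($KnownFixIds | Where-Object { $hotfixes -contains $_ }).Count -gt 0

        $action = 'none'
        if ($inScope -and -not $fixFound) {
            $action = 'Apply the CVE-2019-0708 update'
            if ($rdpEnabled) { $action += ' (RDP is enabled: treat as urgent)' }
        }

        [pscustomobject]@{
            Computer   = $target
            Caption    = $os.Caption
            OSVersion  = $os.Version
            InScope    = $inScope
            RDPEnabled = $rdpEnabled
            FixFound   = $fixFound
            Action     = $action
        }
    } catch {
        # Unreachable or access-denied hosts are reported, not silently skipped,
        # because an unanswered host is still an unknown in the inventory.
        Write-Warning "$target : $($_.Exception.Message)"
    }
}
```

Pipe the output to `Export-Csv` or `Format-Table` and sort on `InScope` and `RDPEnabled` to get the remediation queue. The version check is deliberately coarse (major.minor only) because the article lists affected systems by release, not by build; a host that reports `FixFound = $false` should be verified against Microsoft's advisory before it is declared unpatched, since the placeholder KB list is the only thing the script has to go on.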

Posted by Scott Bekker on June 19, 2019
