An Overview of BlueKeep (CVE-2019-0708)

In early May of 2019, Microsoft reported that a newly discovered security vulnerability could pose a tremendous threat to its users. The bug was originally detected by the United Kingdom's National Cyber Security Centre. Officially tracked as CVE-2019-0708 but commonly referred to as "BlueKeep", it is a remote code execution vulnerability in Remote Desktop Services. BlueKeep exists in several Microsoft Windows operating systems, including Windows 2000, Windows Vista, Windows 7, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, and Windows Server 2008 R2. Note that this includes the 32-bit, 64-bit, and all Service Pack versions.

The severity of BlueKeep is critical because it can be used to remotely execute commands with no user interaction required. If a cyber-criminal sends specially crafted packets to a system with Remote Desktop Services enabled, they gain the means to carry out multiple actions on the affected system or systems, such as adding accounts with full privileges, installing programs, and viewing, editing, or deleting data. The exploit also takes place before authentication has occurred, so it succeeds without valid credentials. The criticality of this vulnerability is further attributed to its "wormable" nature, meaning a system infected with malware could be used to spread that malware onto other systems on the same network, and at an alarming rate. Machines in an Active Directory domain can be affected even if they do not themselves possess the BlueKeep vulnerability; it takes only one machine to infect the others. Researchers have estimated that as many as a million devices are vulnerable to BlueKeep, a figure most likely driven by the number of companies still running outdated software.

To mitigate the risk of BlueKeep being exploited, Microsoft and the NSA have strongly recommended that users install the recently released patches for the susceptible operating systems. For systems without patches, or systems that cannot be patched, it would also be wise to upgrade end-of-life operating systems to newer, more secure versions. A best practice for limiting exposure to vulnerabilities is to disable unnecessary services that are not being used. Enabling Network Level Authentication forces a session request to be authenticated before a session is created, which effectively blocks attacks on BlueKeep-vulnerable systems, because the exploit requires an unauthenticated session. Blocking Transmission Control Protocol port 3389 at the enterprise perimeter firewall would prevent cyber criminals from reaching systems from outside the network. However, this also blocks legitimate Remote Desktop Protocol sessions from outside, and it does nothing to stop unauthenticated sessions from being exploited from inside the network.
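The host-level mitigations above (patch installed, Network Level Authentication required, Remote Desktop only where it is needed) can be audited and, for NLA, enforced with a short PowerShell script. This is an added example, not code from the original post or from Microsoft; it assumes an elevated session on the host being checked, and the `-RequiredKb` value is a placeholder for the KB number of the CVE-2019-0708 update that applies to your OS version.

```powershell
# Added example: audit the BlueKeep host-level mitigations on the local machine.
# Written for PowerShell 2.0+ so it also runs on the affected Windows 7 / 2008 R2 hosts.
function Get-BlueKeepExposure {
    param(
        # Placeholder: supply the KB article id of the CVE-2019-0708 update for this OS.
        [string]$RequiredKb = 'KB_PLACEHOLDER'
    )

    $ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcp = Join-Path $ts 'WinStations\RDP-Tcp'

    # fDenyTSConnections = 1 means Remote Desktop connections are disabled entirely.
    $rdpEnabled = (Get-ItemProperty -Path $ts -Name fDenyTSConnections).fDenyTSConnections -eq 0

    # UserAuthentication = 1 means Network Level Authentication is required, so the
    # client must authenticate before a session exists; BlueKeep needs an
    # unauthenticated session, so this setting removes its precondition.
    $nlaRequired = (Get-ItemProperty -Path $tcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication -eq 1

    # Is the Remote Desktop Services service actually running? Stopping it where it
    # is not needed is the "disable unnecessary services" mitigation.
    $svc = Get-Service -Name TermService -ErrorAction SilentlyContinue
    $serviceRunning = ($svc -ne $null) -and ($svc.Status -eq 'Running')

    # Get-HotFix lists installed updates; absent KB means the fix is not applied.
    $patched = (Get-HotFix -Id $RequiredKb -ErrorAction SilentlyContinue) -ne $null

    New-Object PSObject -Property @{
        ComputerName    = $env:COMPUTERNAME
        RdpEnabled      = $rdpEnabled
        ServiceRunning  = $serviceRunning
        NlaRequired     = $nlaRequired
        PatchInstalled  = $patched
        # Reachable pre-auth RDP surface exists only if RDP is on, NLA is off, and unpatched.
        Exposed         = $rdpEnabled -and $serviceRunning -and -not $nlaRequired -and -not $patched
    }
}

# Remediation: require Network Level Authentication for the RDP-Tcp listener.
# Applies to new connections; existing sessions are not affected.
function Set-RdpNlaRequired {
    $tcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    Set-ItemProperty -Path $tcp -Name UserAuthentication -Value 1 -Type DWord
}

Get-BlueKeepExposure | Format-List ComputerName, RdpEnabled, ServiceRunning, NlaRequired, PatchInstalled, Exposed
```

Run `Set-RdpNlaRequired` only after confirming every client that connects to the host supports CredSSP, since NLA rejects clients that cannot authenticate up front.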

The sooner users and companies patch or update their systems the better, given that BlueKeep has the potential to be extremely damaging to sensitive data. It is only a matter of time before cyber criminals perfect their ability to take advantage of BlueKeep and inflict serious damage. A "thank you" is indeed in order to the specialists at the UK NCSC, NSA, and Microsoft who discovered the vulnerability and helped provide solutions to mitigate the threat of BlueKeep.

Need additional information or support? Contact Silent Sector for a complimentary consultation.

About the Author

Written by Antonio Chavez