DHS Is Latest to Warn of BlueKeep Vulnerability
Agency Says It Tested Remote Code Execution Exploit
The U.S. Department of Homeland Security has tested a remote code execution exploit using the so-called BlueKeep vulnerability found in older versions of Microsoft Windows, prompting it to warn that IT and security teams should immediately patch devices running these operating systems.
DHS’s Cybersecurity and Infrastructure Security Agency issued the warning Monday based on its testing, adding that the vulnerability can also affect unpatched versions of Windows 2000, and not just Windows XP, Windows 7, Windows 2003 and Windows Server 2008, as originally reported.
In recent weeks, Microsoft has issued a security patch plus two warnings concerning BlueKeep, a vulnerability in the company's Remote Desktop Protocol service that could enable attackers to use a worm-like exploit to take over devices running unpatched older Windows operating systems (see: Microsoft Sounds Second Alarm Over BlueKeep Vulnerability).
Newer versions of the operating system, including Windows 8 and Windows 10, are not affected.
Customers using older versions of Windows, especially one as old as Windows 2000, should apply the patches the company provides or simply upgrade to a newer operating system, a Microsoft spokesperson tells Information Security Media Group.
"We released an update to address this on May 14, 2019, and recommend customers using older operating systems update to the latest version of Windows or apply the update as soon as possible," the spokesperson says.
Remote Code Execution
Since Microsoft issued its first warning on May 14 about BlueKeep, which is designated CVE-2019-0708, several security companies and independent researchers have acknowledged that they have developed proof-of-concept exploits using the vulnerability (see: Researcher Posts Demo of BlueKeep Exploit of Windows Device).
So far, none of these exploits have been published, because there could be as many as 1 million vulnerable Windows devices throughout the world.
What makes the DHS warning unique is that researchers demonstrated a remote code execution exploit, meaning that an attacker could deliver malware to an affected PC or server. In that case, the BlueKeep vulnerability would open the door to an attack reminiscent of the WannaCry and NotPetya ransomware incidents of 2017.
Because the BlueKeep vulnerability does not require user interaction, an exploit could spread malware from one vulnerable device to another within a network in the same way that the WannaCry ransomware was "wormable."
With this in mind, some researchers have compared BlueKeep to EternalBlue, the vulnerability that opened the door to WannaCry two years ago.
"After successfully sending the packets, the attacker would have the ability to perform a number of actions: adding accounts with full user rights; viewing, changing, or deleting data; or installing programs," according to the new DHS warning. "This exploit, which requires no user interaction, must occur before authentication to be successful."
While it's not clear how many systems could still be running Windows 2000, the fact that Homeland Security researchers found the flaw in that version of Windows prompted some security researchers to warn about the expanding vulnerability.
"On a serious note, the Server 2000 RDP stack is very similar to XP. It contains all the components necessary to exploit BlueKeep, and there's no patch available. Windows 2000 is fine though, because only the Server edition comes with terminal server." — MalwareTech (@MalwareTechBlog), June 17, 2019
Warning to Patch
This week's DHS alert is the fourth warning about BlueKeep, which indicates that government agencies and private businesses are growing more concerned that attackers are looking to exploit this particular vulnerability.
In addition to the two alerts from Microsoft and the DHS warning, the U.S. National Security Agency also took the unusual step of alerting the public. In addition to patching, other steps businesses can take to keep their networks safe, the government agencies say, include:
- Block TCP Port 3389 at the firewall, because the port is used by the Remote Desktop Protocol and attackers could use an open port to establish a connection to the network;
- Enable Network Level Authentication, because an attacker would then need valid credentials to perform remote code execution;
- Disable Remote Desktop Services if these tools are not being used.
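
A read-only check of the host-side items in the list above, as an added example that is not from the article, DHS or Microsoft. It assumes Windows PowerShell 2.0 or later and the standard Terminal Server registry values (`fDenyTSConnections`, `UserAuthentication`, `PortNumber`); the function names are illustrative, and the perimeter firewall rule has to be verified separately.

```powershell
# Added example: read-only audit of the host-side RDP mitigations listed above.
# Assumes Windows PowerShell 2.0+; function names are illustrative.
$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcp = "$ts\WinStations\RDP-Tcp"
$pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RegValue($Path, $Name) {
    # Emits nothing when the key or value is absent (e.g. no NLA value on XP/2003).
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($item) {
        $prop = $item.PSObject.Properties[$Name]
        if ($prop) { $prop.Value }
    }
}

function Get-EffectiveValue($LocalPath, $Name) {
    # A Group Policy value, when present, overrides the local setting.
    $v = Get-RegValue $pol $Name
    if ($null -eq $v) { $v = Get-RegValue $LocalPath $Name }
    $v
}

$deny = Get-EffectiveValue $ts  'fDenyTSConnections'   # 0 = RDP connections allowed
$nla  = Get-EffectiveValue $tcp 'UserAuthentication'   # 1 = NLA required
$port = Get-RegValue $tcp 'PortNumber'                 # 3389 unless changed
$svc  = Get-WmiObject Win32_Service -Filter "Name='TermService'"

$rdpAllowed = ($deny -eq 0)
$findings = @()
if ($rdpAllowed) {
    $findings += "RDP accepts connections on TCP $port; disable it if unused and confirm the firewall blocks it."
    if ($nla -ne 1) { $findings += 'Network Level Authentication is not required.' }
}
if ($svc -and $svc.StartMode -ne 'Disabled' -and -not $rdpAllowed) {
    $findings += "Informational: TermService start mode is $($svc.StartMode) although RDP connections are denied."
}

$state = 'not installed'
if ($svc) { $state = $svc.State }

New-Object PSObject -Property @{
    Computer     = $env:COMPUTERNAME
    RdpAllowed   = $rdpAllowed
    NlaRequired  = ($nla -eq 1)
    Port         = $port
    ServiceState = $state
    Findings     = $findings
}
```

The script changes nothing on the host; an empty `Findings` list means Remote Desktop connections are denied and the service is disabled.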