Apply the BlueKeep Patch Now
I’m writing to let you know about a critical Windows security patch that should be deployed to affected systems ASAP.
The BlueKeep vulnerability (CVE-2019-0708) is a remotely exploitable flaw in the Remote Desktop Protocol (RDP) Services on older versions of Windows including:
- Windows Server 2008 R2
- Windows 7
- Windows Server 2008
- Windows Vista
- Windows Server 2003
- Windows XP
Both Microsoft and the NSA have stressed the importance of deploying the following patches Microsoft released on May 14th:
- Windows XP / Windows Server 2003 – Security Patch KB4500331
- Windows Vista / Windows Server 2008 – Security Patch KB4499180 OR Monthly Rollup KB4499149
- Windows 7 / Windows Server 2008 R2 – Security Patch KB4499175 OR Monthly Rollup KB4499164
You know the vulnerability is severe when Microsoft decides to patch end-of-life versions of Windows like XP that are technically no longer supported by Microsoft.
Microsoft likened the BlueKeep vulnerability to EternalBlue, the exploit utilized by the WannaCry and NotPetya ransomware, which in 2017 quickly spread, infected hundreds of thousands of computers and caused massive financial damage.
Having personally used the EternalBlue exploit on many penetration tests to compromise Windows servers, the comparisons of BlueKeep to EternalBlue greatly concern me. It is only a matter of time before BlueKeep exploits become widely available.
In the case of WannaCry, the initial outbreak occurred around 60 days after the patch was released by Microsoft in 2017. As of today, we are 22 days out from the Microsoft patch release for BlueKeep. You need to have a process in place to expedite highly critical patches such as the BlueKeep patch.
Other precautions you should evaluate include:
- Block TCP port 3389, the port used by Remote Desktop Protocol (RDP), at your perimeter firewall
- Disable Remote Desktop Services across your network if not needed
- If you do need Remote Desktop Services, configure your RDP servers to require Network Level Authentication (NLA), which forces a client to authenticate before a full RDP session is established.
It only takes one vulnerable system to put your entire network at risk. Ensure you have an accurate inventory of systems and Internet-exposed services. Too often breaches occur due to a forgotten server that is not in the routine patch management cycle or by a misconfigured firewall that exposes an unknown RDP service. This would be a good time to perform an external network discovery map to ensure there aren’t any forgotten servers or services connected to your network.
You can use the “rdp-enum-encryption” nmap script to identify open RDP servers on your network and to check whether Network Level Authentication is enforced on each one. Here’s how you would run that script:
nmap -p 3389 --script rdp-enum-encryption {target specification}
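The nmap scan above finds RDP services from the outside; the script below is the host-side complement, an added example that is not part of the original post. It checks whether one of the May 14th updates listed above is installed, whether Remote Desktop is disabled, whether NLA is required, and whether anything is actually listening on 3389. It assumes a Windows 7 / Server 2008 R2 or newer host with PowerShell, the standard Terminal Server registry locations, and that the patch has not been superseded by a later cumulative rollup (Get-HotFix only reports the KB that was installed).

```powershell
# Added example (not from the original post): audit the local Windows host for the
# BlueKeep (CVE-2019-0708) patch and the RDP hardening discussed above.
# Run in an elevated PowerShell session on the host being checked.

# The KB numbers named in the post. Assumption: none has been replaced by a later rollup.
$BlueKeepKBs = @(
    'KB4500331',               # Windows XP / Server 2003
    'KB4499180', 'KB4499149',  # Windows Vista / Server 2008 (security-only OR monthly rollup)
    'KB4499175', 'KB4499164'   # Windows 7 / Server 2008 R2 (security-only OR monthly rollup)
)

function Test-BlueKeepPosture {
    $tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpKey = Join-Path $tsKey 'WinStations\RDP-Tcp'

    # fDenyTSConnections = 1 means Remote Desktop is turned off on this host.
    $deny = Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue
    $rdpDisabled = ($deny.fDenyTSConnections -eq 1)

    # UserAuthentication = 1 means Network Level Authentication is required.
    $auth = Get-ItemProperty -Path $rdpKey -Name UserAuthentication -ErrorAction SilentlyContinue
    $nlaRequired = ($auth.UserAuthentication -eq 1)

    # Any one of the listed updates closes the vulnerability for its OS family.
    $installed = Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $BlueKeepKBs -contains $_.HotFixID }
    $patchText = if ($installed) { $installed.HotFixID -join ', ' } else { 'NOT FOUND' }

    # Is TCP 3389 actually listening (IPv4 or IPv6)?
    $listening = $null -ne (netstat -ano | Select-String ':3389\s+\S+\s+LISTENING')

    # "Exposed" = unpatched, RDP enabled, and a listener present. NLA reduces but does not
    # remove the risk, so it is reported separately rather than folded into Exposed.
    New-Object PSObject -Property @{
        ComputerName   = $env:COMPUTERNAME
        OSVersion      = [Environment]::OSVersion.Version.ToString()
        BlueKeepPatch  = $patchText
        RDPDisabled    = $rdpDisabled
        NLARequired    = $nlaRequired
        Port3389Listen = $listening
        Exposed        = (-not $installed) -and (-not $rdpDisabled) -and $listening
    }
}

Test-BlueKeepPosture | Format-List
```

Run it across your inventory (for example via Invoke-Command against a list of hosts) and treat any row with Exposed = True, or with BlueKeepPatch = NOT FOUND on an Internet-facing system, as a same-day fix.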
If you have any questions or need any assistance, please feel free to reach out to me directly.
To your success,
Geoff