Immunity, a cybersecurity contracting company based out of Miami, Florida has announced a working exploit for the dreaded BlueKeep vulnerability. But you don't have to panic.
What is BlueKeep?
BlueKeep (or CVE-2019-0708) is a security vulnerability that could potentially allow attackers to compromise remote desktop protocols in order to take control of end-points remotely.
According to Microsoft, an attacker who successfully exploits this vulnerability could execute arbitrary code on the target system, installing programs, viewing, changing or deleting data and have the ability to create new user accounts with full administrative rights.
BlueKeep is considered "wormable" because malware exploiting this vulnerability could propagate across a network.
What systems are affected?
The Cybersecurity and Infrastructure Security Agency (CISA) says the following systems are affected by BlueKeep:
- Windows 2000
- Windows Vista
- Windows XP
- Windows 7
- Windows Server 2003
- Windows Server 2003 R2
- Windows Server 2008
- Windows Server 2008 R2
What can you do to protect yourself?
Patch, patch, patch. Microsoft has released multiple patches that address this security issue, including patches for operating systems they otherwise no longer support (Windows XP and Windows Server 2003 for example).
If you haven't implement the patches yet we highly recommend you do.
What steps can you take to mitigate BlueKeeps impact beyond patching?
The CISA recommends you:
- Upgrade end-of life OSs - Consider upgrading any EOL OSs no longer supported by Microsoft to a newer, supported OS, such as Windows 10.
- Disable unnecessary services - Disable services not being used by the OS. This best practice limits exposure to vulnerabilities.
- Enable Network Level Authentication - Enable Network Level Authentication in Windows 7, Windows Server 2008, and Windows Server 2008 R2. Doing so forces a session request to be authenticated and effectively mitigates against BlueKeep, as exploit of the vulnerability requires an unauthenticated session.
- Block Transmission Control Protocol (TCP) port 3389 at the enterprise perimeter firewall -Because port 3389 is used to initiate an RDP session, blocking it prevents an attacker from exploiting BlueKeep from outside the user’s network.
However, this will block legitimate RDP sessions and may not prevent unauthenticated sessions from being initiated inside a network.
Are there any known BlueKeep exploits beyond Immunity's?
Publicly, no. There aren't. Are there private exploits out in the wild? Probably. Hackers and rogue developers aren widely known for soliciting their exploits before using them in an attack.
Should you be worried about Immunity's BlueKeep exploit?
No, probably not. The chances of the code leaking to the dark web or something are slim. Considering their business practices and their customer base it just doesn't look likely.
Can Security7 Networks help us patch, update, or manage your systems?
Absolutely. If you're an existing customer you just have to ask your Security7 technical support agent for assistance.
Like our blog? Subscribe using the CTA in the upper right hand corner of this page. Feel like sharing your thoughts with us? Use the comment section below.