In the past few weeks a highly dangerous vulnerability has been made public in older (and largely unsupported, or close to the end of support) versions of Windows, namely:
- Windows Server 2008
- Windows 7 Pro
- Windows 2003
- Windows XP Pro.
This is being named ‘BlueKeep’ (tracked as CVE-2019-0708) and has been proven to be remotely exploitable without any authentication: an attacker only needs to reach the Remote Desktop port. There are currently estimated to be around 1 million such machines vulnerable to this exploit and accessible from the internet. The real figure is likely to be a lot higher when you take into account vulnerable machines hidden behind a Local Area Network. If malware gets into such a network, it could also exploit this bug and wreak havoc.
By all accounts I have read so far this exploit is not difficult to weaponise in malware. The fear is that in a very short time a weaponised version of this will appear from hackers. Having this many exposed and unpatched machines could give rise to a cyber attack event that makes WannaCry and NotPetya from 2017 seem trivial.
The immediate mitigation is to install, urgently, the patches Microsoft provided on the May 2019 Patch Tuesday (14 May 2019). Microsoft took the unusual step of also releasing patches for the out-of-support versions (Windows XP and Windows Server 2003), which are available from the Microsoft Update Catalog rather than through Windows Update.
Windows XP Home and Windows 7 Home variants cannot accept Remote Desktop connections and so are not exposed to this bug (see the background section below), although Microsoft released the patch for every edition, so install it anyway. At this stage all variants of Windows 8 and Windows 10, and Windows Server 2012 and later, are not vulnerable. However that can always change, so best to keep an eye on this.
If you want to get a more technical overview I suggest you look at the very good weekly Security Now podcast from Steve Gibson on the TWiT network at https://youtu.be/oTKdJUNUkJw?t=4497. His show notes also provide a lot of links to technical details. There is also ample material spread across various online publications. I will focus instead on awareness and how to mitigate the threat.
A Bit of Background
This affects a feature of Windows (whether it be a desktop or a server variant) called ‘Remote Desktop Protocol’ (RDP). What this does is allow a user to initiate a connection to a remotely accessible PC/server over a network and interact with the remote machine as if it were local. This feature actually displays the Windows desktop as if you were directly logged into the machine locally. This is a very useful feature as it allows someone to manage servers and PCs remotely and is a feature actively used by system administrators in just about every kind of organisation. It is also used to access desktop PCs via corporate VPNs, which means the user does not need an expensive company-supported laptop to work remotely: they can just log in via their home PC. By default RDP listens on TCP port 3389, which is why that port number features so heavily in the advice below.
If you are a consumer running Windows 7 Home or Windows XP Home (and at this stage if you are a company you need to really ask yourself why) you will not be exposed to this, since it is not possible to enable RDP (the incoming Remote Desktop feature) on these machines. If you are running Windows Home Server 2011 (which is based on Windows Server 2008 R2), this in all likelihood is vulnerable and has been out of support for a number of years (only an issue for consumers, since companies would not use this variant).
However, in the Windows 7/XP Pro and Enterprise variants, and on all the server variants listed above, RDP can be enabled, and if you have a machine with one of these OSs you need to patch your systems ASAP. In most cases the patch comes through Windows Update, and for corporates your IT department should be managing this.
Enabling “Network Level Authentication” (NLA) when you enable the Remote Desktop feature is a partial defence against this bug: with NLA on, the client has to authenticate (with a valid Windows username and password) before the server sets up the session, so the vulnerable code is never reached by an unauthenticated attacker. It does not protect you from an attacker who already holds valid credentials for the machine, and it should always be enabled if you are going to use this feature. However, still patch your system.
This vulnerability is wormable, which basically means that a weaponised version of the exploit, packaged as malware, can spread from one machine to the next directly over the network on its own, with no user interaction and without needing to infect files on the system (similar to NotPetya and WannaCry). Security researchers at Zerodium, McAfee, Kaspersky, Check Point, MalwareTech, and Valthek have all confirmed that they have successfully developed exploits for BlueKeep. None of them are publishing their research at this time, but there have been cross-verifications. This also implies that it is not difficult to develop a weaponised version.
A weaponised version could also exploit other vulnerabilities to infect systems with anything from cryptominers to data exfiltration malware to malware capable of being highly destructive (e.g. ransomware). So, the advice, as always, is to keep your systems patched and up to date. Also, you should never have the default RDP port (TCP 3389) exposed to the Internet: restrict it to your management network, or put it behind a VPN.
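Putting the advice from the two preceding paragraphs into practice on an affected host (Windows 7 or Windows Server 2008 R2), here is an added audit-and-harden script. This is my example, not anything from Microsoft or from the sources linked above. It assumes the host has PowerShell 2.0 or later, that 10.0.0.0/24 stands in for your management network, and that the KB numbers listed are the May 2019 security-only update and monthly rollup for that OS family; verify those against Microsoft's advisory for CVE-2019-0708 before relying on them, and use the equivalent KB numbers for Windows Server 2008 SP2, XP or 2003.

```powershell
# Added example, not from the original article: audit a Windows 7 / Server 2008 R2
# host for the BlueKeep mitigations and apply the two the article recommends.
# Run from an elevated PowerShell prompt.
# ASSUMPTIONS: $ManagementSubnet is a placeholder for your admin network; $PatchKBs
# are the May 2019 updates for this OS family (verify against the advisory).

$ManagementSubnet = '10.0.0.0/24'               # assumption: replace with your admin network
$PatchKBs = @('KB4499175', 'KB4499164')         # assumption: security-only update, monthly rollup

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

# 1. Is Remote Desktop enabled at all? fDenyTSConnections = 1 means RDP is switched off.
$rdpDenied = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections
if ($rdpDenied -eq 1) {
    Write-Output 'Remote Desktop is disabled on this host; nothing is listening on 3389.'
} else {
    Write-Output 'Remote Desktop is ENABLED; checking mitigations.'
}

# 2. Network Level Authentication. UserAuthentication = 1 forces the client to
#    authenticate before a session is created, keeping unauthenticated clients
#    away from the vulnerable code path (partial mitigation only).
$nla = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication).UserAuthentication
if ($nla -ne 1) {
    Write-Output 'NLA is OFF; enabling it now.'
    Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1
} else {
    Write-Output 'NLA is already on.'
}

# 3. Has the May 2019 fix been installed? Either the security-only update or the
#    monthly rollup is enough, so any match in the list counts.
$installed = Get-HotFix | Where-Object { $PatchKBs -contains $_.HotFixID }
if ($installed) {
    Write-Output "Patched for CVE-2019-0708: $($installed.HotFixID -join ', ')"
} else {
    Write-Output 'NOT PATCHED for CVE-2019-0708. Run Windows Update now; NLA only reduces exposure.'
}

# 4. Restrict inbound 3389 to the management subnet. Windows 7 / 2008 R2 do not
#    have the NetSecurity cmdlets, so use netsh, which exists on every affected OS.
#    The built-in "Remote Desktop" rule group allows 3389 from anywhere, so it is
#    disabled and replaced with an allow rule scoped to the admin network. With the
#    firewall's default inbound action left at Block, nothing else can reach 3389.
netsh advfirewall firewall set rule group="Remote Desktop" new enable=no | Out-Null
netsh advfirewall firewall add rule name="RDP - management subnet only" dir=in action=allow protocol=TCP localport=3389 "remoteip=$ManagementSubnet" | Out-Null
Write-Output "Inbound 3389 is now limited to $ManagementSubnet. Confirm the inbound default is Block with: netsh advfirewall show allprofiles"
```

Step 4 deliberately adds only an allow rule rather than an explicit block rule: in Windows Firewall an explicit block rule always wins over allow rules, so a "block 3389 from any" rule would also lock out the management subnet. If RDP must be reached from outside the office, the right answer is still a VPN in front of it, not a wider `remoteip` scope.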
The problem with this particular vulnerability is that it affects unsupported systems. Windows XP has long been unsupported (since April 2014, with Windows Server 2003 following in July 2015), and Windows 7 and Windows Server 2008/2008 R2 all reach the end of extended support on 14 January 2020. Anyone using these systems at this stage needs to ask themselves why they haven’t addressed this and have a plan to get onto a supported version of Windows, namely Windows 10 and its server equivalents.
Checks for this vulnerability have already been added to a number of penetration testing and vulnerability scanning tools, and as these tools are also used by hackers you can expect scanning for machines that are exposed to this bug to ramp up from now. Such scanning of port 3389 has already been detected, probably in preparation for some form of cyber attack, so it is worth looking at your own firewall logs for it.
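To see what that scanning looks like from your own side, here is an added example (mine, not from the article or the podcast linked above) that reads Windows Firewall log lines and picks out internet sources hitting TCP 3389. It assumes the firewall's "log dropped packets" option is on, so that %systemroot%\system32\LogFiles\Firewall\pfirewall.log is being written; the six log lines embedded below are constructed for the example and use documentation address ranges rather than real scanner addresses.

```powershell
# Added example, not from the original article: flag sources probing TCP/3389 in a
# Windows Firewall log. Sample lines are CONSTRUCTED for this example.

function Test-PrivateIPv4 {
    param([string]$Address)
    # RFC 1918 ranges; anything else is treated as coming from the Internet.
    return ($Address -match '^10\.') -or
           ($Address -match '^192\.168\.') -or
           ($Address -match '^172\.(1[6-9]|2\d|3[01])\.')
}

function Get-RdpProbes {
    param(
        [string[]]$LogLines,
        [int]$Threshold = 3      # attempts from one source before it is called a scan
    )
    $bySource = @{}
    foreach ($line in $LogLines) {
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) { continue }
        # pfirewall.log fields: date time action protocol src-ip dst-ip src-port dst-port ...
        $f = $line -split '\s+'
        if ($f.Count -lt 8) { continue }
        $action = $f[2]; $proto = $f[3]; $src = $f[4]; $dst = $f[5]; $dport = $f[7]
        if ($proto -ne 'TCP' -or $dport -ne '3389') { continue }
        if (Test-PrivateIPv4 $src) { continue }    # internal admins are expected on 3389

        if (-not $bySource.ContainsKey($src)) {
            $bySource[$src] = @{ Hits = 0; Allowed = 0; Targets = @{} }
        }
        $bySource[$src].Hits += 1
        $bySource[$src].Targets[$dst] = $true
        if ($action -eq 'ALLOW') { $bySource[$src].Allowed += 1 }
    }

    foreach ($src in $bySource.Keys) {
        $s = $bySource[$src]
        # An ALLOW from the Internet means 3389 is reachable, which is the real problem;
        # several DROPs against one or more hosts is the scanner fingerprint.
        if ($s.Allowed -gt 0) {
            $verdict = 'REACHABLE FROM INTERNET'
        } elseif ($s.Hits -ge $Threshold -or $s.Targets.Count -gt 1) {
            $verdict = 'SCAN (dropped)'
        } else {
            $verdict = 'single hit'
        }
        [pscustomobject]@{
            Source   = $src
            Attempts = $s.Hits
            Targets  = $s.Targets.Count
            Allowed  = $s.Allowed
            Verdict  = $verdict
        }
    }
}

# Constructed sample log. 203.0.113.5 sweeps three hosts, 198.51.100.77 actually gets
# through, 10.0.0.5 is an internal admin, and the last line is unrelated HTTPS noise.
$sampleLog = @'
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2019-05-20 10:15:32 DROP TCP 203.0.113.5 192.168.1.10 51234 3389 52 S 1234567 0 8192 - - - RECEIVE
2019-05-20 10:15:33 DROP TCP 203.0.113.5 192.168.1.11 51235 3389 52 S 1234568 0 8192 - - - RECEIVE
2019-05-20 10:15:34 DROP TCP 203.0.113.5 192.168.1.12 51236 3389 52 S 1234569 0 8192 - - - RECEIVE
2019-05-20 10:16:01 ALLOW TCP 198.51.100.77 192.168.1.10 40000 3389 0 - 0 0 0 - - - RECEIVE
2019-05-20 10:16:05 ALLOW TCP 10.0.0.5 192.168.1.10 50001 3389 0 - 0 0 0 - - - RECEIVE
2019-05-20 10:16:09 DROP TCP 203.0.113.9 192.168.1.10 44444 443 52 S 1234570 0 8192 - - - RECEIVE
'@ -split "`r?`n"

Get-RdpProbes -LogLines $sampleLog | Sort-Object Attempts -Descending | Format-Table -AutoSize
```

Against a real log, replace `$sampleLog` with `Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"`. Any row whose Allowed column is non-zero is the one to act on first: it means the host is reachable on 3389 from the Internet, regardless of whether a scan was in progress.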
Other articles on this site that are related to this are as follows:
- Windows 7 Updates (Updated)
- Windows 10 Update Returns Power to the People
- The Dangers to using Unsupported Devices and Software
Headline image provided by ShutterStock