On May 14, 2019, Microsoft released a patch for a critical and wormable RDP vulnerability dubbed BlueKeep.
The security vulnerability was first detected by the UK National Cyber Security Centre.
Later, Microsoft as well as the U.S. National Security Agency recognized its potential as a critical self-propagating worm.
The CVSS (Common Vulnerability Scoring System) gave it a rating of 9.8 out of 10.
Therefore, it is similar to threats like NotPetya and WannaCry.
Soon the National Security Agency issued warnings regarding the BlueKeep vulnerability.
Finally, they began urging Microsoft Windows administrators and users to use only patched versions of Microsoft Windows.
What is BlueKeep?
BlueKeep is a “wormable” remote code execution vulnerability discovered in Microsoft’s Remote Desktop Protocol implementation.
It allows the possibility of remote code execution and remote-control administration.
Officially, the vulnerability is tracked as CVE-2019-0708.
The Remote Desktop Protocol (RDP) provides a user with an interface to connect to another computer over a network.
RDP 5.1 defines 32 virtual channels.
Each virtual channel, in turn, contains “dynamic” virtual channels.
The RDP protocol uses pre-authentication ‘virtual channels’ between client and server as a data pathway for providing extensions.
When the server binds a virtual channel that the user has no legitimate reason to connect to, using a static channel number other than 31, a heap corruption occurs that permits arbitrary code execution at the system level.
The wormable nature of BlueKeep lets it spread through the network to other systems.
The BlueKeep vulnerability is present in all unpatched Windows NT-based versions of Microsoft Windows.
Affected Windows versions: Windows XP, Windows Vista, Windows 7, Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2.
No active malware exploiting the vulnerability was publicly known until June 2019.
But soon, undisclosed proof-of-concept (PoC) code exploiting the vulnerability was rumored to be available.
By the end of July, several instances of malicious RDP activity were reported by experts, along with warnings.
On 13 August 2019, the related BlueKeep security vulnerabilities were collectively named DejaBlue.
Why BlueKeep Is Dangerous
BlueKeep allows malicious individuals such as hackers to run code for different malware, ransomware, etc., on a computer.
Although Microsoft has issued a patch for BlueKeep, potentially millions of machines around the world are still vulnerable.
Since it requires no interaction with the user, such as entering a password, attackers are free to use your computer’s RDP as they wish.
When the vulnerability is used to successfully compromise any affected Windows version, it presents a significant risk to other computers on the same network as well.
Attackers may use this vulnerability to deliver highly damaging payloads.
The Microsoft Patch For the BlueKeep Vulnerability
Noting the severity and criticality of the vulnerability, Microsoft released an out-of-band patch update for BlueKeep.
This remote code execution vulnerability resides in the Remote Desktop Services (RDS) code.
Since the vulnerability is pre-authentication and requires no user interaction, it was deemed highly suitable for weaponization into wormable and destructive exploits.
Microsoft Security Intelligence, a global network of security experts, warned that every unpatched system that is online can become a victim of a possible mass cybersecurity attack.
Users running Windows 8 or 10 are secure from BlueKeep attacks.
Therefore, the best advice is to keep the operating system secure from future threats by applying the latest patches.
What can we do to protect our systems from the BlueKeep vulnerability?
- Patch your system as soon as possible and update your Windows.
- Disable RDP on non-sensitive systems.
- Disabling Remote Desktop Services and other unused and unneeded services helps reduce exposure to security vulnerabilities of all types.
- Monitor incoming RDP connections for any attempt to bind a custom channel with the name MS_T120.
- Block TCP port 3389 at the firewall, since RDP uses that port and the block will prevent any attempt to establish a connection.
- Enable Network Level Authentication on your system, thus requiring valid credentials before a remote connection proceeds.
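As an added example (not code from the original article), the following Python detector implements the monitoring item above: it walks the client's GCC user data blocks as laid out in MS-RDPBCGR, pulls the requested static channel names out of the Client Network Data (CS_NET, type 0xC003) block, and flags any request naming MS_T120. The sample inputs are constructed here for testing, not captured traffic.

```python
import struct

# Block type of the Client Network Data (CS_NET) structure in the client's GCC user data (value per MS-RDPBCGR).
CS_NET = 0xC003

def client_data_blocks(data: bytes):
    """Yield (type, payload) for each TS_UD_HEADER-framed block in a client data blob."""
    off = 0
    while off + 4 <= len(data):
        btype, blen = struct.unpack_from("<HH", data, off)
        if blen < 4 or off + blen > len(data):
            break  # malformed or truncated block: stop rather than guess
        yield btype, data[off + 4:off + blen]
        off += blen

def channel_names(data: bytes) -> list:
    """Return the static virtual channel names requested in the CS_NET block."""
    names = []
    for btype, payload in client_data_blocks(data):
        if btype != CS_NET or len(payload) < 4:
            continue
        count = struct.unpack_from("<I", payload, 0)[0]
        for i in range(count):
            start = 4 + i * 12          # each CHANNEL_DEF is name[8] + options uint32
            if start + 12 > len(payload):
                break                    # channelCount claims more entries than present
            raw = payload[start:start + 8]
            names.append(raw.split(b"\x00", 1)[0].decode("ascii", "replace"))
    return names

def is_suspicious(data: bytes) -> bool:
    """Flag a connection request naming MS_T120; case-insensitive as a defensive choice."""
    return any(name.upper() == "MS_T120" for name in channel_names(data))

def build_cs_net(names) -> bytes:
    """Constructed helper: serialize a CS_NET block so the detector can be tested offline."""
    body = struct.pack("<I", len(names))
    for n in names:
        body += n.encode("ascii").ljust(8, b"\x00") + struct.pack("<I", 0)
    return struct.pack("<HH", CS_NET, 4 + len(body)) + body

# Constructed samples: a normal client asking for the usual device/clipboard channels,
# and one that also names MS_T120. A leading dummy 0xC001 block shows block skipping works.
BENIGN = struct.pack("<HH", 0xC001, 12) + b"\x00" * 8 + build_cs_net(["rdpdr", "cliprdr"])
SUSPECT = build_cs_net(["rdpdr", "MS_T120", "cliprdr"])

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, channel_names(blob), "ALERT" if is_suspicious(blob) else "ok")
```

In practice the blob fed to `channel_names` is the user data carried in the MCS Connect Initial PDU on port 3389, after the outer TPKT/X.224/T.125 layers have been stripped by your capture tooling.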
Applying the Windows security patch
Windows users of out-of-support versions of the operating system (other than Windows 8 or 10) can download and apply the software patch to address the BlueKeep vulnerability.
They can also upgrade their Windows to automatically get the latest versions of the operating system.
Users can find downloads for the different versions in the Microsoft Security Response Center.
Microsoft is currently planning to provide patches for older versions of Windows.
Microsoft and other security agencies have urged users to invest time and resources in using only the latest operating systems with the latest patches.
The vulnerability is highly dangerous not only for large organizations but also for personal users on all networks.
It is only a matter of time before remote exploitation code for this vulnerability is widely available.
Hence, it is necessary to stay alert and update against the BlueKeep vulnerability.
So, download the patch from the link above and protect your devices.