CIO

US CERT BlueKeep warning: we got remote code execution

The Cybersecurity and Infrastructure Security Agency (CISA), the agency that now houses US-CERT, has released an alert about the 'BlueKeep' Remote Desktop Protocol (RDP) flaw. The alert follows warnings from Microsoft and the NSA to patch the bug, which was reported to Microsoft by the UK’s National Cyber Security Centre (NCSC).

CISA is the latest organization to raise an alarm about BlueKeep, which Microsoft believes could become a threat on the scale of the WannaCry outbreak in mid-2017, largely because BlueKeep is similarly ‘wormable’, meaning it can spread automatically from one vulnerable machine to another. WannaCry’s worm capability came from a leaked NSA exploit known as EternalBlue.  

Since Microsoft’s May patch for CVE-2019-0708, aka BlueKeep, and its warning to patch urgently, the NSA and the Australian Cyber Security Centre have also urged organizations to patch the bug. NCSC, which sits under the UK signals-intelligence agency GCHQ, has issued its own warning.

The NSA’s warning followed research by security expert Robert Graham who estimated more than a million Windows PCs were still vulnerable to BlueKeep two weeks after Microsoft released the patch. 

Security firm Bitsight ran a scan of its own for BlueKeep a month after Microsoft's patch and found that China had the highest number of vulnerable machines, totaling over 300,000. Fewer than half of the vulnerable machines in China had been patched. In the US, the patching rate exceeded 75 percent, but that still left around 100,000 machines exposed to a BlueKeep exploit. Patching rates in much of Europe were on par with or better than the US, though those countries accounted for far fewer systems.

As UK security expert Kevin Beaumont noted recently, there still isn’t a public remote code execution exploit for BlueKeep. But several security researchers have built working proof-of-concept exploits and opted not to publish them because of the danger, so there is a good chance that a less scrupulous party releases a reliable exploit publicly, or that malicious actors develop one privately and begin using it for their own gain.

Either outcome could create worldwide BlueKeep mayhem on the scale of WannaCry, which infected around 300,000 Windows PCs that hadn’t been patched with Microsoft’s fix for the EternalBlue flaw.

CISA’s alert is more evidence that cybercriminals or state-backed hackers could weaponize BlueKeep. CISA issued the alert after successfully exploiting the flaw on a Windows 2000 machine. It had not tested the other versions Microsoft lists as affected, which run from Windows XP and Windows Server 2003 through Windows 7 and Windows Server 2008 R2; Windows 8 and later are not affected.

“CISA tested BlueKeep against a Windows 2000 machine and achieved remote code execution,” it says. “Windows OS versions prior to Windows 8 that are not mentioned in this Activity Alert may also be affected; however, CISA has not tested these systems.”

A common recommendation, and one that CISA reiterates, is to enable Network Level Authentication (NLA). NLA requires the client to authenticate (via CredSSP) before a session is created, so an unauthenticated attacker, or a worm, never reaches the vulnerable code. Microsoft describes this as a partial mitigation rather than a fix: an attacker who already holds valid credentials for the machine can still authenticate and trigger the bug, so NLA reduces exposure while the patch is rolled out but does not replace it. One operational caveat is that very old RDP clients, notably Windows XP without the CredSSP update, cannot connect to a host that requires NLA.

CISA also recommends that admins install Microsoft’s patches, including the out-of-band patches Microsoft released for unsupported systems such as Windows XP, Windows Vista, and Windows Server 2003.

Other recommendations include upgrading from end-of-life operating systems and blocking TCP port 3389, the default port on which RDP listens, at the perimeter firewall. Blocking the port at the perimeter stops internet-facing exploitation but not spread between machines on the same network, and a host configured to listen on a non-default port is not protected by a rule that names only 3389, so patching and NLA still matter behind the firewall.
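The three recommendations above (patch, NLA, blocking TCP/3389) can be audited on a single Windows host from an elevated PowerShell session. The script below is an added example written for this page, not code from CISA, Microsoft or the article. It reads the Terminal Server registry keys that control whether RDP is enabled and whether NLA is required, checks the installed hotfix list, and with `-Remediate` turns on NLA and adds a host-firewall block for 3389 until the patch lands. The KB numbers in `$BlueKeepKBs` are my assumption of the May 2019 CVE-2019-0708 updates for the legacy SKUs and are not taken from the article; verify them against Microsoft's advisory before relying on the patch check.

```powershell
# Added example (not from the article or the CISA alert): audit and optionally remediate
# the BlueKeep mitigations on the local host. Run as Administrator.
param(
    [switch]$Remediate   # without this switch the script only reports
)

# ASSUMPTION: these are the May 2019 updates for CVE-2019-0708 on the affected SKUs.
# Any one of them installed means the host's SKU is patched. Verify against the MSRC
# advisory for CVE-2019-0708 before trusting this list.
$BlueKeepKBs = @(
    'KB4499175', 'KB4499164',   # Windows 7 SP1 / Server 2008 R2 (security-only / monthly rollup)
    'KB4499180', 'KB4499149',   # Windows Server 2008 SP2 / Vista SP2 (security-only / monthly rollup)
    'KB4500331'                 # Windows XP SP3 / Server 2003 SP2 (out-of-band)
)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

# 1. Patch state: look for any of the listed KBs in the installed hotfixes.
$installed = Get-HotFix -ErrorAction SilentlyContinue |
             Where-Object { $BlueKeepKBs -contains $_.HotFixID }
$patched   = [bool]$installed

# 2. Is RDP listening at all? fDenyTSConnections = 1 means Remote Desktop is disabled.
$rdpEnabled = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections -eq 0

# 3. NLA: UserAuthentication = 1 requires CredSSP authentication before a session is
#    created, which keeps unauthenticated attackers (and worms) away from the vulnerable
#    code path. It does not protect against an attacker holding valid credentials.
$nlaRequired = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication).UserAuthentication -eq 1

[pscustomobject]@{
    Host        = $env:COMPUTERNAME
    Patched     = $patched
    PatchKBs    = ($installed.HotFixID -join ',')
    RdpEnabled  = $rdpEnabled
    NlaRequired = $nlaRequired
} | Format-List

if ($Remediate) {
    if ($rdpEnabled -and -not $nlaRequired) {
        # Requiring NLA locks out clients without CredSSP support (e.g. unpatched XP);
        # confirm that is acceptable before flipping the bit. Applies to new connections.
        Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1 -Type DWord
        Write-Output 'NLA now required for RDP-Tcp.'
    }
    if (-not $patched) {
        # Until the update is installed, stop exposing the default RDP port at the host
        # firewall too. netsh works on every affected SKU; New-NetFirewallRule does not
        # exist on Windows 7 / Server 2008 R2.
        netsh advfirewall firewall add rule name="Block inbound RDP (CVE-2019-0708 unpatched)" `
            dir=in action=block protocol=TCP localport=3389 | Out-Null
        Write-Output 'Inbound TCP/3389 blocked at the Windows Firewall until the patch is applied.'
    }
}
```

Run it without arguments first to see the host's state; `Patched = False` with `RdpEnabled = True` and `NlaRequired = False` is the combination the alert is warning about. The firewall rule is deliberately added only while the host is unpatched, so the script does not silently break RDP access to machines that already carry the fix.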