Advisory 7

TLP Rating: White

Microsoft Operating Systems BlueKeep Vulnerability

CERT Vanuatu and the Office of the Chief Information Officer (OGCIO) provide the following advisory.

This is to advise all system and network administrators, managers and business houses in Vanuatu who are using Microsoft operating systems to actively monitor their systems and ensure that the latest Microsoft security patches for the BlueKeep (CVE-2019-0708) vulnerability are installed.

BlueKeep (CVE-2019-0708) exists within the Remote Desktop Protocol (RDP) used by the Microsoft Windows Operating Systems (OSs). An attacker can exploit this vulnerability to perform remote code execution on an unprotected system.

At this stage, CERT Vanuatu (CERTVU) and OGCIO have not received any reports of incidents related to the BlueKeep vulnerability. CERT Vanuatu asks organizations, IT companies and individuals to report any suspected case.

What Happened?

According to Microsoft, an attacker can send specially crafted packets to a system running one of these operating systems with RDP enabled. Because the vulnerable code runs before authentication, the attack requires neither valid credentials nor any user interaction. Once the packets are processed, the attacker can execute code on the system: adding accounts with full user rights; viewing, changing or deleting data; or installing programs.

BlueKeep is considered “wormable” because malware exploiting this vulnerability on one system could propagate to other vulnerable systems without human involvement; a BlueKeep exploit would therefore be capable of spreading rapidly, in the manner of the WannaCry attacks of 2017 [1].

Does It Affect Organisations and Users?

The BlueKeep vulnerability exists within the Remote Desktop Protocol (RDP) used by the Microsoft Windows Operating Systems (OSs) listed below, including both 32- and 64-bit versions and all Service Pack levels:

  • Windows 2000
  • Windows Vista
  • Windows XP
  • Windows 7
  • Windows Server 2003
  • Windows Server 2003 R2
  • Windows Server 2008
  • Windows Server 2008 R2

Organizations and users using the mentioned OSs should follow the mitigation process outlined in the ‘Mitigation Process’ section.

Mitigation Process

  1. CERTVU encourages system and network administrators and users to review the Microsoft Security Advisory [2], the US-CERT alert [4] and Microsoft’s Customer Guidance for CVE-2019-0708 [3], and to apply the applicable mitigation measures as soon as possible:

    1. Install available patches. Microsoft has released security updates that fix this vulnerability, including patches for several Operating Systems (OSs) that are no longer officially supported: Windows Vista, Windows XP and Windows Server 2003. As always, CERTVU encourages users and administrators to test patches before deploying them.
    2. Best practice advice. For OSs that have no published patch, and for systems that cannot be patched yet, the following steps reduce exposure to BlueKeep and the likelihood of becoming a victim:
      1. Upgrade end-of-life (EOL) Operating Systems. Move any OS no longer supported by Microsoft to a newer, supported version such as Windows 10.
      2. Disable unnecessary services. If a system does not need Remote Desktop, disable the Remote Desktop Services service; more generally, disable any service that is not in use, since every listening service is attack surface that can carry a vulnerability.
      3. Enable Network Level Authentication (NLA). Enable NLA on Windows 7, Windows Server 2008 and Windows Server 2008 R2. NLA forces the client to authenticate (via CredSSP) before a session is established; because BlueKeep is triggered before authentication, this blocks unauthenticated exploitation. It is only a partial mitigation: an unpatched host remains exploitable by an attacker who holds valid credentials, and clients without CredSSP support will no longer be able to connect, so NLA complements patching rather than replacing it.
      4. Block Transmission Control Protocol (TCP) port 3389 at the enterprise perimeter firewall. Port 3389 is used to initiate an RDP session, so blocking it at the perimeter prevents an attacker from reaching BlueKeep from outside the network. Note that this also blocks legitimate inbound RDP sessions, and that it does nothing to stop exploitation from a host that is already inside the network.
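The mitigation advice above rests on one fact: BlueKeep is triggered before authentication, so a listener that refuses to proceed until CredSSP (NLA) succeeds never exposes the vulnerable code to an unauthenticated client. The following Python script, added to this advisory as an illustration and not code from CERT Vanuatu, Microsoft or any of the cited references, checks that property from the network side. It sends the first message of the RDP handshake (an X.224 Connection Request carrying an RDP_NEG_REQ that asks only for legacy “standard RDP security”) and classifies the server’s Connection Confirm: a host with NLA enforced answers with RDP_NEG_FAILURE / HYBRID_REQUIRED_BY_SERVER, whereas a host that accepts legacy security, or sends no negotiation block at all, will process unauthenticated RDP PDUs and should be patched or firewalled first. The script never goes beyond the negotiation step, so it is an inventory check rather than a vulnerability test; an NLA-enforced host that is unpatched is still exploitable by anyone holding valid credentials. The embedded replies are hand-constructed samples, not captures, and the host and port given to probe_host are whatever you point it at.

```python
"""Classify an RDP listener's reply to a legacy-security connection request.

Added example for this advisory (not CERT Vanuatu's, Microsoft's or any cited
source's code). It sends only the X.224 Connection Request with an RDP_NEG_REQ
(MS-RDPBCGR 2.2.1.1) and reads the Connection Confirm (2.2.1.2); it never
authenticates and never continues into the RDP connection sequence.
"""
import socket
import struct
import sys

# requestedProtocols / selectedProtocol flags (MS-RDPBCGR 2.2.1.1.1)
PROTOCOL_RDP = 0x00000000     # legacy "standard RDP security": no NLA
PROTOCOL_SSL = 0x00000001     # TLS only: unauthenticated PDUs still processed
PROTOCOL_HYBRID = 0x00000002  # CredSSP, i.e. Network Level Authentication

TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03
FAILURE_CODES = {  # RDP_NEG_FAILURE failureCode values (MS-RDPBCGR 2.2.1.2.2)
    0x01: "SSL_REQUIRED_BY_SERVER", 0x02: "SSL_NOT_ALLOWED_BY_SERVER",
    0x03: "SSL_CERT_NOT_ON_SERVER", 0x04: "INCONSISTENT_FLAGS",
    0x05: "HYBRID_REQUIRED_BY_SERVER", 0x06: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested_protocols):
    """TPKT header + X.224 Connection Request TPDU + 8-byte RDP_NEG_REQ."""
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested_protocols)
    # CR TPDU body: code 0xE0, DST-REF, SRC-REF, class option, then RDP_NEG_REQ
    body = struct.pack(">BHHB", 0xE0, 0, 0, 0) + neg_req
    x224 = struct.pack("B", len(body)) + body            # LI = bytes after LI
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224


def parse_connection_confirm(data):
    """Return {'negotiation': 'none'|'response'|'failure', ...} for a CC packet."""
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT packet")
    if struct.unpack(">H", data[2:4])[0] != len(data):
        raise ValueError("TPKT length does not match data length")
    li, code = data[4], data[5]
    if code != 0xD0:
        raise ValueError("not an X.224 Connection Confirm (0x%02x)" % code)
    if li == 6:
        # Bare CC, no negotiation block: the server only speaks legacy RDP
        # security (typical of old XP/2003 listeners).
        return {"negotiation": "none"}
    if len(data) < 19:
        raise ValueError("truncated negotiation PDU")
    ptype, _flags, length, value = struct.unpack("<BBHI", data[11:19])
    if length != 8:
        raise ValueError("bad negotiation PDU length %d" % length)
    if ptype == TYPE_RDP_NEG_RSP:
        return {"negotiation": "response", "selected_protocol": value}
    if ptype == TYPE_RDP_NEG_FAILURE:
        return {"negotiation": "failure", "failure_code": value,
                "failure_name": FAILURE_CODES.get(value, "UNKNOWN")}
    raise ValueError("unexpected negotiation PDU type 0x%02x" % ptype)


def classify(parsed):
    """Exposure class for a probe that requested PROTOCOL_RDP only."""
    neg = parsed["negotiation"]
    if neg == "failure":
        if parsed["failure_code"] in (0x05, 0x06):
            return "nla-enforced"       # must authenticate before any RDP PDU
        if parsed["failure_code"] == 0x01:
            return "tls-only"           # encrypted, but still pre-auth reachable
        return "negotiation-failed"
    if neg == "none" or (neg == "response"
                         and parsed["selected_protocol"] == PROTOCOL_RDP):
        return "pre-auth-reachable"     # unauthenticated PDUs are processed
    return "unexpected"


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed during negotiation")
        buf += chunk
    return buf


def probe_host(host, port=3389, timeout=5.0):
    """Live check of one listener. Only probe systems you administer."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connection_request(PROTOCOL_RDP))
        header = _recv_exact(sock, 4)
        total = struct.unpack(">H", header[2:4])[0]
        data = header + _recv_exact(sock, total - 4)
    return classify(parse_connection_confirm(data))


# Constructed sample replies (hand-assembled for this example, not captures).
SAMPLE_NLA_ENFORCED = bytes.fromhex(
    "03000013"           # TPKT, total length 19
    "0ed00000123400"     # X.224 CC: LI 14, code D0, DST-REF 0, SRC-REF 0x1234, class 0
    "0300080005000000")  # RDP_NEG_FAILURE, length 8, HYBRID_REQUIRED_BY_SERVER
SAMPLE_LEGACY_RDP = bytes.fromhex(
    "03000013" "0ed00000123400"
    "0200080000000000")  # RDP_NEG_RSP selecting PROTOCOL_RDP
SAMPLE_NO_NEGOTIATION = bytes.fromhex(
    "0300000b" "06d00000123400")  # bare CC, LI 6, no negotiation block

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(sys.argv[1], probe_host(sys.argv[1]))
    else:
        for name, sample in (("nla enforced", SAMPLE_NLA_ENFORCED),
                             ("legacy rdp", SAMPLE_LEGACY_RDP),
                             ("no negotiation", SAMPLE_NO_NEGOTIATION)):
            print("%-15s -> %s" % (name, classify(parse_connection_confirm(sample))))
```

Run it with no arguments to see the three constructed replies classified, or with a host name to probe one real listener on TCP 3389. A result of “pre-auth-reachable” or “tls-only” means the listener will process RDP PDUs from anyone who can reach the port, which is exactly the condition BlueKeep needs; “nla-enforced” only tells you that unauthenticated clients are turned away, not that the patch is installed.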

How do I Stay Safe?

CERT Vanuatu recommends the following minimum precautions:

  1. Apply the Windows security patches outlined in this advisory and keep systems on current, supported versions.
  2. Report any suspected incident to CERT Vanuatu by email.
  3. Share this advisory and its precautions with users in your organization and community for awareness.
  4. For more information and further safety and awareness tips, see http://cert.gov.vu/index.php/services/online-advisories-alerts

References

  1. https://www.theguardian.com/technology/2017/may/12/nhs-ransomware-cyber-attack-what-is-wanacrypt0r-20
  2. https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708
  3. https://support.microsoft.com/en-us/help/4500705/customer-guidance-for-cve-2019-0708
  4. https://www.us-cert.gov/ncas/alerts/AA19-168A
