Pierluigi Paganini June 05, 2019

The National Security Agency (NSA) is urging Windows users and administrators to install security updates to address BlueKeep flaw (aka CVE-2019-0708).

Last week Microsoft issued a second security advisory to warn users of older Windows OS versions to update their systems in order to patch the remote code execution vulnerability dubbed BlueKeep.

Now the National Security Agency (NSA) is also urging Windows users and administrators to install security updates to address BlueKeep flaw (aka CVE-2019-0708).

The vulnerability, tracked as CVE-2019-0708, impacts the Windows Remote Desktop Services (RDS) and was addressed by Microsoft with May 2019 Patch Tuesday updates. BlueKeep is a wormable flaw that can be exploited by malware authors to create malicious code with WannaCry capabilities.

As explained by Microsoft, this vulnerability could be exploited by malware with wormable capabilities, it could be exploited without user interaction, making it possible for malware to spread in an uncontrolled way into the target networks.

Many security experts have already developed their own exploit code for this issue without publicly disclosing it for obvious reasons.

Microsoft has released patches for Windows 7, Server 2008, XP and Server 2003. Windows 7 and Server 2008 users can prevent unauthenticated attacks by enabling Network Level Authentication (NLA), and the threat can also be mitigated by blocking TCP port 3389.

Security experts believe it is a matter of time before threat actors will start exploiting it in the wild. A few hours ago, the esecurity researcher Zǝɹosum0x0 announced to have has developed a module for the popular Metasploit penetration testing framework to exploit the critical BlueKeep flaw.

The Metasploit module could be used to trigger the BlueKeep flaw on vulnerable Windows XP, 7, and Server 2008, but the expert has not publicly disclosed it to avoid threat actors abusing it.

The National Security Agency is urging Microsoft Windows administrators and users to ensure they are using a patched and updated system in the face of growing threats. Recent warnings by Microsoft stressed the importance of installing patches to address a protocol vulnerability in older versions of Windows ” reads the NSA’s advisory.

“This is the type of vulnerability that malicious cyber actors frequently exploit through the use of software code that specifically targets the vulnerability. For example, the vulnerability could be exploited to conduct denial of service attacks. It is likely only a matter of time before remote exploitation code is widely available for this vulnerability. NSA is concerned that malicious cyber actors will use the vulnerability in ransomware and exploit kits containing other known exploits, increasing capabilities against other unpatched systems.

NSA urges everyone to invest the time and resources to know your network and run supported operating systems with the latest patches.”

In addition to installing the patches from Microsoft, Windows users can mitigate attacks:

• Block TCP Port 3389 at your firewalls, especially any perimeter firewalls exposed to the internet. This port is used in RDP protocol and will block attempts to establish a connection.
• Enable Network Level Authentication. This security improvement requires attackers to have valid credentials to perform remote code authentication.
• Disable remote Desktop Services if they are not required. Disabling unused and unneeded services helps reduce exposure to security vulnerabilities overall and is a best practice even without the BlueKeep threat.

Pierluigi Paganini

(SecurityAffairs – BlueKeep, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]