It has been nine days since Microsoft patched the high-severity vulnerability known as BlueKeep, and yet the dire advisories about its potential to sow worldwide disruptions keep coming.
Until recently, there was little independent corroboration that exploits could spread virally from computer to computer in a way not seen since theWannaCryand NotPetya worms shut down computers worldwide in 2017. Some researchers felt Microsoft has been unusually tight-lipped with partners about this vulnerability, possibly out of concern that any details, despite everyone’s best efforts, might hasten the spread of working exploit code.Until recently, researchers had to take Microsoft's word the vulnerability was severe. Then five researchers from security firm McAfee reported last Tuesday that they were able to exploit the vulnerability and gain remote code execution without any end-user interaction. The post affirmed that CVE-2019-0708, as the vulnerability is indexed, is every bit as critical as Microsoft said it was.
“There is a gray area to responsible disclosure,” the researchers wrote. “With our investigation we can confirm that the exploit is working and that it is possible to remotely execute code on a vulnerable system without authentication."
Only a matter of time
Wednesday saw two more posts about BlueKeep. One from security firm ESET was succinctly headlined, "Patch now! Why the BlueKeep vulnerability is a big deal." In it, ESET Security Evangelist Ondrej Kubovič wrote: “Right now, it is only a matter of time until someone publishes a working exploit or a malware author starts selling one on the underground markets. Should that happen, it will probably become very popular among less skilled cybercriminals and also a lucrative asset for its originator.”
The vulnerability resides in Microsoft’s proprietary Remote Desktop Protocol, which provides a graphical interface for connecting to another computer over the Internet. Exploiting the vulnerability—which is present in older versions of Windows but not the much better secured Windows 8 and 10—requires only that an attacker send specific packets to a vulnerable RDP-enabled computer. In a testament to the severity, Microsoft took the highly unusual step of issuing patches for Windows 2003, XP, and Vista, which haven’t been supported in four, five, and seven years, respectively.
In a separate post published Wednesday, security organization SANS continued the drum beat of dire warnings.
“Being vulnerable exposes two fundamental weaknesses in your network: You are still running Windows 7 (or XP??), and you are exposing RDP,” SANS Dean of Research Johannes B. Ullrich wrote. “Neither is good, and both issues need to be addressed. With this focus on RDP, there is a good chance that additional vulnerabilities will be found in the next few months. If this is true, then fire drills will continue until you can get these two issues resolved.”
Starting in May 2017, WannaCry and another worm calledNotPetyathat spread a month later shut down computers around the world, leading to hospitals turning away patients, train stations not functioning normally, and international shippers suffering major disruptions.A key to both worms’ spread was the exploitation of a vulnerability in older versions of Windows. Attackers had a head start in exploiting the flaws. A month after Microsoft quietly patched the holes, highly reliable exploit code developed by and later stolen from the National Security Agency was published by a still-unknown group calling itself the Shadow Brokers. Almost immediately afterward, the so-called "Eternal Blue" code was repurposed in real-world attacks.
About the only thing keeping BlueKeep from being used for similar real-word attacks right now is the lack of reliable exploit code—and that is likely to change.
“It does appear non-trivial to develop a reliable remote code execution exploit for this vulnerability, which will hopefully get us a few more days until one is publicly available,” SANS’ Ullrich wrote. “However, exploit development is active, and I don't think you have more than a week.”
Craig Dods, a senior engineer at network equipment provider Juniper, said Microsoft partners have scrambled to develop defenses even as Microsoft declined to provide as many technical details as they would have liked. In a message, he wrote:
"I'm sure there are non-zero risks associated with sharing technical details with security partners,” he wrote. “It's possible that information could leak out in some form or fashion, reducing the amount of time customers have to patch. But on the flip-side, having security vendors be left in the dark is also not a great solution. We're left collectively scrambling to reverse a set of patches, effectively in a race against people who are going to take advantage of it for monetary or political gain."
The concern, Dods and other security experts said, is compounded by the use of vulnerable versions of Windows in some of the most mission-critical of environments. They include hospitals, factories, and other industrial settings, where patching is complicated by governmental compliance requirements or 24/7 operating schedules.
“It's going to be a massive issue, particularly for ICS-style networks, for years to come,” Dods said, referring to industrial control systems.
He warned that the vulnerability might in some cases be exploited even when affected RDP services are secured with Network Level Authentication, which requires a machine to provide a password before connecting to another computer. In the event attackers obtained the credentials—as often happens during days or weeks of network surveillance preceding ransomware attacks—vulnerable RDP services exposed to the Internet would be wide open.
Seriously—patch now
All of the posts stress that the most effective protection is for vulnerable systems to receive the patch Microsoft issued earlier this month. Disabling RDP can also be effective. When RDP is required, it should be enabled only on machines that truly need it and available only over local networks or with the use of a robust virtual private network. Intrusion detection signatures from NCC Group and Snort rules from Cisco for this vulnerability are available here and here, respectively. Ullrich has provided exploit packet captures here.
While the remedies may be difficult and costly for many organizations to implement, consensus is emerging that the consequences of taking no action could easily be much worse. One of the early warnings came five days ago when a security researcher took to Twitter to issue a blunt assessment of the destruction that’s possible.
“I get the CVE-2019-0708 exploit working with my own programmed POC (a very real dangerous POC),” the researcher wrote. “This exploit is very dangerous. For this reason i don´t will said TO ANYBODY OR ANY ENTERPRISE nothing about it. You are free of believe me or not,i dont cared [sic].”