News

U.S. National Security Agency Issues Advisory on 'BlueKeep' Windows RDS Flaw

• By Kurt Mackie
• 06/04/2019

• Related: CISA Rings a BlueKeep Alarm

The U.S. National Security Agency (NSA) issued an advisory on Tuesday urging individuals and organizations to install Microsoft's May security patches.

The agency, which conducts electronic surveillance, cited Microsoft's May 14 warning about a "wormable" software vulnerability (CVE-2019-0708) in Microsoft's Remote Desktop Services (RDS). Security researchers have given this vulnerability the nickname "BlueKeep." The NSA suggested that it's "likely only a matter of time before remote exploitation code is widely available" to attackers.

The vulnerability could enable remote code execution attacks on older Windows systems, including Windows 7, Windows Server 2008 and Windows Server 2008 R2. Microsoft also issued patches for unsupported Windows XP and Windows 2003 systems, which can be downloaded from Microsoft support article KB4500705.

So far, researchers testing exploits for CVE-2019-0708 have managed to elicit blue screen lockups on systems, according to a Twitter summary compiled by security researcher Kevin Beaumont. However, he noted that McAfee was able to execute code remotely on a system in a proof-of-concept demonstration.

Microsoft's May patches provide protection against potential exploits, which haven't been described as being in the hands of attackers as yet. However, other measures also can be taken, as described by the NSA, echoing Microsoft's advice. For instance, it's possible to disable RDS, used for remote device network connections, if it's not needed. Also, Network Level Authentication can be turned on, which will block unauthenticated attackers. It's also possible to block the system's TCP port 3389 at the firewall, which is used by the Remote Desktop Protocol (RDP).

However, blocking TCP port 3389 doesn't prevent internal attacks, per Microsoft's security bulletin description:

Blocking the affected ports at the enterprise perimeter is the best defense to help avoid Internet-based attacks. However, systems could still be vulnerable to attacks from within their enterprise perimeter.

Worms and Irony
Without irony, the NSA described wormable software vulnerabilities, like CVE-2019-0708, as being particularly dire:

Microsoft has warned that this flaw is potentially "wormable," meaning it could spread without user interaction across the internet. We have seen devastating computer worms inflict damage on unpatched systems with wide-ranging impact, and are seeking to motivate increased protections against this flaw.

The NSA's advisory didn't elaborate, but CVE-2019-0708 has been compared as being potentially damaging as "WannaCry," a piece of wormable wiper malware, disguised as ransomware, that destroyed data on computers around the world. WannaCry used the leaked NSA attack tool called "EternalBlue," which had exploited a Windows Server Message Block 1 vulnerability.

A recent New York Times article noted that the city of Baltimore has been dealing with an EternalBlue-based ransomware attack over the past three weeks, disabling thousands of the city's computers. The attackers did so, ironically, using EternalBlue, which was "developed at taxpayer expense a short drive down the Baltimore-Washington Parkway at the National Security Agency, according to security experts briefed on the case," the Times story noted.

Update 7/27: An undated FAQ published by city of Baltimore debunked the New York Times story, stating that "the independent forensic investigators assisting us in investigating this incident have found no evidence that EternalBlue was involved in the ransomware attack."

RDP Locked PC Flaw
In related Windows security news, the U.S. Computer Emergency Readiness Team (CERT) issued a vulnerability note on Tuesday regarding a security issue associated with using RDP. There's a possible security bypass that can occur when a user locks the PC's screen, perhaps because they have temporarily suspended an RDP session. If a "network anomaly" gets triggered, then "upon automatic reconnection the RDP session will be restored to an unlocked state," the U.S. CERT vulnerability note explained.

This vulnerability is associated with Windows 10 version 1803 and newer client operating systems, as well as Windows Server 2019. It even affects systems that have two-factor authentication protections in place, such as systems using Duo Security.

There's no available solution for this vulnerability, but U.S. CERT advises end users to "be sure to lock the local system as opposed to the remote system" as a security precaution. Alternatively, users can just disconnect their RDP sessions when done rather than locking the system.

Will Dormann, a vulnerability analyst with CERT/CC who wrote the vulnerability note, noted in a Twitter post that Microsoft isn't planning to provide a software fix for this issue.

"Microsoft doesn't plan to change this behavior, so do not use the "Lock" feature over RDP," Dormann wrote. "Log out when done or away!"