Endpoint Security , Governance & Risk Management , Open XDR

DHS Is Latest to Warn of BlueKeep Vulnerability

Agency Says It Tested Remote Code Execution Exploit
DHS Is Latest to Warn of BlueKeep Vulnerability

The U.S. Department of Homeland Security has tested a remote code execution exploit using the so-called BlueKeep vulnerability found in older versions of Microsoft Windows, prompting it to warn that IT and security teams should immediately patch devices running these operating systems.

See Also: Cyber Hygiene and Asset Management Perception vs. Reality

DHS’s Cybersecurity and Infrastructure Security Agency issued the warning Monday based on its testing, adding that the vulnerability can also affect unpatched versions of Windows 2000, and not just Windows XP, Windows 7, Windows 2003 and Windows Server 2008, as originally reported.

In recent weeks, Microsoft has issued a security patch plus two warnings concerning BlueKeep, a vulnerability in the company's Remote Desktop Protocol service that could enable attackers to use a worm-like exploit to take over devices running unpatched older Windows operating systems (see: Microsoft Sounds Second Alarm Over BlueKeep Vulnerability).

Newer versions of the operating system, including Windows 8 and Windows 10, are not affected.

Customers using older versions of Windows, especially one as old as Windows 2000, should apply the patches the company provides or simply upgrade to a newer operation system, a Microsoft spokesperson tells Information Security Media Group.

"We released an update to address this on May 14, 2019, and recommend customers using older operating systems update to the latest version of Windows or apply the update as soon as possible," the spokesperson says.

Remote Code Execution

Since Microsoft issued its first warning on May 14 about BlueKeep, which is designated CVE-2019-0708, several security companies and independent researchers have acknowledged that they have developed proof-of-concept exploits using the vulnerability (see: Researcher Posts Demo of BlueKeep Exploit of Windows Device).

So far, none of these exploits have been published, because there could be as many as 1 million vulnerable Windows devices throughout the world.

What makes the DHS warning unique is that researchers demonstrated a remote code execution exploit, meaning that an attacker could deliver malware to an affected PC or server. In that case, the BlueKeep vulnerability would open the door to an attack reminiscent of the WannaCry and NotPetya ransomware incidents of 2017.

Because the BlueKeep vulnerability does not require user interaction, an exploit could spread malware from one vulnerable device to another within a network in the same way that the WannaCry ransomware was "wormable."

With this in mind, some researchers have compared BlueKeep to EternalBlue, the vulnerability that opened the door to WannaCry two years ago.

"After successfully sending the packets, the attacker would have the ability to perform a number of actions: adding accounts with full user rights; viewing, changing, or deleting data; or installing programs," according to the new DHS warning. "This exploit, which requires no user interaction, must occur before authentication to be successful."

While it's not clear how many systems could still be running Windows 2000, the fact that Homeland Security researchers found the flaw in that version of Windows prompted some security researchers to warn about the expanding vulnerability.

Warning to Patch

This week's DHS alert is the fourth warning about BlueKeep, which indicates that government agencies and private businesses are growing more concerned that attackers are looking to exploit this particular vulnerability.

In addition to the two alerts from Microsoft and the DHS warning, the U.S. National Security Agency also took the unusual step of alerting the public. In addition to patching, other steps businesses can take to keep their networks safe, the government agencies say, include:

  • Block TCP Port 3389 at the firewall, because the port is used by the Remote Desktop Protocol and attackers could use an open port to establish a connection to the network;
  • Enable network-level authentication because an attacker would need valid credentials to perform remote code authentication;
  • Disable Remote Desktop Services if these tools are not being used.

About the Author

Scott Ferguson

Scott Ferguson

Former Managing Editor, GovInfoSecurity, ISMG

Ferguson was the managing editor for the GovInfoSecurity.com media website at Information Security Media Group. Before joining ISMG, he was editor-in-chief at eWEEK and director of audience development for InformationWeek. He's also written and edited for Light Reading, Security Now, Enterprise Cloud News, TU-Automotive, Dice Insights and DevOps.com.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.