Time to update: Bluekeep RDP vulnerability being actively exploited




Remote code execution attacks are already affecting Microsoft’s soon to be unsupported operating systems.

BlueKeep (CVE-2019-0708) is a security vulnerability in the Remote Desktop Services component that implements Microsoft’s Remote Desktop Protocol (RDP). It can be triggered by a client that has not yet authenticated, and a successful attack gives remote code execution on the target; working exploit code for it now exists.

Microsoft reported that the exploit code is now “widely available” for use by attackers, who are targeting older versions of the operating system.

(Attackers could gain) access to all user credentials used on the RDP system.

Windows 7, Windows Server 2008 and 2008 R2, Windows Server 2003 and the older, unsupported Windows XP are at risk of the attack.

The number of vulnerable systems fell only slightly, from 805,665 in late May to 788,214 in late July, according to BitSight, which puts the share of affected systems still unpatched at 81%.

Users of Remote Desktop Services are advised to apply the patch for CVE-2019-0708 that was issued in May, and also to protect the system’s Remote Desktop Protocol “listener” so that it is not reachable by arbitrary clients.

Today, Microsoft announced two new BlueKeep-like vulnerabilities that it has patched, CVE-2019-1181 and CVE-2019-1182. Unlike the earlier vulnerability, these flaws affect Windows 10 as well. Simon Pope, Director of Incident Response at the Microsoft Security Response Center (MSRC), said:

The affected versions of Windows are Windows 7 SP1, Windows Server 2008 R2 SP1, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, and all supported versions of Windows 10, including server versions.

Organisations need to enable Network Level Authentication (NLA), which requires a client to authenticate before it reaches the vulnerable code, so that attackers without valid credentials are blocked; but according to the telemetry cited in the announcement, NLA is not enabled in most cases.

(There are) more than 400,000 endpoints (without) any form of network level authentication.

You also want to enable Network Level Authentication (NLA), which is a mitigation to prevent unauthenticated access to the RDP tunnel. NLA forces users to authenticate before connecting to remote systems, which dramatically decreases the chance of success for RDP-based worms. The DART team highly recommends you enable NLA regardless of this patch, as it mitigates a whole slew of other attacks against RDP.
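The checks the article asks for (the May fix installed, NLA required on the RDP listener, and the listener not exposed more widely than intended) can be scripted. The PowerShell below is an added example written for this page; it is not code from the article, from Microsoft or from the DART team. It uses Get-WmiObject and the registry rather than newer cmdlets so it also runs on Windows 7 and Server 2008 R2. The default KB ids in -FixKB are an assumption: they are what I expect for the May 2019 update on Windows 7 SP1 / Server 2008 R2 SP1 (security-only and monthly rollup) and on XP / Server 2003; check them against the MSRC advisory for CVE-2019-0708 and pass the right ids for other platforms.

```powershell
<#
Added example (editor's own, not code from the article, Microsoft or DART).
Audits one Windows host for the BlueKeep (CVE-2019-0708) mitigations the
article recommends and, with -EnforceNla, turns on Network Level Authentication.
Run from an elevated PowerShell prompt.
Assumption: the default -FixKB list is what I expect for the May 2019 fix on
Windows 7 SP1 / Server 2008 R2 SP1 and XP / Server 2003; verify it against the
MSRC advisory for CVE-2019-0708 and supply other ids for other platforms.
#>
[CmdletBinding()]
param(
    [string[]]$FixKB = @('KB4499175', 'KB4499164', 'KB4500331'),
    [switch]$EnforceNla
)

$tsRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$tsRoot\WinStations\RDP-Tcp"

# 1. Is one of the expected fixes installed? Get-HotFix reads Win32_QuickFixEngineering,
#    which lists installed security updates and rollups on the local machine.
function Test-BlueKeepFix {
    param([string[]]$KB)
    $found = @(Get-HotFix | Where-Object { $KB -contains $_.HotFixID } |
               ForEach-Object { $_.HotFixID })
    New-Object PSObject -Property @{ Patched = ($found.Count -gt 0); Installed = $found }
}

# 2. State of the RDP-Tcp listener: enabled at all, NLA required, which port.
#    UserAuthentication=1 is the registry form of "require NLA"; SecurityLayer 2 = TLS.
function Get-RdpListenerState {
    $deny = (Get-ItemProperty -Path $tsRoot -Name fDenyTSConnections).fDenyTSConnections
    $l = Get-ItemProperty -Path $rdpTcp
    New-Object PSObject -Property @{
        RdpEnabled    = ($deny -eq 0)
        NlaRequired   = ($l.UserAuthentication -eq 1)
        SecurityLayer = $l.SecurityLayer
        Port          = $l.PortNumber
    }
}

# 3. Which local addresses actually have a LISTENING socket on that port
#    (0.0.0.0 means every interface, including any internet-facing one).
function Get-RdpListeningAddresses {
    param([int]$Port)
    netstat -ano -p tcp | ForEach-Object {
        if ($_ -match "^\s*TCP\s+(\S+):$Port\s+\S+\s+LISTENING") { $Matches[1] }
    }
}

# 4. Require NLA through the Terminal Services WMI provider; this flips the same
#    switch as the "Allow connections only from computers ... with NLA" checkbox.
function Enable-RdpNla {
    $ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
                        -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    $rc = $ts.SetUserAuthenticationRequired(1).ReturnValue
    if ($rc -ne 0) { throw "SetUserAuthenticationRequired failed with code $rc" }
}

$fix   = Test-BlueKeepFix -KB $FixKB
$state = Get-RdpListenerState
$addrs = @(Get-RdpListeningAddresses -Port $state.Port)

Write-Host ("Fix installed : {0}  ({1})" -f $fix.Patched, ($fix.Installed -join ', '))
Write-Host ("RDP enabled   : {0}" -f $state.RdpEnabled)
Write-Host ("NLA required  : {0}  (SecurityLayer={1})" -f $state.NlaRequired, $state.SecurityLayer)
Write-Host ("Listening on  : {0}" -f $(if ($addrs) { $addrs -join ', ' } else { 'nothing' }))

if ($state.RdpEnabled -and -not $state.NlaRequired) {
    if ($EnforceNla) {
        Enable-RdpNla
        Write-Host 'NLA is now required for new RDP connections.'
    } else {
        Write-Warning 'RDP is reachable without NLA: an unauthenticated client can reach the vulnerable code. Re-run with -EnforceNla.'
    }
}
if ($state.RdpEnabled -and -not $fix.Patched) {
    Write-Warning 'No expected fix for CVE-2019-0708 found: install the May 2019 update. NLA only keeps out attackers without credentials; it does not remove the bug.'
}
```

Run it once per host (or through your management tooling) and treat any warning as an open finding. The two warnings are deliberately separate: NLA stops the unauthenticated attacker the article describes, but a user with valid credentials can still reach the flaw, so the patch is the fix and NLA is the mitigation, not the other way round.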

If you’re still running Windows 7, it’s essential to install the update that’s available.  The current malware is only a taste of what’s to come once Windows 7 is no longer supported and Microsoft is no longer delivering patches for this widely used operating system.  The best patch would, therefore, be to upgrade to Windows 10, which is continuously supported.

Source: rcpmag, via: zdnet
