Summary
The Cybersecurity and Infrastructure Security Agency (CISA) is issuing this activity alert to provide information about a vulnerability, known as “BlueKeep,” that exists in the following Microsoft Windows operating systems (OS), including 32- and 64-bit versions, as well as all service pack versions:
- Windows 2000
- Windows Vista
- Windows XP
- Windows 7
- Windows Server 2003
- Windows Server 2003 R2
- Windows Server 2008
- Windows Server 2008 R2
An attacker can exploit this vulnerability to take control of an affected system.
Technical details
BlueKeep (CVE-2019-0708) exists in the Remote Desktop Protocol (RDP) used by the Microsoft Windows operating systems listed above. An attacker can exploit this vulnerability to execute code remotely on an unprotected system.
According to Microsoft, an attacker can send specially crafted packets to one of these operating systems that has RDP enabled.[1] After successfully sending the packets, the attacker would have the opportunity to perform a number of actions: add accounts with full user rights; view, modify, or delete data; or install programs. This exploit requires no user interaction and takes place before authentication succeeds, so the attacker does not need valid credentials.
BlueKeep is considered “wormable” because malware exploiting this vulnerability on one system could spread to other vulnerable systems; thus, a BlueKeep exploit would be able to spread rapidly in a manner similar to the WannaCry malware attacks of 2017.[2]
CISA has coordinated with external stakeholders and determined that Windows 2000 is vulnerable to BlueKeep.
Mitigations
CISA encourages users and administrators to review the Microsoft security advisory [1] and Microsoft Customer Guide for CVE-2019-0708 [3] and apply appropriate mitigation measures as quickly as possible:
- Install the available patches. Microsoft has released security updates to address this vulnerability. Microsoft has also released fixes for a number of operating systems that are no longer officially supported, including Windows Vista, Windows XP, and Windows Server 2003. As always, CISA encourages users and administrators to test fixes before installation.
For operating systems that are not patched or systems that cannot be patched, other mitigations can be used to help protect against BlueKeep:
- Upgrade end-of-life (EOL) operating systems. Consider upgrading any EOL operating system that is no longer supported by Microsoft to a newer, supported operating system, such as Windows 10.
- Disable unnecessary services. Disable services not used by the operating system. This good practice limits exposure to vulnerabilities.
- Enable network-level authentication. Enable network-level authentication in Windows 7, Windows Server 2008, and Windows Server 2008 R2. This forces authentication of a session request and effectively mitigates BlueKeep, as exploiting the vulnerability requires an unauthenticated session.
- Block Transmission Control Protocol (TCP) port 3389 at the enterprise perimeter firewall. Since port 3389 is used to initiate an RDP session, blocking it prevents an attacker from exploiting BlueKeep from outside the user’s network. However, this will block legitimate RDP sessions and may not prevent unauthenticated sessions from being launched within a network.
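The following PowerShell script is an added example, not part of the CISA alert or any Microsoft guidance; it audits a single Windows 7 / Server 2008 / Server 2008 R2 host against the mitigations listed above (Remote Desktop enabled, network-level authentication required, TCP 3389 listening, fix installed) and can optionally enforce NLA. It assumes it is run in an elevated session, reads the standard Terminal Server registry keys, and uses a placeholder for the KB identifier because the alert does not list the update numbers; replace it with the IDs from Microsoft's customer guidance for CVE-2019-0708 [3]. The script name used in the usage note is hypothetical.

```powershell
# Added example (not from the CISA alert): audit a host for the BlueKeep
# (CVE-2019-0708) mitigations and optionally require NLA.
# Assumptions: elevated session on Windows 7 / Server 2008 / Server 2008 R2
# (PowerShell 2.0 compatible). $PatchKbIds is a PLACEHOLDER list; fill it
# from Microsoft's customer guidance for CVE-2019-0708.
param(
    [switch]$EnforceNla,
    [string[]]$PatchKbIds = @('KB<placeholder-from-MS-guidance>')
)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

$os = Get-WmiObject Win32_OperatingSystem
Write-Host ("OS: {0} ({1})" -f $os.Caption, $os.OSArchitecture)

# 1. Is Remote Desktop enabled? fDenyTSConnections = 1 means RDP is off.
$rdpEnabled = (Get-ItemProperty $tsKey).fDenyTSConnections -eq 0
Write-Host ("Remote Desktop enabled: {0}" -f $rdpEnabled)

# 2. Is network-level authentication required? UserAuthentication = 1 means yes.
$nla = (Get-ItemProperty $rdpKey).UserAuthentication -eq 1
Write-Host ("NLA required: {0}" -f $nla)

# 3. Is anything listening on TCP 3389 (the default RDP port)?
$listening = netstat -ano | Select-String ':3389\s+\S+\s+LISTENING'
Write-Host ("Listening on TCP/3389: {0}" -f [bool]$listening)

# 4. Is one of the BlueKeep updates installed? Get-HotFix returns nothing
#    for an absent KB when errors are suppressed.
$patched = $false
foreach ($kb in $PatchKbIds) {
    if (Get-HotFix -Id $kb -ErrorAction SilentlyContinue) { $patched = $true }
}
Write-Host ("BlueKeep update present: {0}" -f $patched)

# Exposure summary: an unauthenticated RDP listener on an unpatched host is
# exactly the condition the alert describes.
if ($rdpEnabled -and -not $nla -and -not $patched) {
    Write-Warning 'Host exposes unauthenticated RDP and lacks the CVE-2019-0708 fix.'
}

# Optional interim mitigation from the alert: require NLA so that a session
# request must authenticate before the vulnerable code path is reached.
if ($EnforceNla -and -not $nla) {
    Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1 -Type DWord
    Write-Host 'NLA now required for new RDP sessions.'
}
```

Run it as `.\Check-BlueKeep.ps1` to audit only, or `.\Check-BlueKeep.ps1 -EnforceNla` to also set the NLA flag. Note that NLA is a host-side control; blocking TCP 3389 at the perimeter, the other mitigation in the alert, is configured on the firewall and cannot be verified from the endpoint itself.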
Revisions
June 17, 2019: Initial release
June 17, 2019: Revised technical details section.