CVE-2019-0708 (BlueKeep) Coming soon to a computer near you
CVE-2019-0708 (BlueKeep) has the potential to disrupt industry on a scale rarely seen; according to many observers it could eclipse WannaCry.
Computer vulnerabilities are scored on the CVSS scale of 1-10. The BlueKeep (CVE-2019-0708) vulnerability scores 9.8 (almost a Bo Derek, for anyone old enough to remember this week's obscure reference), so it is deemed very serious.
The score comes from the NVD (National Vulnerability Database), which publishes ratings using CVSS (the Common Vulnerability Scoring System), a free and open industry standard for assessing the severity of computer system security vulnerabilities.
What makes this vulnerability stand out from the crowd, and what makes it so potentially damaging, is that the exploit requires no user interaction or password to enter a system. The upshot is that an attacker who successfully exploits this vulnerability would have complete access to the compromised system.
So should I be worried?
Yes, you should worry and act now: failure to act has potentially disastrous implications once an exploit is in the wild.
If your organization is running one of the listed vulnerable systems (Windows 7, Windows Server 2008 R2, Windows Server 2008, Windows 2003 or Windows XP), you need to take immediate action, as we believe this vulnerability may pose a significant risk to your computer systems.
Additionally, you may wish to disable RDP on newer systems where it has been turned on.
On 4th June 2019, another related RDP security vulnerability (CVE-2019-9510) was reported by the CERT Coordination Center at Carnegie Mellon University.
No patches for this flaw are currently available. Nonetheless, Microsoft notes that the concern is not a bug, “but a feature instead”.
This new flaw, or feature as Microsoft refers to it, may affect Windows 10 1803, Windows Server 2019 or newer systems using RDP; at present it is considered less of a problem than the BlueKeep flaw.
Our advice to all organisations is that, as a rule, disabling RDS and RDP is the best policy, unless RDP is vital to your operation, in which case you need to implement strict procedures and policies.
As an additional precaution, make sure your firewalls are set to block the ports used by RDP.
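The advice above (disable RDP where it is not vital, otherwise lock it down, and block the RDP port at the firewall) can be checked and applied on a single legacy host with the script below. It is an added example written for this page, not code from the original article or from Microsoft. It assumes the standard RDP port (TCP 3389) when the registry holds no custom port, uses a firewall rule name of our own choosing, and relies on PowerShell 2.0-era cmdlets plus netsh so that it runs on Windows 7 and Server 2008 R2. Requiring Network Level Authentication is an extra interim step Microsoft documented for this flaw; it is not on this page and it reduces rather than removes the risk on an unpatched host.

```powershell
# Added example (not code from the original article): inspect the RDP listener
# on a legacy Windows host (Windows 7 / Server 2008 R2 era) and, on request,
# harden it. Uses only PowerShell 2.0-era cmdlets plus netsh so it runs on those
# systems. Run from an elevated (Administrator) PowerShell prompt.
# Assumptions (not from the article): the firewall rule name is our own
# placeholder, and the listener port is read from the registry, defaulting to
# the standard RDP port TCP 3389 when the value is absent.

$TsKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpTcp   = "$TsKey\WinStations\RDP-Tcp"
$RuleName = 'BlueKeep-Interim-Block-RDP'   # placeholder rule name, no spaces so netsh quoting is simple

function Get-RdpState {
    # Report the current state so the weak and hardened settings can be compared.
    $ts  = Get-ItemProperty -Path $TsKey
    $tcp = Get-ItemProperty -Path $RdpTcp
    $port = 3389
    if ($tcp.PortNumber) { $port = $tcp.PortNumber }
    # netsh prints "Rule Name:" lines only when a matching rule exists.
    $rule = @(netsh advfirewall firewall show rule name=$RuleName | Select-String 'Rule Name')
    New-Object PSObject -Property @{
        RdpEnabled  = ($ts.fDenyTSConnections -eq 0)   # 0 = connections allowed (weak on an unpatched host)
        NlaRequired = ($tcp.UserAuthentication -eq 1)  # 1 = Network Level Authentication required
        Port        = $port
        PortBlocked = ($rule.Count -gt 0)              # our inbound block rule is present
    }
}

function Set-RdpHardened {
    param([switch]$DisableRdp)
    # Require NLA: an attacker then needs valid credentials before reaching the
    # pre-authentication code path used by this flaw (Microsoft lists NLA as a
    # mitigation; it reduces, but does not remove, the risk until the patch is on).
    Set-ItemProperty -Path $RdpTcp -Name UserAuthentication -Value 1 -Type DWord
    if ($DisableRdp) {
        # The article's preferred policy: turn the listener off entirely.
        Set-ItemProperty -Path $TsKey -Name fDenyTSConnections -Value 1 -Type DWord
    }
    # Block the port at the host firewall as well, as the article recommends.
    $port = (Get-RdpState).Port
    if (-not (Get-RdpState).PortBlocked) {
        netsh advfirewall firewall add rule name=$RuleName dir=in action=block protocol=TCP localport=$port | Out-Null
    }
    Get-RdpState
}

# Usage: Get-RdpState                  # report only
#        Set-RdpHardened -DisableRdp   # apply the mitigations, then report
Get-RdpState | Format-List
```

Run Get-RdpState first and keep its output as the "before" record; after Set-RdpHardened the same fields should read NlaRequired True, PortBlocked True and, with -DisableRdp, RdpEnabled False. On Windows XP and Server 2003 the advfirewall context does not exist, so the firewall step must be done with that platform's own tooling.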
Over 1 million computers vulnerable to CVE 2019-0708 (BlueKeep)
According to the initial Microsoft announcement with regard to BlueKeep, the flaw “is ‘wormable’”. In essence, any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer.
Any exploit will in all probability have learned the lessons of WannaCry, adopting a similar distribution strategy and propagating itself in the same way as the infamous malware that spread panic across the globe in 2017.
An update to the initial announcement stated “if recent reports are accurate, nearly one million computers connected directly to the internet are still vulnerable to CVE-2019-0708. Many more within corporate networks may also be vulnerable. It only takes one vulnerable computer connected to the internet to provide a potential gateway into these corporate networks, where advanced malware could spread, infecting computers across the enterprise.”
Microsoft has released an update which fixes the vulnerability and strongly advises that all affected systems should be updated as soon as possible.
We have provided frequently asked questions below; contact us if you have any further questions about this vulnerability or need assistance.
Frequently Asked Questions
What is CVE-2019-0708 (BlueKeep)?
CVE (Common Vulnerabilities and Exposures) is a list of publicly disclosed cybersecurity vulnerabilities and exposures; each entry is scored 1-10 for severity. CVE-2019-0708 is a severe vulnerability (9.8) identified by researchers in a feature called RDP found in older versions of Windows.
What is RDP?
RDP (Remote Desktop Protocol) is a standard feature, enabled by default in older versions of Windows, that allows a user to log on remotely to another Windows machine. It is commonly used to connect to servers or other workstations located remotely (either in a data centre or another office location).
Which versions of Windows are affected?
The full list of affected systems is here: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708. It includes Windows 7, Windows Server 2008 R2, Windows Server 2008, Windows 2003 and Windows XP.
How serious is this?
All vulnerabilities are scored on the CVSS scale of 1-10; this vulnerability is a 9.8 on the scale, so it is deemed very serious. BlueKeep potentially allows an exploit to enter a system without user interaction or a password. A cybercriminal who has successfully exploited this vulnerability would have complete access to the compromised system.
Is there currently an exploit for this vulnerability?
At present a number of security research companies claim to have a working exploit for this, but none of them have released it.
It has been claimed that bad actors are actively scanning for this vulnerability with a view to future exploitation. In addition the well-respected SANS institute in the US published guidance a week ago that stated “exploit development is active, and I don’t think you have more than a week.”
What does ‘wormable’ mean?
This term means that malware exploiting this vulnerability could propagate from vulnerable computer to vulnerable computer by replicating copies of itself, without the need for a host program or human interaction. A good example of a computer worm is the WannaCry malware that spread panic across the globe in 2017, infecting over 200,000 computers in a couple of days and having a significant impact on services at a number of high-profile organisations, including the UK’s NHS.
How do I check which version of Windows I am running?
You will need to audit the systems across your network to assess your exposure to this exploit; one vulnerable unpatched system is one too many, and in risk terms the chances of an active exploit increase exponentially each day.
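The audit the answer above calls for can be started with the script below, an added example written for this page rather than code from the original article or from Microsoft. For each host it reads the Windows version over WMI, flags the product families the article lists as affected, checks whether a given hotfix is installed, and reports whether RDP connections are allowed. The KB number is a placeholder: take the real identifier for each operating system from the Microsoft advisory linked above. It assumes administrator rights and WMI access to the remote hosts.

```powershell
# Added example (not code from the original article): audit a list of hosts for
# exposure to CVE-2019-0708. Reads the OS version over WMI, flags the affected
# product families named in the article, checks for a given hotfix, and reports
# whether RDP connections are allowed. Assumptions (not from the article):
# $PatchKB is a placeholder to be replaced with the advisory's KB for the OS;
# the caller has admin rights and WMI access on the remote hosts.

param(
    [string[]]$ComputerName = @('localhost'),
    [string]$PatchKB = 'KB0000000'     # placeholder: replace with the advisory's KB for the OS
)

# Major.minor version prefixes (Win32_OperatingSystem.Version) of the affected
# families named in the article. Vista shares 6.0 with Server 2008.
$Affected = @{
    '5.1' = 'Windows XP'
    '5.2' = 'Windows Server 2003'
    '6.0' = 'Windows Server 2008'
    '6.1' = 'Windows 7 / Windows Server 2008 R2'
}

function Test-BlueKeepExposure {
    param([string]$Computer)
    $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $Computer -ErrorAction Stop
    $prefix = ($os.Version -split '\.')[0..1] -join '.'
    $family = $Affected[$prefix]
    $familyText = 'not in affected list'
    if ($family) { $familyText = $family }

    # Only meaningful for affected hosts; Get-HotFix returns nothing when the KB
    # is absent, so the cast to [bool] gives False in that case.
    $patched = 'n/a'
    if ($family) {
        $patched = [bool](Get-HotFix -Id $PatchKB -ComputerName $Computer -ErrorAction SilentlyContinue)
    }

    # Win32_TerminalServiceSetting lives in root\cimv2\TerminalServices on Vista
    # and later and needs packet-privacy authentication when queried remotely.
    # Older hosts (XP / 2003) lack this namespace and are reported as 'unknown'.
    $rdp = 'unknown'
    $ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TerminalServiceSetting `
            -ComputerName $Computer -Authentication PacketPrivacy -ErrorAction SilentlyContinue
    if ($ts) { $rdp = ($ts.AllowTSConnections -eq 1) }

    New-Object PSObject -Property @{
        Computer       = $Computer
        OS             = $os.Caption
        Version        = $os.Version
        AffectedFamily = $familyText
        PatchInstalled = $patched
        RdpEnabled     = $rdp
    }
}

$results = foreach ($c in $ComputerName) {
    try   { Test-BlueKeepExposure -Computer $c }
    catch { Write-Warning "$c : $($_.Exception.Message)" }
}

# Hosts to act on first: an affected family, patch not installed, RDP enabled.
$results |
    Select-Object Computer, OS, Version, AffectedFamily, PatchInstalled, RdpEnabled |
    Format-Table -AutoSize

# Usage (script saved as Audit-BlueKeep.ps1, our own placeholder name):
#   .\Audit-BlueKeep.ps1 -ComputerName host1,host2 -PatchKB KB<from advisory>
```

Feed it the host list from your asset inventory or directory rather than a hand-typed list, since the one machine nobody remembers is the one that matters here; any host that raises a warning (WMI unreachable, wrong credentials) should be treated as unknown exposure, not as clean.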
What happens if I do not install the new security update?
If you fail to take action, at a minimum installing the new security patch, your Windows system, and eventually your entire network, is at an exponentially increasing risk of being exploited.
Make no mistake this vulnerability is the most severe type.
Once a delivery system is in the hands of cybercriminals, affected machines will provide practically unfettered access. This opens the path to a full spectrum of potential exploitative behaviour, including but not limited to theft of your data, use of your machine(s) to attack other companies, or encrypting, wiping and/or disabling your machine(s).
How do I apply the update?
Follow Microsoft’s instructions here: Microsoft Update Guidance. We strongly suggest you apply the update on a test or less critical service before rolling it out more widely.
What should I do if I have a Mac?
Mac computers are not directly affected by this particular vulnerability; of course, if your network has been compromised, they are as exposed as everything else. As ever, we would encourage you to keep all devices patched and up to date.