CERT mailing list archives

AA19-168A: Microsoft Operating Systems BlueKeep Vulnerability


From: "US-CERT" <US-CERT () ncas us-cert gov>
Date: Mon, 17 Jun 2019 09:40:10 -0500


National Cyber Awareness System:

AA19-168A: Microsoft Operating Systems BlueKeep Vulnerability [ https://www.us-cert.gov/ncas/alerts/AA19-168A ] 
06/17/2019 09:37 AM EDT 
Original release date: June 17, 2019

Summary

The Cybersecurity and Infrastructure Security Agency (CISA) is issuing this Activity Alert to provide information on a 
vulnerability, known as BlueKeep, that exists in the following Microsoft Windows Operating Systems (OSs), including 
both 32- and 64-bit versions, as well as all Service Pack versions:


  * Windows 2000 
  * Windows Vista 
  * Windows XP 
  * Windows 7 
  * Windows Server 2003 
  * Windows Server 2003 R2 
  * Windows Server 2008 
  * Windows Server 2008 R2 

An attacker can exploit this vulnerability to take control of an affected system.  

Technical Details

BlueKeep (CVE-2019-0708) exists within the Remote Desktop Protocol (RDP) used by the Microsoft Windows OSs listed 
above. An attacker can exploit this vulnerability to perform remote code execution on an unprotected system.

According to Microsoft, an attacker can send specially crafted packets to one of these operating systems that has RDP 
enabled.[1] [ https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708 ] After successfully 
sending the packets, the attacker would have the ability to perform a number of actions: adding accounts with full user 
rights; viewing, changing, or deleting data; or installing programs. Exploitation requires no user interaction and 
takes place before authentication, which is why an unauthenticated session is all the attacker needs.

BlueKeep is considered wormable because malware exploiting this vulnerability on a system could propagate to other 
vulnerable systems; thus, a BlueKeep exploit would be capable of rapidly spreading in a fashion similar to the WannaCry 
malware attacks of 2017.[2] 
[ https://www.whitehouse.gov/briefings-statements/press-briefing-on-the-attribution-of-the-wannacry-malware-attack-to-north-korea-121917/ ]

CISA tested BlueKeep against a Windows 2000 machine and achieved remote code execution. Windows OS versions prior to 
Windows 8 that are not mentioned in this Activity Alert may also be affected; however, CISA has not tested these 
systems. 

Mitigations

CISA encourages users and administrators to review the Microsoft Security Advisory [3] 
[ https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708 ] and the Microsoft Customer Guidance 
for CVE-2019-0708 [4] [ https://support.microsoft.com/en-us/help/4500705/customer-guidance-for-cve-2019-0708 ] and 
apply the appropriate mitigation measures as soon as possible:


  * *Install available patches.* Microsoft has released security updates to patch this vulnerability. Microsoft has 
also released patches for a number of OSs that are no longer officially supported, including Windows Vista, Windows XP, 
and Windows Server 2003. As always, CISA encourages users and administrators to test patches before installation. 
  * *Upgrade end-of-life (EOL) OSs.* Consider upgrading any EOL OSs no longer supported by Microsoft to a newer, 
supported OS, such as Windows 10. 
  * *Disable unnecessary services.* Disable services not being used by the OS. This best practice limits exposure to 
vulnerabilities.  
  * *Enable Network Level Authentication.* Enable Network Level Authentication (NLA) in Windows 7, Windows Server 2008, 
and Windows Server 2008 R2. Doing so forces a session request to be authenticated before a session is created and 
effectively mitigates BlueKeep, as exploiting the vulnerability requires an unauthenticated session. 
  * *Block Transmission Control Protocol (TCP) port 3389 at the enterprise perimeter firewall.* Because port 3389 is 
used to initiate an RDP session, blocking it prevents an attacker from exploiting BlueKeep from outside the user's 
network. However, this will also block legitimate RDP sessions from outside, and it does not prevent unauthenticated 
sessions from being initiated inside the network. 
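As an added example (not code from the CISA alert or from Microsoft), the PowerShell script below audits one Windows 7 / Server 2008 / 2008 R2 host for the state the mitigations above depend on: whether Remote Desktop is enabled, whether NLA is required on the RDP-Tcp listener, and whether anything is listening on TCP 3389; with -EnforceNla it switches NLA on. It assumes the standard Terminal Server registry key, the Win32_TSGeneralSetting WMI class, and English-locale netstat output, and it does not check whether the Microsoft patch is installed.

```powershell
# Added example: audit (and optionally enforce) the NLA mitigation on one host.
# Run in an elevated PowerShell session; written to work on PowerShell 2.0 (Windows 7 default).
[CmdletBinding()]
param(
    [switch]$EnforceNla    # without this switch the script only reports
)

# Every OS in the alert's list reports a kernel version below 6.2 (Windows 8).
$os = [Environment]::OSVersion.Version
$inScope = ($os.Major -lt 6) -or ($os.Major -eq 6 -and $os.Minor -le 1)

# fDenyTSConnections = 1 means Remote Desktop is switched off on this host (assumed standard key).
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$deny  = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
$rdpEnabled = ($deny -eq 0)

# Win32_TSGeneralSetting exposes the NLA flag of the RDP-Tcp listener on Windows 7 / 2008 / 2008 R2.
# Windows 2000/XP/2003 predate NLA and return nothing here; they rely on patching or port blocking.
$ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
        -Filter "TerminalName='RDP-Tcp'" -ErrorAction SilentlyContinue
$nlaRequired = if ($ts) { [bool]$ts.UserAuthenticationRequired } else { $false }

# Is anything listening on TCP 3389? (assumes English netstat output)
$listening = [bool](netstat -ano -p tcp | Select-String -Pattern ':3389\s+\S+\s+LISTENING')

if ($EnforceNla -and $ts -and -not $nlaRequired) {
    # The alert's fourth mitigation: require authentication before a session is created.
    $rc = $ts.SetUserAuthenticationRequired(1).ReturnValue
    if ($rc -eq 0) { $nlaRequired = $true } else { Write-Warning "SetUserAuthenticationRequired failed: $rc" }
}

# The NLA mitigation is missing only when the host is in scope, RDP is on and NLA is not enforced.
# Patch status is not checked here, so an unmitigated host may still be patched.
$unmitigated = $inScope -and $rdpEnabled -and -not $nlaRequired

New-Object PSObject -Property @{
    Host              = $env:COMPUTERNAME
    OSVersion         = $os.ToString()
    InAlertScope      = $inScope
    RdpEnabled        = $rdpEnabled
    ListeningOn3389   = $listening
    NlaRequired       = $nlaRequired
    NlaMitigationMissing = $unmitigated
}
```

Hosts that report NlaMitigationMissing = True should be patched first; the port-3389 block at the perimeter still applies to every host, since NLA only covers the Windows 7 / 2008 / 2008 R2 systems.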

References

  * [1] Microsoft Security Advisory for CVE-2019-0708 
[ https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708 ] 
  * [2] White House Press Briefing on the Attribution of the WannaCry Malware Attack to North Korea 
[ https://www.whitehouse.gov/briefings-statements/press-briefing-on-the-attribution-of-the-wannacry-malware-attack-to-north-korea-121917/ ] 
  * [3] Microsoft Security Advisory for CVE-2019-0708 
[ https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708 ] 
  * [4] Microsoft Customer Guidance for CVE-2019-0708 
[ https://support.microsoft.com/en-us/help/4500705/customer-guidance-for-cve-2019-0708 ] 

Revisions

  * June 17, 2019: Initial version 
________________________________________________________________________

This product is provided subject to this Notification [ http://www.us-cert.gov/privacy/notification ] and this Privacy 
& Use [ http://www.us-cert.gov/privacy/ ] policy.
