The United States National Security Agency issued a rare advisory urging enterprises and individuals to install the update addressing the BlueKeep vulnerability (CVE-2019-0708) on Windows systems as soon as possible.
The vulnerability, which lets an unauthenticated attacker achieve remote code execution through Microsoft's Remote Desktop Services on older Windows systems, is potentially "wormable," Microsoft warned on May 14 when it released the update. This means malware targeting the vulnerability could propagate itself from machine to machine without any user interaction, spreading rapidly within and across vulnerable networks much as WannaCry did.
“We have seen devastating computer worms inflict damage on unpatched systems with wide-ranging impact, and are seeking to motivate increased protections against this flaw,” the NSA said.
The potential for damage is serious enough that Microsoft prepared updates for Windows XP and Windows Server 2003, even though those operating systems reached end-of-life several years ago. Systems running Windows 7, Windows Server 2008, and Windows Server 2008 R2 are also vulnerable and need to be patched.
“It is likely only a matter of time before remote exploitation code is widely available for this vulnerability,” the NSA warned. “NSA is concerned that malicious cyber-actors will use the vulnerability in ransomware and exploit kits containing other known exploits, increasing capabilities against other unpatched systems.”
The attack surface is large. Errata Security's Robert Graham estimated that approximately 1 million Windows machines reachable from the internet may be vulnerable to BlueKeep. Much of the attention has gone to the Windows XP systems that stubbornly persist, but Windows 7 is still supported and accounts for a significant share of PCs worldwide. The latest figures from web analytics vendor Net Applications indicate that Windows 7 accounts for 35 percent of all PCs and 40 percent of Windows systems, ComputerWorld reported. By comparison, Windows XP accounts for just 2.2 percent of all PCs and 2.5 percent of Windows machines.
“Potentially millions of machines are still vulnerable,” the NSA said in the advisory.
The attack isn't limited to systems directly reachable from the internet. Machines inside the enterprise network that are not exposed to the internet but have Remote Desktop Services enabled are just as vulnerable, and because the flaw is wormable, a single compromised host can become the starting point for an infection that spreads across the entire network.
“It only takes one vulnerable computer connected to the internet to provide a potential gateway into these corporate networks, where advanced malware could spread, infecting computers across the enterprise,” Microsoft warned.
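Finding the internal hosts that answer on the Remote Desktop port is the first step in knowing how much of the network the worm scenario above applies to. The following PowerShell sweep is an added example, not code from the article, Microsoft or the NSA; the 10.0.0.0/24 range, the 300 ms connect timeout and the CSV path are placeholder assumptions to adjust for your own environment. It only tests whether TCP 3389 accepts a connection; it does not test for the vulnerability itself, so a host that shows up here still needs its patch level checked.

```powershell
# Added example (not from the article): sweep a subnet for hosts accepting
# connections on TCP/3389 and write an inventory for follow-up patching.
# Assumptions: the 10.0.0.0/24 range, 300 ms timeout and output path are
# placeholders; run from a host that can reach the subnet.

$subnetPrefix  = '10.0.0'          # placeholder: the /24 to sweep
$timeoutMs     = 300               # placeholder: per-host connect timeout
$outputCsv     = "$env:TEMP\rdp-inventory.csv"   # placeholder output path

function Test-RdpPort {
    param([string]$IpAddress, [int]$TimeoutMs)

    # Non-blocking connect so an unreachable host does not stall the sweep
    # for the full TCP timeout.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $handle    = $client.BeginConnect($IpAddress, 3389, $null, $null)
        $completed = $handle.AsyncWaitHandle.WaitOne($TimeoutMs, $false)
        if ($completed -and $client.Connected) {
            $client.EndConnect($handle)
            return $true
        }
        return $false
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$inventory = foreach ($hostByte in 1..254) {
    $ip = "$subnetPrefix.$hostByte"
    if (-not (Test-RdpPort -IpAddress $ip -TimeoutMs $timeoutMs)) { continue }

    # Reverse lookup is best effort; many lab/legacy hosts have no PTR record.
    $name = try { [System.Net.Dns]::GetHostEntry($ip).HostName } catch { '' }

    [pscustomobject]@{
        IPAddress = $ip
        HostName  = $name
        Port3389  = 'open'
        SeenAt    = (Get-Date).ToString('s')
    }
}

$inventory | Sort-Object IPAddress | Format-Table -AutoSize
$inventory | Export-Csv -Path $outputCsv -NoTypeInformation
Write-Host "Hosts listening on TCP/3389 in $subnetPrefix.0/24: $(@($inventory).Count) (saved to $outputCsv)"
```

The resulting list is the set of machines that an internal worm could reach directly; cross-check each one against patch status and the end-of-life operating systems named earlier, and treat any Windows XP or Server 2003 host on it as a priority.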
Out-of-Control Worms
The NSA's advisory comes at an interesting time. The agency typically stays in the background and rarely makes public statements about known vulnerabilities. Over the past few days, however, it has been pushing back against a recent New York Times piece that connected EternalBlue, the NSA's attack tool exploiting a vulnerability in Windows Server Message Block, with the ransomware attack that has locked up systems for the city of Baltimore. The Times report claimed that the RobbinHood ransomware strain which crippled Baltimore partly used EternalBlue to spread across the city's IT infrastructure. (A competing report says the ransomware strain does not use EternalBlue at all.) Had the NSA not developed, and then lost control of, EternalBlue, the attack would not have been so bad, or so the argument goes.
WannaCry and NotPetya both included EternalBlue.
Rob Joyce, a senior adviser at the NSA, said that trying to connect the NSA with any attacks using EternalBlue in 2019 ignores the fact that administrators had plenty of time to update their systems between when the exploit became public and when the infections hit. "Two years have gone by—network administrators are responsible for ensuring that system patches are up-to-date," Joyce said at a CrowdStrike event. "Focusing on a single exploit, especially one that has a patch that was issued years ago, is really short-sighted."
The NSA's BlueKeep advisory makes it clear the agency is concerned about the prospect of another ransomware worm, or one capable of launching widespread denial of service attacks. The NSA reiterated Microsoft's advice and made many of the same recommendations: roll out the patches as soon as possible, disable Remote Desktop Services where it is not needed, and block TCP port 3389 at the perimeter firewall to stop external connection attempts. Blocking the port at the perimeter does not stop the exploit from moving laterally inside the network, however.
“NSA urges everyone to invest the time and resources to know your network and run supported operating systems with the latest patches,” the agency said.
Administrators should also enable Network Level Authentication (NLA), which forces a client to authenticate before a Remote Desktop session is created and therefore before the vulnerable code can be reached. Attackers who have already harvested valid credentials (via Mimikatz or a similar tool) can still authenticate and then trigger the exploit, but NLA shuts out attackers who have no credentials at all.
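The host-side checks and the two mitigations just described (require NLA, restrict inbound TCP/3389) can be audited and applied from an elevated PowerShell session. The script below is an added example, not code from the article, Microsoft or the NSA. It reads the standard Terminal Server registry values, reports the current state, and changes nothing unless run with `-Apply`; the 10.0.0.0/8 management range is a placeholder assumption. It uses `netsh advfirewall` rather than the `New-NetFirewallRule` cmdlets so the same script works on Windows 7 and Server 2008 R2, which lack the NetSecurity module.

```powershell
# Added example (not from the article): audit a Windows host's RDP exposure
# and, with -Apply, require NLA and restrict inbound TCP/3389 to a trusted
# management range. Run elevated. Assumption: 10.0.0.0/8 stands in for the
# subnets that legitimately need RDP access; replace it before use.

param(
    [switch]$Apply,                     # report only unless this is given
    [string]$TrustedRange = '10.0.0.0/8' # placeholder management range
)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = Join-Path $tsKey 'WinStations\RDP-Tcp'

# 1. Is Remote Desktop accepting connections? fDenyTSConnections = 1 means off.
$deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
$rdpEnabled = ($deny -ne 1)

# 2. Is Network Level Authentication required? UserAuthentication = 1 means the
#    client must authenticate (CredSSP) before a session is created.
$nla = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
$nlaRequired = ($nla -eq 1)

# 3. Is anything actually listening on TCP 3389 right now?
$listening = netstat -ano | Select-String ':3389\s+.*LISTENING'

$report = [pscustomobject]@{
    ComputerName = $env:COMPUTERNAME
    OSVersion    = [Environment]::OSVersion.VersionString
    RdpEnabled   = $rdpEnabled
    NlaRequired  = $nlaRequired
    Port3389Open = [bool]$listening
}
$report | Format-List

if (-not $Apply) {
    Write-Host 'Report only. Re-run with -Apply to enforce NLA and restrict 3389.'
    return
}

if ($rdpEnabled -and -not $nlaRequired) {
    # Require NLA: unauthenticated clients never reach the vulnerable path.
    # Attackers holding valid credentials are not stopped by this.
    Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1 -Type DWord
    Write-Host 'Enabled Network Level Authentication on RDP-Tcp.'
}

# Windows Firewall evaluates explicit block rules before allow rules, so a
# "block from everywhere except X" cannot be written as one block rule.
# Instead: disable the built-in "Remote Desktop" allow group and add an allow
# rule scoped to the trusted range. With the default inbound action of Block,
# 3389 is then reachable only from that range.
$ruleName = 'BlueKeep mitigation - RDP from trusted range only'
netsh advfirewall firewall set rule group="remote desktop" new enable=no | Out-Null
netsh advfirewall firewall delete rule name="$ruleName" | Out-Null
netsh advfirewall firewall add rule name="$ruleName" dir=in action=allow protocol=TCP localport=3389 remoteip=$TrustedRange profile=any | Out-Null
Write-Host "Inbound TCP/3389 now allowed only from $TrustedRange."
Write-Host 'Verify each profile shows "Inbound connections: Block" in: netsh advfirewall show allprofiles'
```

Run it once without `-Apply` across the hosts found in an inventory sweep to see which machines have RDP on without NLA; those are the ones an unauthenticated worm can hit directly. The firewall change is a host-level complement to the perimeter block the NSA recommends, not a replacement for the patch.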
"You may have only one old WinXP machine that's vulnerable, that you don't care if it gets infected with ransomware. But, that machine may have a Domain Admin logged in, so that when the worm breaks in, it grabs those credentials and uses them to log onto the Domain Controller. Then, from the Domain Controller, the worm sends a copy of itself to all the desktops and servers in the organization, using those credentials instead of the vuln," wrote Graham.
Race for an Exploit
Researchers have been studying the vulnerability over the past few weeks. While there are several proofs of concept that trigger blue-screen crashes, none of them achieves code execution and none is being used in the wild, said researcher Kevin Beaumont. McAfee developed a proof of concept that achieved remote code execution shortly after the patch was released, and confirmed that it did not work against a patched system. Beaumont noted that Qihoo 360 has also claimed to have achieved code execution with BlueKeep.
Another researcher this week claimed to have created a working proof-of-concept Metasploit module that would allow an unauthenticated attacker to fully compromise a target Windows machine in a little over 20 seconds. Zǝɹosum0x0 posted a video on Twitter purporting to show remote code execution against a Windows Server 2008 system, but said the module would be kept private because a working exploit could cause widespread damage. The demonstration appears to have used Mimikatz to harvest login credentials after the initial compromise.
“Still too dangerous to release, lame sorry,” Zǝɹosum0x0 wrote. “Maybe after first mega-worm?”
Although there is some scanning activity looking for hosts with the vulnerable port exposed, the volume is still fairly low. However, exploit development is increasingly crowdsourced, and the seriousness of this vulnerability means there is a great deal of interest in producing a working exploit.
“My message to security community is be very careful to continue to not expose any remote code execution code in public or even private because this has potential to be extremely messy, the numbers need to come way down,” Beaumont wrote. “Keep calm and patch on - maybe a bit faster…”