ProCircular Information Security Experts Corner

Flashbriefing: Bluekeep Vulnerability

Posted by Scott Taft on Sep 6, 2019 4:10:00 PM

There has been a recent development regarding a potent vulnerability. To help you stay ahead of the situation, please read the following to learn what the exploit is capable of and what can be done to protect against it.

In May, a vulnerability known as BlueKeep was disclosed to the public alongside a Microsoft patch for the issue. The patch included an unusual out-of-band update for the end-of-life Windows XP operating system. This is not something Microsoft does very often, and never without good reason. The last notable flaw that received this treatment was the one behind the EternalBlue exploit, which was responsible for the spread of the WannaCry ransomware.

BlueKeep was only the first in a wave: in August several more vulnerabilities (collectively known as DejaBlue) were disclosed. This collection of exploits takes advantage of issues within the Windows Remote Desktop Protocol (RDP). RDP, as its name implies, creates a remote session for a user to interact with a machine. The protocol is intended for internal use only, but it is commonly found publicly available on the internet for added convenience. Externally available RDP has always been a bad idea, as it is a common target of attackers who attempt to brute-force passwords. With this new exploit, the brute-force step can be bypassed: specially crafted packets yield a remote shell on the machine with the permissions of the SYSTEM account (NT AUTHORITY\SYSTEM). SYSTEM is the “God Mode” of permissions, allowing an attacker to do anything they desire on the machine. What makes this vulnerability even more dangerous is that it can be used in a wormable attack, meaning that once one machine is infected it can automatically spread the infection to other vulnerable machines.

Today (September 6, 2019), Rapid7 released a new module for the Metasploit attack platform containing a working exploit for the BlueKeep vulnerability that targets Windows 7, Server 2008 and Server 2008 R2. Unfortunately, an attacker does not need to be extremely skilled in order to make this attack work. We expect attacks using this exploit to be widespread in a short amount of time.

Luckily, this can be fixed by simply applying the appropriate Windows patch, which removes the flaw that allows the attack. The security patches, along with notes and workarounds for the exploit, can be found at https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708. In addition, enable Network Level Authentication (NLA), which prevents unauthenticated attackers from exploiting the system, and firewall RDP off from the internet by blocking port 3389.
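The following PowerShell script is an added example for administrators, not code from ProCircular's briefing or from Microsoft: it audits the three controls named above (patch state, NLA, exposure of TCP/3389) and applies the two workarounds. It assumes an elevated session with PowerShell 3.0 or later, and the KB identifier is a placeholder that you must fill in from the MSRC advisory linked above; the function names are this example's own.

```powershell
# Added example (not from the original post): audit and harden a host against
# the RDP issues described above. Run elevated. PLACEHOLDER below: take the real
# KB number(s) for your OS from the MSRC advisory for CVE-2019-0708.
$PatchKbIds = @('KB<fill-in-from-MSRC-advisory>')   # placeholder, not a real KB id

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$tsKey\WinStations\RDP-Tcp"

function Get-RdpExposure {
    # Summarise the settings that decide whether this host is reachable and patched.
    $os   = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption
    $deny = (Get-ItemProperty -Path $tsKey  -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    $nla  = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    $port = (Get-ItemProperty -Path $rdpTcp -Name PortNumber         -ErrorAction SilentlyContinue).PortNumber
    # Get-HotFix lists installed updates; a hit on any listed KB means the fix is present.
    $patched = [bool](Get-HotFix -Id $PatchKbIds -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        OperatingSystem = $os
        RdpEnabled      = ($deny -eq 0)   # fDenyTSConnections = 1 means RDP is off
        NlaRequired     = ($nla -eq 1)    # UserAuthentication = 1 means NLA is enforced
        RdpPort         = $port
        PatchInstalled  = $patched
    }
}

function Enable-RdpNla {
    # Require Network Level Authentication so the listener demands credentials
    # before it allocates any session state for the connecting client.
    $ts = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
                          -ClassName Win32_TSGeneralSetting `
                          -Filter "TerminalName='RDP-Tcp'"
    Invoke-CimMethod -InputObject $ts -MethodName SetUserAuthenticationRequired `
                     -Arguments @{ UserAuthenticationRequired = 1 } | Out-Null
}

function Block-RdpFromUntrustedNetworks {
    # Block inbound TCP/3389 on the Public firewall profile (i.e. from the internet).
    # Windows 8 / Server 2012 and later have the NetSecurity cmdlets; older systems
    # such as Windows 7 / 2008 R2 fall back to the equivalent netsh command.
    $name = 'Block RDP (TCP 3389) from untrusted networks'
    if (Get-Command New-NetFirewallRule -ErrorAction SilentlyContinue) {
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
                                -LocalPort 3389 -Profile Public -Action Block | Out-Null
        }
    } else {
        netsh advfirewall firewall add rule name="$name" dir=in action=block protocol=TCP localport=3389 profile=public | Out-Null
    }
}

# Audit first, then apply the workarounds where they are missing.
$state = Get-RdpExposure
$state | Format-List

if ($state.RdpEnabled -and -not $state.NlaRequired) { Enable-RdpNla; Write-Host 'NLA enabled.' }
if ($state.RdpEnabled) { Block-RdpFromUntrustedNetworks; Write-Host 'Inbound 3389 blocked on Public profile.' }
if (-not $state.PatchInstalled) { Write-Warning 'CVE-2019-0708 patch not detected; install it from the MSRC advisory.' }
```

The script is deliberately conservative: it only blocks the Public profile and leaves the patch step to you, since the KB number depends on the exact OS build. NLA and the firewall rule reduce exposure, but only the Microsoft patch removes the flaw itself, so treat the warning at the end as the item that must be closed.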

If you have any questions or concerns, don’t hesitate to reach out to us.


Topics: Cybersecurity, Incident Response, hacking, security incident response
