The Cybersecurity and Infrastructure Security Agency (CISA) published an alert for Windows users to patch the critical severity Remote Desktop Services (RDS) RCE security flaw known as BlueKeep.

The Department of Homeland Security's CISA says in the alert issued today that it has achieved remote code execution on a computer running a vulnerable version of Windows 2000.

CISA tested BlueKeep against a Windows 2000 machine and achieved remote code execution. Windows OS versions prior to Windows 8 that are not mentioned in this Activity Alert may also be affected; however, CISA has not tested these systems.

Previous BlueKeep warnings

This is the fourth warning for users to patch or upgrade their systems after two others from Microsoft [1, 2] and one from the U.S. National Security Agency (NSA).

The remote code execution vulnerability tracked as CVE-2019-0708 is present in Remote Desktop Services and it allows remote unauthenticated attackers to run arbitrary code, conduct denial of service attacks, and potentially take control of vulnerable systems.

BlueKeep impacts multiple Windows versions, from Windows XP, Windows Vista, and Windows 7 to Windows Server 2003 and Windows Server 2008, including versions where Service Packs were installed.

"BlueKeep is considered 'wormable' because malware exploiting this vulnerability on a system could propagate to other vulnerable systems; thus, a BlueKeep exploit would be capable of rapidly spreading in a fashion similar to the WannaCry malware attacks of 2017," as CISA explains.

BlueKeep mitigation measures

CISA provides the following mitigation measures for the BlueKeep security flaw in its AA19-168A alert:

Install available patches. Microsoft has released security updates to patch this vulnerability. Microsoft has also released patches for a number of OSs that are no longer officially supported, including Windows Vista, Windows XP, and Windows Server 2003. As always, CISA encourages users and administrators to test patches before installation.

Upgrade end-of-life (EOL) OSs. Consider upgrading any EOL OSs no longer supported by Microsoft to a newer, supported OS, such as Windows 10.

Disable unnecessary services. Disable services not being used by the OS. This best practice limits exposure to vulnerabilities.

Enable Network Level Authentication. Enable Network Level Authentication in Windows 7, Windows Server 2008, and Windows Server 2008 R2. Doing so forces a session request to be authenticated and effectively mitigates against BlueKeep, as exploit of the vulnerability requires an unauthenticated session.

Block Transmission Control Protocol (TCP) port 3389 at the enterprise perimeter firewall. Because port 3389 is used to initiate an RDP session, blocking it prevents an attacker from exploiting BlueKeep from outside the user's network. However, this will block legitimate RDP sessions and may not prevent unauthenticated sessions from being initiated inside a network.

While Microsoft advises enabling Network Level Authentication (NLA) for Remote Desktop Services connections on unpatched Windows systems as a temporary mitigation, doing so could expose those machines to abuse by local attackers of a separate RDS bug disclosed in early June.
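The following PowerShell script is an added example, not part of the CISA alert or this article, that audits a single host against the mitigations listed above (OS version, RDP enabled, NLA, TCP 3389 listening, patch installed) and can switch NLA on. It assumes an elevated PowerShell 2.0 or later session on a Windows 7 / Server 2008 era host, and the KB list in $PatchKBs is a placeholder the administrator must fill in from Microsoft's CVE-2019-0708 guidance.

```powershell
# Added example: BlueKeep (CVE-2019-0708) mitigation audit for one Windows host.
# Assumptions: run elevated; $PatchKBs is a placeholder to be filled from the
# Microsoft guidance for this OS; WMI/netstat are used so it also works on
# PowerShell 2.0 hosts (Get-NetTCPConnection only exists on Windows 8+).
param(
    [string[]]$PatchKBs = @('KB_PLACEHOLDER'),  # replace with the real KB IDs
    [switch]$EnableNLA                          # apply the NLA mitigation if missing
)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"
$os     = Get-WmiObject Win32_OperatingSystem
$ver    = [version]$os.Version

# The alert names Windows versions before Windows 8 / Server 2012 (NT 6.2) as affected.
$affected = $ver -lt [version]'6.2'
Write-Host ("OS: {0} ({1})  affected by version: {2}" -f $os.Caption, $ver, $affected)

# RDP is accepting connections when fDenyTSConnections is 0.
$deny = (Get-ItemProperty $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
$rdpOn = ($deny -eq 0)
Write-Host ("RDP enabled: {0}" -f $rdpOn)

# NLA: UserAuthentication = 1 requires authentication before a session is created,
# which is what defeats BlueKeep's unauthenticated pre-session trigger.
$nla = (Get-ItemProperty $rdpKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
$nlaOn = ($nla -eq 1)
Write-Host ("NLA enabled: {0}" -f $nlaOn)

# Is TCP 3389 actually listening on this host?
$listening = [bool](netstat -an | Select-String -Pattern ':3389\s+\S+\s+LISTENING' -Quiet)
Write-Host ("TCP 3389 listening: {0}" -f $listening)

# Patch check: any of the supplied KB IDs being installed counts as patched.
$patched = [bool](Get-HotFix | Where-Object { $PatchKBs -contains $_.HotFixID })
Write-Host ("BlueKeep patch present: {0}" -f $patched)

if ($affected -and $rdpOn -and $listening -and -not $nlaOn -and -not $patched) {
    Write-Warning 'Unpatched, RDP reachable, NLA off: this host is exposed to CVE-2019-0708.'
    if ($EnableNLA) {
        # Temporary mitigation only; the article notes NLA carries its own caveat
        # on unpatched hosts, so patching remains the real fix.
        Set-ItemProperty $rdpKey -Name UserAuthentication -Value 1 -Type DWord
        Write-Host 'NLA enabled: new RDP sessions must now authenticate before a session is created.'
    }
}
```

Run it across a fleet with PowerShell remoting or a management tool to find the hosts that still need patching, and pass -EnableNLA only where the NLA caveat above has been weighed.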

Users and Windows administrators are also advised by CISA to review both the Microsoft Customer Guidance for CVE-2019-0708 and the BlueKeep Microsoft Security Advisory.

POCs and scanners available, RCE achieved

Since Microsoft released patches for all vulnerable versions of Windows, several security vendors and researchers have created and demoed proof-of-concept exploits capable of exploiting this vulnerability.

While none of them have been released in the wild, CISA has now confirmed that BlueKeep can be exploited remotely to run arbitrary code, which means that malware developers and threat actors alike could achieve the same result at any time.

Security researchers have also created scripts and tools that could be used to find vulnerable Windows machines so that they can be patched.

In addition, there are also some scanning tools that can be used to detect machines vulnerable to BlueKeep, as well as detection rules such as the BlueKeep signature for Suricata IDS/IPS created by the NCC Group.