BlueKeep

Last updated

BlueKeep
BlueKeep logo.svg
A logo created for the vulnerability, featuring a keep, a fortified tower built within castles
CVE identifier(s) CVE- 2019-0708
Date patched14 May 2019;5 years ago (2019-05-14) [1]
Discoverer UK National Cyber Security Centre [2]
Affected softwarepre-Windows 8 versions of Microsoft Windows

BlueKeep (CVE - 2019-0708) is a security vulnerability that was discovered in Microsoft's Remote Desktop Protocol (RDP) implementation, which allows for the possibility of remote code execution.

Contents

First reported in May 2019, it is present in all unpatched Windows NT-based versions of Microsoft Windows from Windows 2000 through Windows Server 2008 R2 and Windows 7. Microsoft issued a security patch (including an out-of-band update for several versions of Windows that have reached their end-of-life, such as Windows XP) on 14 May 2019. On 13 August 2019, related BlueKeep security vulnerabilities, collectively named DejaBlue, were reported to affect newer Windows versions, including Windows 7 and all recent versions up to Windows 10 of the operating system, as well as the older Windows versions. [3] On 6 September 2019, a Metasploit exploit of the wormable BlueKeep security vulnerability was announced to have been released into the public realm. [4]

History

The BlueKeep security vulnerability was first noted by the UK National Cyber Security Centre [2] and, on 14 May 2019, reported by Microsoft. The vulnerability was named BlueKeep by computer security expert Kevin Beaumont on Twitter. BlueKeep is officially tracked as: CVE- 2019-0708 and is a "wormable" remote code execution vulnerability. [5] [6]

Both the U.S. National Security Agency (which issued its own advisory on the vulnerability on 4 June 2019) [7] and Microsoft stated that this vulnerability could potentially be used by self-propagating worms, with Microsoft (based on a security researcher's estimation that nearly 1 million devices were vulnerable) saying that such a theoretical attack could be of a similar scale to EternalBlue-based attacks such as NotPetya and WannaCry. [8] [9] [7]

On the same day as the NSA advisory, researchers of the CERT Coordination Center disclosed a separate RDP-related security issue in the Windows 10 May 2019 Update and Windows Server 2019, citing a new behaviour where RDP Network Level Authentication (NLA) login credentials are cached on the client system, and the user can re-gain access to their RDP connection automatically if their network connection is interrupted. Microsoft dismissed this vulnerability as being intended behaviour, and it can be disabled via Group Policy. [10]

As of 1 June 2019, no active malware of the vulnerability seemed to be publicly known; however, undisclosed proof of concept (PoC) codes exploiting the vulnerability may have been available. [8] [11] [12] [13] On 1 July 2019, Sophos, a British security company, reported on a working example of such a PoC, in order to emphasize the urgent need to patch the vulnerability. [14] [15] [16] On 22 July 2019, more details of an exploit were purportedly revealed by a conference speaker from a Chinese security firm. [17] On 25 July 2019, computer experts reported that a commercial version of the exploit may have been available. [18] [19] On 31 July 2019, computer experts reported a significant increase in malicious RDP activity and warned, based on histories of exploits from similar vulnerabilities, that an active exploit of the BlueKeep vulnerability in the wild might be imminent. [20]

On 13 August 2019, related BlueKeep security vulnerabilities, collectively named DejaBlue, were reported to affect newer Windows versions, including Windows 7 and all recent versions of the operating system up to Windows 10, as well as the older Windows versions. [3]

On 6 September 2019, an exploit of the wormable BlueKeep security vulnerability was announced to have been released into the public realm. [4] The initial version of this exploit was, however, unreliable, being known to cause "blue screen of death" (BSOD) errors. A fix was later announced, removing the cause of the BSOD error. [21]

On 2 November 2019, the first BlueKeep hacking campaign on a mass scale was reported, and included an unsuccessful cryptojacking mission. [22]

On 8 November 2019, Microsoft confirmed a BlueKeep attack, and urged users to immediately patch their Windows systems. [23]

Mechanism

The RDP protocol uses "virtual channels", configured before authentication, as a data path between the client and server for providing extensions. RDP 5.1 defines 32 "static" virtual channels, and "dynamic" virtual channels are contained within one of these static channels. If a server binds the virtual channel "MS_T120" (a channel for which there is no legitimate reason for a client to connect to) with a static channel other than 31, heap corruption occurs that allows for arbitrary code execution at the system level. [24]

Windows XP, Windows Vista, Windows 7, Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 were named by Microsoft as being vulnerable to this attack. Versions newer than 7, such as Windows 8, Windows 10 and Windows 11, were not affected. The Cybersecurity and Infrastructure Security Agency stated that it had also successfully achieved code execution via the vulnerability on Windows 2000. [25]

Mitigation

Microsoft released patches for the vulnerability on 14 May 2019, for Windows XP, Windows Vista, Windows 7, Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2. This included versions of Windows that have reached their end-of-life (such as Vista, XP, and Server 2003) and thus are no longer eligible for security updates. [8] The patch forces the aforementioned "MS_T120" channel to always be bound to 31 even if requested otherwise by an RDP server. [24]

The NSA recommended additional measures, such as disabling Remote Desktop Services and its associated port (TCP 3389) if it is not being used, and requiring Network Level Authentication (NLA) for RDP. [26] According to computer security company Sophos, two-factor authentication may make the RDP issue less of a vulnerability. However, the best protection is to take RDP off the Internet: switch RDP off if not needed and, if needed, make RDP accessible only via a VPN. [27]

See also

Related Research Articles

<span class="mw-page-title-main">Windows XP</span> Microsoft PC operating system released in 2001

Windows XP is a major release of Microsoft's Windows NT operating system. It was released to manufacturing on August 24, 2001, and later to retail on October 25, 2001. It is a direct upgrade to its predecessors, Windows 2000 for high-end and business users and Windows Me for home users, and is available for any devices running Windows NT 4.0, Windows 98, Windows 2000, or Windows Me that meet the new Windows XP system requirements.

<span class="mw-page-title-main">Blaster (computer worm)</span> 2003 Windows computer worm

Blaster was a computer worm that spread on computers running operating systems Windows XP and Windows 2000 during August 2003.

Sasser is a computer worm that affects computers running vulnerable versions of the Microsoft operating systems Windows XP and Windows 2000. Sasser spreads by exploiting the system through a vulnerable port. Thus it is particularly virulent in that it can spread without user intervention, but it is also easily stopped by a properly configured firewall or by downloading system updates from Windows Update. The specific hole Sasser exploits is documented by Microsoft in its MS04-011 bulletin, for which a patch had been released seventeen days earlier. The most characteristic experience of the worm is the shutdown timer that appears due to the worm crashing LSASS.

Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft Corporation which provides a user with a graphical interface to connect to another computer over a network connection. The user employs RDP client software for this purpose, while the other computer must run RDP server software.

In computing, Download.ject is a malware program for Microsoft Windows servers. When installed on an insecure website running on Microsoft Internet Information Services (IIS), it appends malicious JavaScript to all pages served by the site.

Patch Tuesday is an unofficial term used to refer to when Microsoft, Adobe, Oracle and others regularly release software patches for their software products. It is widely referred to in this way by the industry. Microsoft formalized Patch Tuesday in October 2003. Patch Tuesday is known within Microsoft also as the "B" release, to distinguish it from the "C" and "D" releases that occur in the third and fourth weeks of the month, respectively.

The Sadmind worm was a computer worm which exploited vulnerabilities in both Sun Microsystems' Solaris and Microsoft's Internet Information Services, for which a patch had been made available seven months earlier. It was discovered on May 8, 2001.

The Windows Metafile vulnerability—also called the Metafile Image Code Execution and abbreviated MICE—is a security vulnerability in the way some versions of the Microsoft Windows operating system handled images in the Windows Metafile format. It permits arbitrary code to be executed on affected computers without the permission of their users. It was discovered on December 27, 2005, and the first reports of affected computers were announced within 24 hours. Microsoft released a high-priority update to eliminate this vulnerability via Windows Update on January 5, 2006. Attacks using this vulnerability are known as WMF exploits.

<span class="mw-page-title-main">Windows Server 2008 R2</span> Fifth version of Windows Server, released in 2009

Windows Server 2008 R2, codenamed "Windows Server 7", is the eighth version of the Windows Server operating system produced by Microsoft and released as part of the Windows NT family of operating systems. It was released to manufacturing on July 22, 2009, and became generally available on October 22, 2009, the same respective release dates of Windows 7. It is the successor to Windows Server 2008, which is derived from the Windows Vista codebase, released the previous year, and was succeeded by the Windows 8-based Windows Server 2012.

Remote Desktop Services (RDS), known as Terminal Services in Windows Server 2008 and earlier, is one of the components of Microsoft Windows that allow a user to initiate and control an interactive session on a remote computer or virtual machine over a network connection. RDS was first released in 1998 as Terminal Server in Windows NT 4.0 Terminal Server Edition, a stand-alone edition of Windows NT 4.0 Server that allowed users to log in remotely. Starting with Windows 2000, it was integrated under the name of Terminal Services as an optional component in the server editions of the Windows NT family of operating systems, receiving updates and improvements with each version of Windows. Terminal Services were then renamed to Remote Desktop Services with Windows Server 2008 R2 in 2009.

CPLINK and Win32/CplLnk.A are names for a Microsoft Windows shortcut icon vulnerability discovered in June 2010 and patched on 2 August that affected all Windows operating systems. The vulnerability is exploitable when any Windows application that display shortcut icons, such as Windows Explorer, browses to a folder containing a malicious shortcut. The exploit can be triggered without any user interaction, regardless where the shortcut file is located.

<span class="mw-page-title-main">2X Software</span> Maltese software company

2X Software was a Maltese software company specializing in virtual desktop, application virtualization, application delivery, Remote Desktop Services, remote access and Mobile Device Management. On 25 February 2015, 2X Software was acquired by Parallels, Inc. The 2X products, Remote Application Server and Mobile Device Management, are now included in Parallels' offering.

FREAK is a security exploit of a cryptographic weakness in the SSL/TLS protocols introduced decades earlier for compliance with U.S. cryptography export regulations. These involved limiting exportable software to use only public key pairs with RSA moduli of 512 bits or fewer, with the intention of allowing them to be broken easily by the National Security Agency (NSA), but not by other organizations with lesser computing resources. However, by the early 2010s, increases in computing power meant that they could be broken by anyone with access to relatively modest computing resources using the well-known Number Field Sieve algorithm, using as little as $100 of cloud computing services. Combined with the ability of a man-in-the-middle attack to manipulate the initial cipher suite negotiation between the endpoints in the connection and the fact that the finished hash only depended on the master secret, this meant that a man-in-the-middle attack with only a modest amount of computation could break the security of any website that allowed the use of 512-bit export-grade keys. While the exploit was only discovered in 2015, its underlying vulnerabilities had been present for many years, dating back to the 1990s.

JASBUG is a security bug disclosed in February 2015 and affecting core components of the Microsoft Windows Operating System. The vulnerability dated back to 2000 and affected all supported editions of Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1.

EternalBlue is a computer exploit software developed by the U.S. National Security Agency (NSA). It is based on a vulnerability in Microsoft Windows that, at the time, allowed users to gain access to any number of computers connected to a network. The NSA had known about this vulnerability for several years but had not disclosed it to Microsoft yet, since they planned to use it as a defense mechanism against cyber attacks. In 2017, the NSA discovered that the software was stolen by a group of hackers known as the Shadow Brokers. Microsoft was informed of this and released security updates in March 2017 patching the vulnerability. While this was happening, the hacker group attempted to auction off the software, but did not succeed in finding a buyer. EternalBlue was then publicly released on April 14, 2017.

<span class="mw-page-title-main">Spectre (security vulnerability)</span> Processor security vulnerability

Spectre is one of the two original transient execution CPU vulnerabilities, which involve microarchitectural side-channel attacks. These affect modern microprocessors that perform branch prediction and other forms of speculation. On most processors, the speculative execution resulting from a branch misprediction may leave observable side effects that may reveal private data to attackers. For example, if the pattern of memory accesses performed by such speculative execution depends on private data, the resulting state of the data cache constitutes a side channel through which an attacker may be able to extract information about the private data using a timing attack.

SMBGhost is a type of security vulnerability, with wormlike features, that affects Windows 10 computers and was first reported publicly on 10 March 2020.

SIGRed is a security vulnerability discovered in Microsoft's Domain Name System (DNS) implementation of Windows Server versions from 2003 to 2019.

PrintNightmare is a critical security vulnerability affecting the Microsoft Windows operating system. The vulnerability occurred within the print spooler service. There were two variants, one permitting remote code execution (CVE-2021-34527), and the other leading to privilege escalation (CVE-2021-1675). A third vulnerability (CVE-2021-34481) was announced July 15, 2021, and upgraded to remote code execution by Microsoft in August.

Log4Shell (CVE-2021-44228) is a zero-day vulnerability in Log4j, a popular Java logging framework, involving arbitrary code execution. The vulnerability had existed unnoticed since 2013 and was privately disclosed to the Apache Software Foundation, of which Log4j is a project, by Chen Zhaojun of Alibaba Cloud's security team on 24 November 2021. Before an official CVE identifier was made available on 10 December 2021, the vulnerability circulated with the name "Log4Shell", given by Free Wortley of the LunaSec team, which was initially used to track the issue online. Apache gave Log4Shell a CVSS severity rating of 10, the highest available score. The exploit was simple to execute and is estimated to have had the potential to affect hundreds of millions of devices.

References

  1. Foley, Mary Jo (2019-05-14). "Microsoft patches Windows XP, Server 2003 to try to head off 'wormable' flaw". ZDNet . Archived from the original on 2019-06-04. Retrieved 2019-06-07.
  2. 1 2 Microsoft (May 2019). "Security Update Guide - Acknowledgements, May 2019". Microsoft . Archived from the original on 2019-11-23. Retrieved 2019-06-07.
  3. 1 2 Greenberg, Andy (2019-08-13). "DejaBlue: New BlueKeep-Style Bugs Renew The Risk Of A Windows worm". Wired . Archived from the original on 2021-04-13. Retrieved 2019-08-13.
  4. 1 2 Goodin, Dan (2019-09-06). "Exploit for wormable BlueKeep Windows bug released into the wild - The Metasploit module isn't as polished as the EternalBlue exploit. Still, it's powerful". Ars Technica . Archived from the original on 2019-11-27. Retrieved 2019-09-06.
  5. "Customer guidance for CVE-2019-0708 - Remote Desktop Services Remote Code Execution Vulnerability". Microsoft . 2019-05-14. Archived from the original on 2019-09-13. Retrieved 2019-05-29.
  6. "CVE-2019-0708 Remote Desktop Services Remote Code Execution Vulnerability - Security Vulnerability". Microsoft . 2019-05-14. Archived from the original on 2019-05-29. Retrieved 2019-05-28.
  7. 1 2 Cimpanu, Catalin. "Even the NSA is urging Windows users to patch BlueKeep (CVE-2019-0708)". ZDNet. Archived from the original on 2019-09-06. Retrieved 2019-06-20.
  8. 1 2 3 Goodin, Dan (2019-05-31). "Microsoft practically begs Windows users to fix wormable BlueKeep flaw". Ars Technica . Archived from the original on 2019-07-22. Retrieved 2019-05-31.
  9. Warren, Tom (2019-05-14). "Microsoft warns of major WannaCry-like Windows security exploit, releases XP patches". The Verge. Archived from the original on 2019-09-02. Retrieved 2019-06-20.
  10. "Microsoft dismisses new Windows RDP 'bug' as a feature". Naked Security. 2019-06-06. Archived from the original on 2019-12-17. Retrieved 2019-06-20.
  11. Whittaker, Zack (2019-05-31). "Microsoft warns users to patch as exploits for 'wormable' BlueKeep bug appear". TechCrunch . Archived from the original on 2019-05-31. Retrieved 2019-05-31.
  12. O'Neill, Patrick Howell (2019-05-31). "You Need to Patch Your Older Windows PCs Right Now to Patch a Serious Flaw". Gizmodo . Archived from the original on 2019-06-01. Retrieved 2019-05-31.
  13. Winder, Davey (2019-06-01). "Microsoft Issues 'Update Now' Warning To Windows Users". Forbes . Archived from the original on 2019-06-01. Retrieved 2019-06-01.
  14. Palmer, Danny (2019-07-02). "BlueKeep: Researchers show how dangerous this Windows exploit could really be - Researchers develop a proof-of-concept attack after reverse engineering the Microsoft BlueKeep patch". ZDNet . Archived from the original on 2019-07-02. Retrieved 2019-07-02.
  15. Stockley, Mark (2019-07-01). "RDP BlueKeep exploit shows why you really, really need to patch". NakedSecurity.com. Archived from the original on 2019-12-07. Retrieved 2019-07-01.
  16. Staff (2019-05-29). "CVE-2019-0708: Remote Desktop Services remote code execution vulnerability (known as BlueKeep) - Technical Support Bulletin". Sophos . Archived from the original on 2019-07-03. Retrieved 2019-07-02.
  17. Goodin, Dan (2019-07-22). "Chances of destructive BlueKeep exploit rise with new explainer posted online - Slides give the most detailed publicly available technical documentation seen so far". Ars Technica . Archived from the original on 2019-11-08. Retrieved 2019-07-23.
  18. Cimpanu, Catalin (2019-07-25). "US company selling weaponized BlueKeep exploit - An exploit for a vulnerability that Microsoft feared it may trigger the next WannaCry is now being sold commercially". ZDNet . Archived from the original on 2019-11-08. Retrieved 2019-07-25.
  19. Franceschi-Bicchieral, Lorenzo (2019-07-26). "Cybersecurity Firm Drops Code for the Incredibly Dangerous Windows 'BlueKeep' Vulnerability - Researchers from U.S. government contractor Immunity have developed a working exploit for the feared Windows bug known as BlueKeep". Vice . Archived from the original on 2019-07-26. Retrieved 2019-07-26.
  20. Rudis, Bob (2019-07-31). "BlueKeep Exploits May Be Coming: Our Observations and Recommendations". Rapid7.com. Archived from the original on 2019-08-01. Retrieved 2019-08-01.
  21. Cimpanu, Catalin (2019-11-11). "BlueKeep exploit to get a fix for its BSOD problem". ZDNet. Archived from the original on 2019-11-18. Retrieved 2019-11-13.
  22. Greenberg, Andy (2019-11-02). "The First BlueKeep Mass Hacking Is Finally Here—but Don't Panic - After months of warnings, the first successful attack using Microsoft's BlueKeep vulnerability has arrived—but isn't nearly as bad as it could have been". Wired . Archived from the original on 2019-12-02. Retrieved 2019-11-03.
  23. "Microsoft works with researchers to detect and protect against new RDP exploits". Microsoft. 2019-11-07. Archived from the original on 2019-11-23. Retrieved 2019-11-09.
  24. 1 2 "RDP Stands for "Really DO Patch!" – Understanding the Wormable RDP Vulnerability CVE-2019-0708". McAfee Blogs. 2019-05-21. Archived from the original on 2020-03-07. Retrieved 2019-06-19.
  25. Tung, Liam. "Homeland Security: We've tested Windows BlueKeep attack and it works so patch now". ZDNet. Archived from the original on 2019-06-19. Retrieved 2019-06-20.
  26. Cimpanu, Catalin. "Even the NSA is urging Windows users to patch BlueKeep (CVE-2019-0708)". ZDNet. Archived from the original on 2019-09-06. Retrieved 2019-06-20.
  27. Stockley, Mark (2019-07-17). "RDP exposed: the wolves already at your door". Sophos . Archived from the original on 2019-10-18. Retrieved 2019-07-17.