On August 13th, BlueKeep (CVE-2019-0708), the RDP vulnerability we wrote about in our previous blog post, struck again: two new wormable flaws, named BlueKeep II & III (or, as some mockingly call them, ‘DejaBlue’), were disclosed. In contrast to their predecessor, they affect all Windows versions (Server editions included) from Windows 7 up. Microsoft and security experts alike strongly suggest that system administrators put patching these flaws at the top of their to-do lists.
What is DejaBlue?
Unlike BlueKeep I, which GCHQ discovered, these vulnerabilities were found by Microsoft’s own security teams and are listed on the Microsoft Security Response Center:
Each of these flaws can be exploited to hijack a vulnerable system without any form of authentication. In short, a specially crafted packet sent over the network gives code execution on the target before anyone logs in. Because exploitation needs no user interaction, malware abusing these flaws could spread from one vulnerable system to the next on its own, which is what makes them wormable.
As they are pre-authentication remote code execution bugs in Remote Desktop Services (RDS), being able to reach an unpatched machine’s RDP listener over the network is enough to seize it. Even worse, if the RDP endpoint is public-facing (something we very strongly advise against), anyone on the internet can reach it and wreak havoc. A compromised system gives attackers the ability to steal, delete or modify data, as well as to install (hostile) software or run harmful code.
Patch it before you catch it!
The ‘original’ BlueKeep affected older versions of Remote Desktop Services, including legacy systems that have reached end of life. BlueKeep II and III, however, mean trouble for newer systems: “The affected versions of Windows are Windows 7 SP1, Windows Server 2008 R2 SP1, Windows Server 2012, Windows 8.1, Windows Server 2012 R2,” says Simon Pope (Director of Incident Response, MSRC), “and all supported versions of Windows 10, including server versions.”
Security experts recommend two things:
- Patch your systems as soon as possible: the latest Windows updates fix these flaws and make exploitation impossible. Windows installs updates automatically by default, but administrators who have disabled auto-update should apply this patch by hand.
- Turn on Network Level Authentication (NLA). “The affected systems are mitigated against “wormable” malware or advanced malware threats that could exploit the vulnerability,” says Pope, “as NLA requires authentication before the vulnerability can be triggered.”
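Both recommendations can be audited from PowerShell on the server itself. The script below is an added example (not part of the original post or of any Microsoft guidance) that reads the NLA setting of the RDP-Tcp listener through the Win32_TSGeneralSetting WMI class, enforces it when run with -Enforce, shows which addresses the listener is bound to, and checks for an installed update with Get-HotFix. The KB number is a placeholder: look up the August 2019 update for your Windows build and pass it in. Run it in an elevated session, since changing the listener setting requires administrative rights.

```powershell
# Added example, not from the original post: audit (and optionally enforce)
# Network Level Authentication on the local RDP listener and check patch status.
param(
    [switch]$Enforce,
    [string]$ExpectedKB = 'KB0000000'   # placeholder: the KB for your Windows build
)

# The RDP-Tcp listener settings live in the TerminalServices WMI namespace.
$ns = 'root\cimv2\TerminalServices'
$listener = Get-CimInstance -Namespace $ns -ClassName Win32_TSGeneralSetting `
    -Filter "TerminalName='RDP-Tcp'"

if (-not $listener) {
    Write-Warning 'No RDP-Tcp listener found; Remote Desktop may be disabled on this host.'
    return
}

# UserAuthenticationRequired = 1 means NLA is on: clients must authenticate
# (CredSSP) before the vulnerable pre-auth code path is reachable.
if ($listener.UserAuthenticationRequired -eq 1) {
    Write-Output 'NLA: enabled (UserAuthenticationRequired=1)'
} else {
    Write-Warning 'NLA: DISABLED - unauthenticated clients can reach the RDP code path'
    if ($Enforce) {
        # SetUserAuthenticationRequired is the method exposed by Win32_TSGeneralSetting.
        $null = Invoke-CimMethod -InputObject $listener -MethodName SetUserAuthenticationRequired `
            -Arguments @{ UserAuthenticationRequired = 1 }
        Write-Output 'NLA: enabled by this script'
    }
}

# Show where the listener is bound; 0.0.0.0 / :: means every interface,
# which is the case to watch for on hosts with a public-facing NIC.
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$port = (Get-ItemProperty $rdpKey).PortNumber
Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess

# Patch status: Get-HotFix lists installed updates by KB id.
$hotfix = Get-HotFix -Id $ExpectedKB -ErrorAction SilentlyContinue
if ($hotfix) {
    Write-Output "Patch $ExpectedKB installed on $($hotfix.InstalledOn)"
} else {
    Write-Warning "Patch $ExpectedKB not found - install the latest cumulative update"
}
```

Enabling NLA does not remove the vulnerable code, it only puts an authentication step in front of it; the patch is still needed, which is why the script reports both.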
Avoid RDP vulnerabilities with Awingu
As with BlueKeep I, Awingu can help shield you against this kind of wormable vulnerability. The end-user device never opens an RDP connection itself: it reaches Awingu over HTTP in a browser, and the Awingu appliance opens the RDP session to the Windows App Server on its behalf. In other words, the RDP infrastructure is only ever contacted by the appliance, so your RDP endpoint need not be publicly exposed for users to reach their Windows App Server from anywhere and on any device.
In that setup, Awingu plays the role a firewall would: it keeps attackers from reaching your RDP endpoint and initiating the attack in the first place. With the right measures in place, Awingu becomes the single point of entry to your infrastructure, and its security features (including built-in MFA) keep external attackers out. That said, it remains best practice to apply the most recent patches promptly so that your guard stays up against common exploits.
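The “right measures” include making sure the app server’s RDP listener really only accepts connections from the appliance. The following script is an added example (not from the original post and not Awingu’s own tooling) that uses the built-in NetSecurity cmdlets to disable the stock “Remote Desktop” inbound rules, which allow any source, and replace them with a single rule scoped to the gateway’s address; the gateway IP and port are placeholders. Because Windows Firewall denies inbound traffic by default, no extra block rule is needed (a block rule on the port would also override the allow and cut off the gateway).

```powershell
# Added example, not from the original post: restrict inbound RDP on a Windows
# App Server to one gateway/appliance address so the listener is never
# reachable directly. Run in an elevated PowerShell session.
param(
    [string]$GatewayAddress = '10.0.0.10',   # placeholder: your appliance's IP
    [int]$RdpPort = 3389,                     # default RDP port
    [string]$RuleName = 'RDP from gateway only'
)

# 1. Disable the built-in inbound Remote Desktop rules (they accept any remote address).
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
    Where-Object Direction -eq 'Inbound' |
    Disable-NetFirewallRule

# 2. Create the scoped allow rule once; re-running the script leaves it alone.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
        -LocalPort $RdpPort -RemoteAddress $GatewayAddress -Action Allow -Profile Any |
        Out-Null
}

# 3. Verify: list every enabled inbound rule that touches the RDP port, with the
#    remote addresses it allows. Anything showing RemoteAddress 'Any' is a gap.
Get-NetFirewallRule -Enabled True -Direction Inbound |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -eq "$RdpPort" } |
    Select-Object DisplayName, Action,
        @{ Name = 'RemoteAddress'; Expression = { ($_ | Get-NetFirewallAddressFilter).RemoteAddress } }
```

Host firewall rules are a second layer, not a substitute for keeping the app server off the internet at the network edge; together with NLA and the patch they mean an attacker would have to compromise the appliance before the RDP listener is even reachable.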
About the author
Karel Van Ooteghem