Microsoft has issued important recommendations for Windows users to protect against the BlueKeep vulnerability.
BlueKeep (CVE-2019-0708) is a wormable vulnerability that exists in the Remote Desktop Protocol (RDP) used by the Windows OS, including both 32- and 64-bit versions, and Service Pack versions.
According to Microsoft’s Detection and Response Team (DART), this vulnerability can cause large-scale outbreaks like WannaCry and Conficker. BlueKeep allows attackers to perform remote code execution on unprotected systems.
Attackers can then perform several actions on the vulnerable systems, such as adding accounts with full user rights, viewing, changing, or deleting data, or installing programs. The attack requires no user interaction and can happen without authentication.
The DART team said that there are more than 400K endpoints that lack any network level authentication. All these systems are at potential risk from the BlueKeep vulnerability.
“By exploiting a vulnerable RDP system, attackers will also have access to all user credentials used on the RDP system,” warned the Microsoft DART team in a blog post.
To protect against the BlueKeep vulnerability, Microsoft has strongly recommended that users apply the Windows update. It is critical for users to apply all the updates if they are using Remote Desktop in their environment.
For users who have RDP listening on the internet, it is recommended to move the RDP listener behind a second factor authentication, like VPN, SSL Tunnel, or RDP gateway.
Furthermore, Microsoft advised enabling Network Level Authentication (NLA) to protect against unauthenticated access to the RDP tunnel.
“The DART team highly recommends you enable NLA regardless of this patch, as it mitigates a whole slew of other attacks against RDP,” added Microsoft.
Microsoft has also taken the unusual step of providing a security update to all customers, including those on some out-of-support versions of Windows.
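To check the NLA recommendation above on a given host, the following PowerShell audit reads the local Remote Desktop settings and reports whether RDP is enabled without NLA. It is an added example, not code from Microsoft or the DART blog post; the helper name `Get-RegValue` and the report layout are assumptions made for illustration.

```powershell
# Added example: audit whether this host accepts RDP connections without NLA.
# Run in an elevated PowerShell session on the Windows host being checked.

$tsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcpKey = "$tsKey\WinStations\RDP-Tcp"
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Hypothetical helper: returns $null when the key or value does not exist.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

# Group Policy values, when present, take precedence over the local settings.
$denyPolicy = Get-RegValue $policyKey 'fDenyTSConnections'
$nlaPolicy  = Get-RegValue $policyKey 'UserAuthentication'
$deny = if ($null -ne $denyPolicy) { $denyPolicy } else { Get-RegValue $tsKey 'fDenyTSConnections' }
$nla  = if ($null -ne $nlaPolicy)  { $nlaPolicy }  else { Get-RegValue $rdpTcpKey 'UserAuthentication' }

$rdpEnabled  = ($deny -eq 0)   # fDenyTSConnections = 0 means RDP connections are allowed
$nlaRequired = ($nla -eq 1)    # UserAuthentication = 1 means NLA is required

if (-not $rdpEnabled) {
    $finding = 'RDP is disabled on this host'
} elseif ($nlaRequired) {
    $finding = 'RDP enabled, NLA required'
} else {
    $finding = 'RDP enabled WITHOUT NLA: enable NLA and apply the Windows update'
}

[pscustomobject]@{
    ComputerName   = $env:COMPUTERNAME
    RdpEnabled     = $rdpEnabled
    NlaRequired    = $nlaRequired
    NlaSetByPolicy = ($null -ne $nlaPolicy)
    ListenerPort   = Get-RegValue $rdpTcpKey 'PortNumber'
    Finding        = $finding
} | Format-List

# Corrected setting (uncomment to require NLA locally; a Group Policy value overrides it):
# Set-ItemProperty -Path $rdpTcpKey -Name 'UserAuthentication' -Value 1
```

NLA does not replace the security update: a host reported as "NLA required" still needs the patch, as the DART quote above makes clear.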