NSA Release Advisory on BlueKeep vulnerability (June 5, 2019)

Description

The National Security Agency (NSA) has released a cybersecurity advisory for CVE-2019-0708 (BlueKeep) vulnerability. Although Microsoft has issued a patch, there is a large possibility that millions of computers have not been patched and are exposed to the vulnerability. It is recommended that you take the necessary precautions by ensuring your products are always updated.

CVE-2019-0708 know as “BlueKeep”, is a vulnerability in Remote Desktop Services (RDS) on legacy versions of the windows operating system.

Affected Systems

Listed below are the following versions of Windows affected:

  • Windows XP
  • Windows Server 2003
  • Windows Vista
  • Windows Server 2008
  • Windows 7
  • Windows Server 2008 R2

Mitigation Actions

The NSA urges everyone to invest the time and resources to know their network and ensure operating systems running on the affiliated network has the latest patches installed.

To address CVE-2019-0708, it is advised to immediately apply the following patches for the respective affected versions of windows listed below:

  • Windows XP /Windows Server 2003 – Security Patch KB4500331
  • Windows Vista / Windows Server 2008 – Security Patch KB4499180 OR Monthly Rollup KB4499149
  • Windows 7 / Windows Server 2008 R2 – Security Patch KB4499175 OR Monthly Rollup KB4499164

Given that large networks patch and upgrade have been issued against this threat, there are additional measures that can be considered as described in the Microsoft CVE-2019-0708 security advisory.

  • Block TCP Port 3389 at your firewalls, especially any perimeter firewalls exposed to the internet. This port is used by the Remote Desktop Protocol (RDP) and will block attempts to establish a connection
  • Enable Network Level Authentication. With NLA enabled, attackers would first have to authenticate to RDS in order to successfully exploit the vulnerability. NLA is available on the Windows 7, Windows Server 2008 and Windows Server 2008 R2 operating systems.
  • Disable remote Desktop Services if they are not required. Disabling unused and unneeded services helps reduce exposure to security vulnerabilities overall and is a best practice even without the BlueKeep threat.

Note that Windows 10 systems are already protected from this vulnerability, as it only affects the older versions of windows listed above.

For more information on the CVE-2019-0708 security advisory you can follow these URLs:

https://www.nsa.gov/Portals/70/documents/what-we do/cybersecurity/professional-resources/csa-bluekeep_20190604.pdf

https://www.nsa.gov/News-Features/News-Stories/Article-View/Article/1865726/nsa-cybersecurity-advisory-patch-remote-desktop-services-on-legacy-versions-of/

https://blogs.technet.microsoft.com/msrc/2019/05/30/a-reminder-to-update-your-systems-to-prevent-a-worm/

https://support.microsoft.com/en-us/help/4500705/customer-guidance-for-cve-2019-0708

The Guyana National CIRT recommends users and administration to review these updates and to apply them where necessary.

Reference

•        NSA Release Advisory on BlueKeep vulnerability (US-Cert)

https://www.us-cert.gov/ncas/current-activity/2019/06/04/NSA-Releases-Advisory-BlueKeep-Vulnerability