
Security Alert



Alert – Microsoft Remote Desktop Protocol (RDP) vulnerability named BlueKeep. 2019-06-19

Specification
BlueKeep (CVE-2019-0708) is a remote code execution vulnerability in Microsoft's Remote Desktop Protocol (RDP) implementation, Remote Desktop Services. The flaw is reachable before authentication: successful exploitation could allow an unauthenticated attacker to execute arbitrary code with full user privileges on the exploited system, letting the attacker install programs and view, change or delete data on affected systems.
Microsoft has rated the vulnerability, now known as "BlueKeep", as "Critical" and has warned that it is "wormable". This means that malware exploiting it can spread from one vulnerable machine to another without any user interaction, in the same way the WannaCry ransomware spread in 2017. Systems running Windows 8 and Windows 10 are not affected by this vulnerability.

Vulnerable or affected systems:
• Windows 2000
• Windows Vista
• Windows XP
• Windows 7
• Windows Server 2003
• Windows Server 2003 R2
• Windows Server 2008
• Windows Server 2008 R2
Solution:
Recommendation

Fix: Microsoft has released patches for its currently supported operating systems: Windows 7, Windows Server 2008 R2 and Windows Server 2008. Microsoft has also, exceptionally, released patches for operating systems that are no longer supported, Windows Server 2003 and Windows XP; these are published through the customer guidance page and the Microsoft Update Catalog rather than through Windows Update. It is recommended that external-facing servers with RDP enabled be patched as soon as possible, followed by internal servers with RDP enabled and then other internal workstations. Note: test the patch before deploying it to production systems.


Mitigation:
• Disable Remote Desktop Services if they are not being used or are not business critical: if you no longer need these services on a system, disable them as a security best practice. Disabling unused and unneeded services reduces your exposure to security vulnerabilities, and a host with Remote Desktop Services disabled is not reachable by this exploit at all.

Workarounds:
• Enable Network Level Authentication (NLA) on Windows 7, Windows Server 2008 and Windows Server 2008 R2, which support this feature: with NLA turned on, an attacker would first need to authenticate to Remote Desktop Services with a valid account on the target system before the vulnerable code could be reached. This is a partial workaround only: a system with NLA enabled is still vulnerable to any attacker who holds valid credentials for it, so NLA does not replace the patch.
• Block RDP (TCP port 3389) on perimeter and enterprise firewalls to prevent attacks from external parties, or make it accessible only over a private VPN: TCP port 3389 is used to initiate a connection with the affected component, so blocking it at the network perimeter firewall is the best defence against Internet-based attempts to exploit this vulnerability. Systems behind the firewall remain vulnerable to attacks from inside the enterprise perimeter, which is why this is a workaround and not a fix.
• Upgrade end-of-life (EOL) operating systems: consider upgrading any EOL OS no longer supported by Microsoft to a newer, supported OS, such as Windows 10.
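The checks behind the recommendations above, collected into one script, as an added example for this alert (it is not code from Microsoft or RW-CSIRT): it reports whether the host is in the affected version range, whether a CVE-2019-0708 update is installed, whether Remote Desktop is enabled and whether NLA is required, and optionally applies the workarounds. The KB numbers, the WMI class used for the NLA setting and the firewall rule name are assumptions taken from Microsoft's patch guidance rather than from this alert; verify them against the MSRC advisory links before relying on the output.

```powershell
<#
  Audit (and optionally harden) a host for BlueKeep, CVE-2019-0708.
  Added example for this alert; it is not Microsoft's or RW-CSIRT's code.
  Run from an elevated PowerShell prompt on the host being checked.
  Assumptions: the KB numbers below are the May 2019 CVE-2019-0708 updates
  (security-only and monthly rollup per OS family); confirm them against the
  MSRC advisory linked in this alert before acting on the result. The script
  uses Get-WmiObject rather than the CIM cmdlets so that it runs on the
  PowerShell 2.0 that ships with Windows 7 and Server 2008 R2.
#>
param(
    [switch]$EnableNla,      # require Network Level Authentication for RDP-Tcp
    [switch]$DisableRdp,     # turn Remote Desktop off entirely
    [switch]$BlockPort3389   # add a host-firewall rule dropping inbound TCP/3389
)

# Patch IDs per Windows kernel version family (assumption, see header comment).
$fixes = @{
    '6.1' = @('KB4499175', 'KB4499164')  # Windows 7 SP1 / Server 2008 R2 SP1
    '6.0' = @('KB4499180', 'KB4499149')  # Windows Vista SP2 / Server 2008 SP2
    '5.2' = @('KB4500331')               # Windows Server 2003 / 2003 R2
    '5.1' = @('KB4500331')               # Windows XP
}

# 1. Is this OS in the affected range, and is the fix installed?
$os     = Get-WmiObject -Class Win32_OperatingSystem
$family = ($os.Version -split '\.')[0..1] -join '.'
Write-Host "OS: $($os.Caption) (version $($os.Version))"

if (-not $fixes.ContainsKey($family)) {
    Write-Host "Not in the affected list (Windows 8, Windows 10 and Server 2012+ are not vulnerable)."
} else {
    $installed = Get-HotFix | Where-Object { $fixes[$family] -contains $_.HotFixID }
    if ($installed) {
        Write-Host "Patched: $($installed.HotFixID -join ', ') is installed."
    } else {
        Write-Warning "NOT patched for CVE-2019-0708 (expected one of: $($fixes[$family] -join ', '))."
    }
}

# 2. Is Remote Desktop listening at all?  fDenyTSConnections = 1 means disabled.
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpOff = (Get-ItemProperty -Path $tsKey).fDenyTSConnections
if ($rdpOff -eq 1) { Write-Host "Remote Desktop: disabled." }
else               { Write-Warning "Remote Desktop: ENABLED on TCP/3389." }

# 3. Is NLA required?  Without it the pre-authentication code path is exposed.
$ts = $null
try {
    $ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
          -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'" -ErrorAction Stop
    if ($ts.UserAuthenticationRequired -eq 1) {
        Write-Host "NLA: required (an attacker needs valid credentials first)."
    } else {
        Write-Warning "NLA: NOT required; unauthenticated clients reach the vulnerable code."
    }
} catch {
    Write-Host "NLA: not available on this OS (XP / Server 2003 have no NLA support)."
}

# 4. Optional hardening, matching the workarounds in the alert.
if ($EnableNla -and $ts) {
    $ts.SetUserAuthenticationRequired(1) | Out-Null
    Write-Host "NLA enabled for RDP-Tcp (applies to new connections)."
}
if ($DisableRdp) {
    Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1
    Write-Host "Remote Desktop disabled (restart the TermService service to drop existing sessions)."
}
if ($BlockPort3389) {
    # Host-level rule (Vista and later); the perimeter firewall rule in the alert is still required.
    netsh advfirewall firewall add rule name="Block inbound RDP (CVE-2019-0708)" `
        dir=in action=block protocol=TCP localport=3389 | Out-Null
    Write-Host "Inbound TCP/3389 blocked by Windows Firewall."
}
```

Saved as, say, Check-BlueKeep.ps1 (the file name is an assumption), run it with no switches to audit and with `-EnableNla -BlockPort3389` to apply the workarounds; on a default Windows 7 install you may first need `Set-ExecutionPolicy RemoteSigned`. NLA and the port block only reduce exposure; only the patch removes the flaw, so re-run the script after patching and confirm it reports the host as patched.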
Affected users should contact RW-CSIRT (call 4045 or write to security@risa.rw) for help analysing the source of the incident and for recommendations.
Visit the links below and follow the instructions given by respective vendors.
https://www.us-cert.gov/ncas/alerts/AA19-168A
https://thehackernews.com/2019/05/bluekeep-rdp-vulnerability.html
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708
https://support.microsoft.com/en-us/help/4500705/customer-guidance-for-cve2019-0708
https://blogs.technet.microsoft.com/msrc/2019/05/14/prevent-a-worm-by-updatingremote-desktop-services-cve-2019-0708/