Nine days have passed since Microsoft patched the high-severity vulnerability known as BlueKeep, yet dire warnings about its potential to cause global disruption keep coming.
Until recently, there was little independent confirmation that exploits could spread from computer to computer in a way not seen worldwide since the WannaCry and NotPetya worms shut down computers in 2017.
Until then, researchers had only Microsoft's word that the vulnerability was serious. Then five researchers from security firm McAfee said they were able to exploit the vulnerability and achieve remote code execution without any end-user intervention. The disclosure confirmed that CVE-2019-0708 is as critical as Microsoft's advisory rated it.
"Responsible disclosure has a gray area," the researchers wrote. "With our investigation, we can confirm that the exploit is working and that it is possible to remotely execute code on a vulnerable system without authentication."
Just a matter of time
Two more posts on BlueKeep appeared on Wednesday. The one from security firm ESET was succinctly titled "Patch now! Why the BlueKeep vulnerability is a big deal." ESET security evangelist Ondrej Kubovič wrote: "At the moment, it's only a matter of time before someone publishes a working exploit. In this case, it will likely become popular with less-experienced cybercriminals and lucrative capital for its creator."
The vulnerability lies in Microsoft's proprietary Remote Desktop Protocol, which provides a graphical interface for connecting to another computer over the Internet. To exploit the vulnerability, which exists in older versions of Windows but not in the much better secured Windows 8 and 10, an attacker would only need to send specially crafted packets to a vulnerable RDP-enabled computer. The severity led Microsoft to take the highly unusual step of releasing patches for Windows 2003, XP and Vista, which have not been supported for four, five and seven years respectively.
In a separate post, also published Wednesday, security organization SANS continued the stream of warnings.
"If you're vulnerable, you'll find two basic vulnerabilities in your network: you're still running Windows 7 (or XP??), and you're doing RDP as well," wrote SANS dean of research Johannes B. Ullrich. "Neither is good, and both problems need to be addressed. With this focus on RDP, there is a good chance that further security holes will be found in the next few months. If this is the case, the fire drills will continue until you solve these two problems."
A month later, in May 2017, WannaCry and another worm named NotPetya shut down computers around the world, causing hospitals to turn away patients, train stations to stop functioning normally, and international shippers to suffer major disruptions.
Both worms spread by exploiting a vulnerability in older versions of Windows, and the attackers had a head start in exploiting the flaw. A month after Microsoft quietly patched it, a still-unknown group calling itself the Shadow Brokers released highly reliable exploit code that had been developed by the National Security Agency and later stolen. Almost immediately afterward, the so-called "Eternal Blue" code was repurposed for real-world attacks.
The only thing that keeps BlueKeep from being used for similar real attacks right now is the lack of a reliable exploit code – and that's likely to change.
"It does not seem trivial to develop a reliable remote code execution exploit for this vulnerability, which will hopefully give us a few more days before one becomes publicly available," wrote Ullrich of SANS. "However, exploit development is active, and I do not think you have more than a week."
Craig Dods, a senior engineer at network equipment maker Juniper, said Microsoft's partners have been trying to develop defensive measures even though Microsoft has declined to give them as many technical details as they would like. In a message he wrote:
"I'm sure that passing on technical details to security partners carries a non-zero risk," he wrote, referring to the time customers need for patching. "On the other hand, leaving security vendors in the dark does not make for a great solution either. We must work together to reverse engineer the patches, effectively in a race against people who would use them for financial or political purposes."
The concern, according to Dods and other security experts, is made worse by the use of vulnerable Windows versions in some of the most mission-critical environments, including hospitals, factories and other industrial settings, where patching is complicated by regulatory compliance requirements or operating schedules.
"It will be a big problem in the years to come, especially for ICS-style networks," Dods said, referring to industrial control systems.
He warned that in some cases the vulnerability could be exploited even when affected RDP services are protected by network-level authentication, which requires a connecting computer to supply a password before a session is established: namely, when attackers have already obtained credentials, as is often the case during the days or weeks of network reconnaissance that precede ransomware attacks. Ransomware attacks are often linked to vulnerable RDP services exposed to the Internet. The most effective protection is for susceptible systems to receive the patch Microsoft released earlier this month. Disabling RDP is also effective. If RDP is required, it should be enabled only on computers that truly need it, and those should be reachable only over local area networks or through a robust virtual private network. NCC Group intrusion detection signatures and Cisco Snort rules for this vulnerability are available here and here. Ullrich has published detection for exploit packets here.
While implementing these remedies can be difficult and costly for many organizations, there is consensus that the consequences of inaction could be far worse. One of the first warnings came five days ago, when a security researcher took to Twitter to give a blunt assessment of the potential damage.
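The mitigations above (patch, disable RDP, require NLA, keep RDP off the Internet) can be checked on a single host. The following PowerShell audit is an added example, not code from the article or from any vendor it cites; the KB id is a placeholder the administrator fills in from Microsoft's advisory for the host's OS.

```powershell
# Added example, not code from the article or from any vendor it cites.
# Audits the local Windows host for the mitigations the article describes:
# RDP turned off, Network Level Authentication required, the fix installed,
# and RDP not listening on every interface. $PatchKb is a placeholder: put in
# the KB id from Microsoft's advisory for this host's OS.
function Get-RdpExposureReport {
    param([string]$PatchKb = 'KB-PLACEHOLDER')   # placeholder, not a real id

    $tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpKey = "$tsKey\WinStations\RDP-Tcp"

    # fDenyTSConnections = 1 means Remote Desktop connections are refused.
    # A missing value is treated as "enabled", the conservative reading.
    $deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections `
             -ErrorAction SilentlyContinue).fDenyTSConnections
    # UserAuthentication = 1 means NLA must succeed before a session is created.
    $nla  = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication `
             -ErrorAction SilentlyContinue).UserAuthentication
    # Get-HotFix returns nothing when the update is not installed.
    $fix  = Get-HotFix -Id $PatchKb -ErrorAction SilentlyContinue
    # netstat is parsed instead of Get-NetTCPConnection so this also runs on Windows 7.
    $wildcard = netstat -an | Select-String '^\s*TCP\s+(0\.0\.0\.0|\[::\]):3389\s.*LISTENING'

    $report = New-Object PSObject -Property @{
        RdpEnabled   = ($deny -ne 1)
        NlaRequired  = ($nla -eq 1)
        PatchPresent = ($null -ne $fix)
        ListensOnAll = ($null -ne $wildcard)
        Findings     = @()
    }
    if ($report.RdpEnabled -and -not $report.PatchPresent) {
        $report.Findings += 'RDP enabled and fix missing: install the patch or disable RDP.'
    }
    if ($report.RdpEnabled -and -not $report.NlaRequired) {
        $report.Findings += 'RDP enabled without NLA: require NLA (a partial mitigation only).'
    }
    if ($report.RdpEnabled -and $report.ListensOnAll) {
        $report.Findings += 'RDP listens on all interfaces: restrict it to the LAN or a VPN.'
    }
    return $report
}

Get-RdpExposureReport | Format-List
```

Run it in an elevated PowerShell session so the registry and hotfix queries succeed; an empty Findings list means the host has the listed mitigations in place, not that it is free of other exposure.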
I got the CVE-2019-0708 exploit working with my own programmed POC (a very dangerous POC). This exploit is very dangerous. For that reason, I will NOT say anything to ANYONE OR ANY COMPANY. You can believe me or not, I do not care. Http://t.co/o7wwEazgK0
– Valthek (@ValthekOn) May 18, 2019