May Patch Tuesday: RDP Casts A Chill


BlueKeep (CVE-2019-0708) – RDP Remote Code Execution Vulnerability

We take every Patch Tuesday seriously at Options, but when we noticed that Microsoft had, unusually, released patches for Windows XP and Server 2003, we got a chill!

Since the end-of-life date for XP and 2003, Microsoft has released patches for these operating systems on only four occasions (including this one)… the most infamous being the emergency fix issued in the wake of WannaCry!

So what is the vulnerability?

According to Microsoft, “A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would need to send a specially crafted request to the target system's Remote Desktop Service via RDP.”

It has long been standard security practice to prohibit RDP connectivity to servers directly from the internet, and this vulnerability is another great reason to deny such access! An unpatched Windows host that receives the specially crafted requests on its Remote Desktop Service lets the attacker run code on the machine with no credentials at all: the bug sits in the part of the RDP handshake that happens before any logon. Windows 7, Server 2008 and Server 2008 R2 are affected alongside the out-of-support XP and Server 2003; Windows 8 and Windows 10 are not. Scary!

From there, an attacker might scan for other vulnerable machines and spread further into the network.

Yes, it's wormable! Because no credentials or user interaction are needed, future malware could exploit this vulnerability and spread from host to host in the same way WannaCry did, if systems aren't patched!

What do we do now?

Considering the number of targets and the ease with which an attacker can use the vulnerability to spread across a network, we suggest you take this seriously and get patching!

Although it hasn't been fully weaponised yet, plenty of attackers will already be diffing the patched binaries against the unpatched ones to locate the bug and build an exploit, so do not assume this won't happen soon.

In addition to patching, or if for some reason you can't patch right away, Microsoft has issued the following guidelines and workarounds:

  •  Enable Network Level Authentication (NLA). With NLA, the client must authenticate (via CredSSP) before a Remote Desktop session is created, so the pre-authentication code path is never reached by an anonymous connection. Two caveats: not all affected systems support NLA (XP and Server 2003 are the problem cases), and an NLA-protected system is still exploitable by an attacker who holds valid credentials, so this is a mitigation, not a fix.
  •  Turn off RDP. If Remote Desktop Services isn't running, the vulnerability can't be exploited. As obvious as this seems, some organisations are unable to work without RDP, and some are running it without realising it; inventory your listeners before assuming it is off.
  •  Block TCP port 3389. Blocking port 3389 (and any other ports you've assigned to RDP) at the perimeter will prevent an attack from entering your network from the internet, but it cannot stop an attack that originates inside your network, which is exactly how a worm would travel.
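A practical way to audit the first two workarounds from the network side is to speak the opening leg of the RDP handshake yourself and see what the server will negotiate. The script below is an added example written for this post; it is not code from Options or Microsoft. It builds an X.224 Connection Request that offers only PROTOCOL_SSL (TLS without CredSSP/NLA), then reads the X.224 Connection Confirm. A server that is enforcing NLA refuses with the HYBRID_REQUIRED_BY_SERVER code; a server that accepts, or that answers with no negotiation block at all (the pre-NLA XP/2003 behaviour), still exposes the unauthenticated RDP path that this bug lives in. The constant names follow MS-RDPBCGR; the sample replies are constructed, not captured from any real host, and the `check_host` helper is a hypothetical wrapper that only makes sense against machines you are authorised to scan. It does not test for, or exploit, the vulnerability itself.

```python
"""Does an RDP listener accept a connection without NLA?  (Added example.)"""
import socket
import struct
import sys

# Protocol flags and failure codes from MS-RDPBCGR 2.2.1.1.1 / 2.2.1.2.2
PROTOCOL_RDP = 0x00000000       # legacy "standard RDP security"
PROTOCOL_SSL = 0x00000001       # TLS, but no NLA
PROTOCOL_HYBRID = 0x00000002    # CredSSP (NLA)
HYBRID_REQUIRED_BY_SERVER = 0x00000005
SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER = 0x00000006
NEG_RSP, NEG_FAILURE = 0x02, 0x03


def build_connection_request(requested_protocols=PROTOCOL_SSL, cookie="scan"):
    """TPKT header + X.224 Connection Request + mstshash cookie + RDP_NEG_REQ."""
    body = f"Cookie: mstshash={cookie}\r\n".encode()
    body += struct.pack("<BBHI", 0x01, 0x00, 8, requested_protocols)  # RDP_NEG_REQ
    x224 = bytes([0xE0, 0, 0, 0, 0, 0]) + body   # CR code, dst-ref, src-ref, class 0
    x224 = bytes([len(x224)]) + x224             # X.224 length indicator
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224  # TPKT: version 3, length


def parse_connection_confirm(data):
    """Return ('accept', selectedProtocol), ('failure', failureCode) or
    ('legacy', None) when the server sends no negotiation block at all."""
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT/X.224 packet")
    tpkt_len = struct.unpack(">H", data[2:4])[0]
    if tpkt_len != len(data) or data[5] != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    if tpkt_len == 11:                       # bare CC, nothing negotiated
        return ("legacy", None)
    neg_type, _flags, neg_len, value = struct.unpack("<BBHI", data[11:19])
    if neg_len != 8:
        raise ValueError("bad negotiation block length")
    if neg_type == NEG_RSP:
        return ("accept", value)
    if neg_type == NEG_FAILURE:
        return ("failure", value)
    raise ValueError(f"unexpected negotiation type {neg_type:#x}")


def classify(result):
    """Turn a parsed reply into the verdict an auditor cares about."""
    kind, value = result
    if kind == "failure" and value in (HYBRID_REQUIRED_BY_SERVER,
                                       SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER):
        return "NLA required: unauthenticated RDP path not reachable"
    if kind == "failure":
        return f"inconclusive: negotiation refused with code {value:#x}"
    if kind == "legacy" or value in (PROTOCOL_RDP, PROTOCOL_SSL):
        return "NLA NOT required: pre-auth RDP reachable, patch or restrict"
    return f"inconclusive: server selected protocol {value:#x}"


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed during handshake")
        buf += chunk
    return buf


def check_host(host, port=3389, timeout=5.0):
    """Hypothetical helper: run the exchange against one host (network I/O)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_connection_request())
        header = _recv_exact(s, 4)                       # TPKT header first
        total = struct.unpack(">H", header[2:4])[0]
        reply = header + _recv_exact(s, total - 4)       # then the rest
    return classify(parse_connection_confirm(reply))


# Constructed sample replies (not captured from any real host):
SAMPLE_NLA_ENFORCED = bytes.fromhex("030000130ed00000123400" "0300080005000000")
SAMPLE_TLS_ONLY = bytes.fromhex("030000130ed00000123400" "0200080001000000")
SAMPLE_LEGACY = bytes.fromhex("0300000b06d00000123400")

if __name__ == "__main__":
    for host in sys.argv[1:]:
        try:
            print(host, check_host(host))
        except (OSError, ValueError) as exc:
            print(host, "error:", exc)
```

Run it with a list of hosts you own (`python rdp_nla_check.py 10.0.0.5 10.0.0.6`) and anything reported as "NLA NOT required" is a host where workaround one has not taken effect, or where it cannot (XP/2003), and patching or port blocking has to carry the load instead. A connection refused or timed out is the good outcome for workarounds two and three.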

— Sophie McDonald, Options Head of Analytics
