The Department of Homeland Security (DHS) issued a new warning on Monday about the “wormable” BlueKeep vulnerability. DHS confirmed that attackers can exploit unpatched systems to perform remote code execution.
As with the WannaCry malware attacks in 2017, BlueKeep (CVE-2019-0708) is wormable: malware used to exploit the flaw could propagate to other vulnerable systems.
“After successfully sending the packets, the attacker would have the ability to perform a number of actions: adding accounts with full user rights; viewing, changing, or deleting data; or installing programs,” DHS warned on Monday.
The DHS Cybersecurity and Infrastructure Security Agency (CISA) also confirmed the following operating systems (OS) are impacted:
- Windows 2000
- Windows Vista
- Windows XP
- Windows 7
- Windows Server 2003
- Windows Server 2003 R2
- Windows Server 2008
- Windows Server 2008 R2
The BlueKeep vulnerability exists in Remote Desktop Services (formerly known as Terminal Services) and impacts Windows servers running Remote Desktop Protocol (RDP).
The alert also follows warnings from security experts about a surge in scanning activity looking for unpatched Windows systems running RDP.
In addition to the obvious need for patching your Windows systems, DHS also published four good safeguards for organizations:
- Upgrade end-of-life operating systems (for example, to Windows 10).
- Disable unnecessary services to limit system exposure to vulnerabilities.
- Enable Network Level Authentication in Windows 7, Windows Server 2008, and Windows Server 2008 R2.
- Block Transmission Control Protocol (TCP) port 3389 on your organization’s perimeter firewall.
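One way to check a single host against the NLA and RDP-exposure safeguards above, as an added example that is not part of the DHS alert or the original article. The function names `Get-RdpSetting` and `Get-RdpExposure` are hypothetical; the script only reads standard Windows registry values and local listener state, and it cannot see the perimeter firewall, so the port 3389 block still has to be verified at the network edge.

```powershell
# Added example: read-only local audit of the RDP settings behind the DHS safeguards.
# Uses only cmdlets available in PowerShell 2.0 (Windows 7 / Server 2008 R2).

function Get-RdpSetting($Name) {
    # A Group Policy value, when present, overrides the local setting,
    # so the policy key is checked first.
    $paths = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services',
             'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp',
             'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    foreach ($p in $paths) {
        $item = Get-ItemProperty -Path $p -Name $Name -ErrorAction SilentlyContinue
        if ($item -ne $null) { return $item.$Name }
    }
    return $null
}

function Get-RdpExposure {
    $deny = Get-RdpSetting 'fDenyTSConnections'   # 0 = RDP connections allowed
    $nla  = Get-RdpSetting 'UserAuthentication'   # 1 = NLA required
    $port = Get-RdpSetting 'PortNumber'
    if ($port -eq $null) { $port = 3389 }         # default RDP port

    $svc    = Get-Service -Name TermService -ErrorAction SilentlyContinue
    $status = 'NotFound'
    if ($svc) { $status = $svc.Status }

    # Is anything actually listening on the RDP port (IPv4 or IPv6)?
    $listening = [bool](netstat -an |
        Select-String "^\s*TCP\s+\S+:$port\s+\S+\s+LISTENING")

    $findings = @()
    if ($deny -eq 0) {
        $findings += 'RDP is enabled: disable it if this host does not need it.'
        if ($nla -ne 1) {
            $findings += 'NLA is not required: enable Network Level Authentication.'
        }
    }
    if ($listening) {
        $findings += "TCP $port is listening: confirm the perimeter firewall blocks it."
    }

    New-Object PSObject -Property @{
        RdpEnabled    = ($deny -eq 0)
        NlaRequired   = ($nla -eq 1)
        Port          = $port
        ServiceStatus = $status
        Listening     = $listening
        Findings      = $findings
    }
}

Get-RdpExposure | Format-List
```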
In conclusion, this latest alert is another confirmation of the severity of the BlueKeep threat and of the need to keep your systems up to date with patches.