BlueKeep (security vulnerability)
BlueKeep () is a security vulnerability that was discovered in Microsoft's Remote Desktop Protocol (RDP) implementation, which allows for the possibility of remote code execution. First reported in May 2019, it is present in all unpatched Windows NT-based versions of Microsoft Windows from Windows 2000 through Windows Server 2008 R2 and Windows 7. Microsoft issued a security patch (including an out-of-band update for several versions of Windows that have reached their end-of-life, such as Windows XP) on 14 May 2019. On 13 August 2019, related BlueKeep security vulnerabilities, collectively named DejaBlue, were reported to affect newer Windows versions, including Windows 7 and all recent versions of the operating system up to Windows 10, as well as the older Windows versions. On 6 September 2019, a Metasploit exploit of the wormable BlueKeep security vulnerability was announced to have been released into the public realm.


History

The BlueKeep security vulnerability was first noted by the UK National Cyber Security Centre and, on 14 May 2019, reported by Microsoft. The vulnerability was named BlueKeep by computer security expert Kevin Beaumont on Twitter. BlueKeep is officially tracked as: and is a "wormable" remote code execution vulnerability. Both the U.S. National Security Agency (which issued its own advisory on the vulnerability on 4 June 2019) and Microsoft stated that this vulnerability could potentially be used by self-propagating worms, with Microsoft (based on a security researcher's estimation that nearly 1 million devices were vulnerable) saying that such a theoretical attack could be of a similar scale to EternalBlue-based attacks such as NotPetya and WannaCry. On the same day as the NSA advisory, researchers of the CERT Coordination Center disclosed a separate RDP-related security issue in the Windows 10 May 2019 Update and Windows Server 2019, citing a new behaviour where RDP Network Level Authentication (NLA) login credentials are cached on the client system, and the user can re-gain access to their RDP connection automatically if their network connection is interrupted. Microsoft dismissed this vulnerability as being intended behaviour, and it can be disabled via Group Policy.

As of 1 June 2019, no active malware exploiting the vulnerability seemed to be publicly known; however, undisclosed proof-of-concept (PoC) codes exploiting the vulnerability may have been available. On 1 July 2019, Sophos, a British security company, reported on a working example of such a PoC, in order to emphasize the urgent need to patch the vulnerability. On 22 July 2019, more details of an exploit were purportedly revealed by a conference speaker from a Chinese security firm. On 25 July 2019, computer experts reported that a commercial version of the exploit may have been available. On 31 July 2019, computer experts reported a significant increase in malicious RDP activity and warned, based on histories of exploits from similar vulnerabilities, that an active exploit of the BlueKeep vulnerability in the wild might be imminent. On 13 August 2019, related BlueKeep security vulnerabilities, collectively named DejaBlue, were reported to affect newer Windows versions, including Windows 7 and all recent versions of the operating system up to Windows 10, as well as the older Windows versions. On 6 September 2019, an exploit of the wormable BlueKeep security vulnerability was announced to have been released into the public realm. The initial version of this exploit was, however, unreliable, being known to cause "blue screen of death" (BSOD) errors. A fix was later announced, removing the cause of the BSOD error. On 2 November 2019, the first BlueKeep hacking campaign on a mass scale was reported, and included an unsuccessful cryptojacking mission. On 8 November 2019, Microsoft confirmed a BlueKeep attack, and urged users to immediately patch their Windows systems.


Mechanism

The RDP protocol uses "virtual channels", configured before authentication, as a data path between the client and server for providing extensions. RDP 5.1 defines 32 "static" virtual channels, and "dynamic" virtual channels are contained within one of these static channels. If a server binds the virtual channel "MS_T120" (a channel that a client has no legitimate reason to connect to) with a static channel other than 31, heap corruption occurs that allows for arbitrary code execution at the system level. Windows XP, Windows Vista, Windows 7, Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 were named by Microsoft as being vulnerable to this attack. Versions newer than 7, such as Windows 8, Windows 10 and Windows 11, were not affected. The Cybersecurity and Infrastructure Security Agency (CISA) stated that it had also successfully achieved code execution via the vulnerability on Windows 2000.
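To make the binding rule above concrete, the following Python model of the static channel table is added here as an illustration; it is not Microsoft's code, not taken from any exploit, and it does not parse the real MCS wire format. Channel requests are plain lists of names, "next free slot" assignment is an assumption made for the model, and the two sample channel lists are constructed. It contrasts the pre-patch binding the paragraph describes with the patched binding that pins MS_T120 to slot 31, and adds the defender-side check an RDP proxy or IDS would make: a client channel list naming MS_T120 is anomalous.

```python
"""Simplified model of RDP static virtual channel binding, added to
illustrate the page's description of BlueKeep.  Not Microsoft's code and
not the real MCS wire format: requests are plain lists of channel names and
"next free slot" assignment is an assumption made for the model."""

from dataclasses import dataclass, field

MAX_STATIC_CHANNELS = 32   # RDP 5.1 defines 32 static virtual channels
MS_T120 = "MS_T120"        # server-internal channel; clients have no reason to request it
MS_T120_SLOT = 31          # the slot the patch pins MS_T120 to


@dataclass
class ChannelTable:
    slots: dict = field(default_factory=dict)   # slot number -> channel name

    def __post_init__(self):
        # The server pre-binds its internal MS_T120 channel at slot 31.
        self.slots[MS_T120_SLOT] = MS_T120

    def next_free_slot(self):
        for i in range(MAX_STATIC_CHANNELS):
            if i not in self.slots:
                return i
        raise ValueError("no free static channel slot")


def bind_unpatched(requested):
    """Pre-patch behaviour as the page describes it: every requested name,
    MS_T120 included, is bound to the next free slot.  If MS_T120 lands in a
    slot other than 31 the server holds two bindings for one internal channel,
    the condition the page says leads to heap corruption."""
    table = ChannelTable()
    for name in requested:
        table.slots[table.next_free_slot()] = name
    return table


def bind_patched(requested):
    """Post-patch behaviour: a request naming MS_T120 is forced onto slot 31,
    which the server already owns, so no second binding is ever created."""
    table = ChannelTable()
    for name in requested:
        if name == MS_T120:
            table.slots[MS_T120_SLOT] = MS_T120   # already pinned; no-op
            continue
        table.slots[table.next_free_slot()] = name
    return table


def is_corruption_prone(table):
    """True when MS_T120 is bound to any slot other than 31."""
    return any(name == MS_T120 and slot != MS_T120_SLOT
               for slot, name in table.slots.items())


def inspect_request(requested):
    """Defender-side check for an RDP proxy or IDS: a client channel list that
    names MS_T120 is anomalous and worth alerting on."""
    findings = []
    if MS_T120 in requested:
        findings.append("client requested server-internal channel MS_T120")
    if len(requested) > MAX_STATIC_CHANNELS:
        findings.append("more channel names than static slots")
    return findings


# Constructed sample channel lists: a typical client request and an anomalous one.
NORMAL_REQUEST = ["rdpdr", "rdpsnd", "cliprdr", "drdynvc"]
ANOMALOUS_REQUEST = ["rdpdr", "rdpsnd", "MS_T120", "cliprdr"]

if __name__ == "__main__":
    for label, req in (("normal", NORMAL_REQUEST), ("anomalous", ANOMALOUS_REQUEST)):
        print(label,
              "unpatched corruption-prone:", is_corruption_prone(bind_unpatched(req)),
              "| patched:", is_corruption_prone(bind_patched(req)),
              "| findings:", inspect_request(req))
```

Running the script shows the anomalous list producing a second MS_T120 binding (slot 2) only in the unpatched model, while the patched model leaves the table with a single binding at slot 31; the same list is what inspect_request flags, which is the signal a detection rule keys on rather than any particular payload.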


Mitigation

Microsoft released patches for the vulnerability on 14 May 2019, for Windows XP, Windows Vista, Windows 7, Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2. This included versions of Windows that have reached their end-of-life (such as Vista, XP, and Server 2003) and thus are no longer eligible for security updates. The patch forces the aforementioned "MS_T120" channel to always be bound to 31 even if requested otherwise by an RDP server. The NSA recommended additional measures, such as disabling Remote Desktop Services and its associated port (TCP 3389) if it is not being used, and requiring Network Level Authentication (NLA) for RDP. According to computer security company Sophos, two-factor authentication may make the RDP issue less of a vulnerability. However, the best protection is to take RDP off the Internet: switch RDP off if not needed and, if needed, make RDP accessible only via a VPN.
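The mitigation guidance above reads as a priority order, and a defender with more than a handful of hosts will want to apply it systematically. The Python triage below is an added example, not Microsoft or NSA tooling: it scores each host in a constructed inventory by whether it runs an affected, unpatched version with RDP listening, whether TCP 3389 is reachable from the Internet, and whether NLA is enforced, then emits the actions the page recommends (patch; disable unused Remote Desktop Services; require NLA; reach RDP only over a VPN). The inventory field names are assumed and the hosts are fictional; DejaBlue's wider version range is not modelled.

```python
"""Added example: triage of RDP exposure over a constructed host inventory,
applying the mitigation guidance on this page (patch; disable unused Remote
Desktop Services and TCP 3389; require NLA; reach RDP only over a VPN).
Not Microsoft or NSA tooling; inventory fields are assumed, hosts are made up."""

from dataclasses import dataclass

# Versions the page names as vulnerable (Windows 2000 via CISA's result).
AFFECTED_OS = {
    "Windows 2000", "Windows XP", "Windows Vista", "Windows 7",
    "Windows Server 2003", "Windows Server 2008", "Windows Server 2008 R2",
}
RDP_PORT = 3389


@dataclass
class Host:
    name: str
    os: str
    bluekeep_patched: bool      # 14 May 2019 patch applied
    rdp_enabled: bool           # Remote Desktop Services listening
    internet_exposed: bool      # TCP 3389 reachable from the Internet
    nla_required: bool          # Network Level Authentication enforced
    rdp_needed: bool            # someone actually uses RDP on this host


def is_bluekeep_exposed(host):
    """Unpatched, affected OS with RDP listening: the condition to fix first."""
    return host.os in AFFECTED_OS and not host.bluekeep_patched and host.rdp_enabled


def recommendations(host):
    """Ordered actions implied by the page's guidance for one host."""
    actions = []
    if host.os in AFFECTED_OS and not host.bluekeep_patched:
        actions.append("apply the 14 May 2019 BlueKeep patch")
    if host.rdp_enabled and not host.rdp_needed:
        actions.append(f"disable Remote Desktop Services and close TCP {RDP_PORT}")
    elif host.rdp_enabled:
        if host.internet_exposed:
            actions.append("take RDP off the Internet; allow it only via VPN")
        if not host.nla_required:
            actions.append("require Network Level Authentication")
    return actions


def risk_score(host):
    """Higher is more urgent: exposure to the bug weighs most, then Internet
    reachability of RDP, then missing NLA."""
    score = 0
    if is_bluekeep_exposed(host):
        score += 4
    if host.rdp_enabled and host.internet_exposed:
        score += 2
    if host.rdp_enabled and not host.nla_required:
        score += 1
    return score


def triage(hosts):
    """Hosts sorted most urgent first, each with its score and action list."""
    ranked = sorted(hosts, key=risk_score, reverse=True)
    return [(h.name, risk_score(h), recommendations(h)) for h in ranked]


# Constructed inventory (fictional hosts).
INVENTORY = [
    Host("ws-acct", "Windows 7", True, True, False, True, True),
    Host("kiosk-03", "Windows XP", False, True, False, False, False),
    Host("lab-vm", "Windows 10", True, True, True, False, True),
    Host("legacy-srv", "Windows Server 2008 R2", False, True, True, False, True),
]

if __name__ == "__main__":
    for name, score, actions in triage(INVENTORY):
        print(f"{name:12} score={score} -> {actions or ['no action']}")
```

The ordering puts the unpatched 2008 R2 server with Internet-facing RDP first and the patched, NLA-protected Windows 7 workstation last, with no action for the latter; the Windows 10 host still gets "take RDP off the Internet" and "require NLA" because those recommendations on the page are not tied to BlueKeep-affected versions alone.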


See also

* Bad Rabbit ransomware attack – 2017
* WannaCry ransomware attack
* Blaster (computer worm)
* Dyn cyberattack – 2016
* Sasser (computer worm)
* EternalBlue


External links


BlueKeep: Windows Update patches (Microsoft).
Proof-of-Concept of the flaw by Sophos