After Microsoft warned Windows users on two separate occasions to patch a severe security flaw known as BlueKeep, now, the US National Security Agency has echoed the OS maker's warning in the hopes of avoiding another WannaCry-like incident.
This vulnerability affects the Remote Desktop Protocol (RDP) service included in older versions of the Windows OS, such as Windows XP, Windows Vista, Windows 7, Windows Server 2003, and Windows Server 2008.
Microsoft released patches for all these operating systems on May 14, during the company's monthly Patch Tuesday event, but the company also warned that the vulnerability is extremely dangerous because it can be weaponized to create a self-spreading exploit.
In its first warning on this matter, Microsoft likened BlueKeep to EternalBlue, the exploit that was at the heart of the self-spreading component used during WannaCry, NotPetya, and Bad Rabbit -- the three ransomware outbreaks of 2017.
Two weeks after Microsoft released fixes, the company issued a second warning after a security researcher found that system administrators were lagging behind with their patching process.
The security researcher found almost one million Windows computers that were vulnerable to BlueKeep attacks, a number he proclaimed to be the lower tier in his prognosis, as other computers couldn't be scanned because they were sitting inside closed networks.
NSA echoes Microsoft's fears
"It is likely only a matter of time before remote exploitation code is widely available for this vulnerability," the NSA said today, echoing the same message from Microsoft's second warning.
"[The] NSA is concerned that malicious cyber actors will use the vulnerability in ransomware and exploit kits containing other known exploits, increasing capabilities against other unpatched systems.
"[The] NSA urges everyone to invest the time and resources to know your network and run supported operating systems with the latest patches," the agency said.
Besides applying Microsoft's patches, the agency recommended that affected organizations also apply additional security measures against RDP attacks, such as:
- Block TCP port 3389 at your firewalls, especially any perimeter firewalls exposed to the internet. RDP listens on this port, so blocking it stops inbound attempts to establish a connection.
- Enable Network Level Authentication. This security improvement requires attackers to present valid credentials before a remote session is established.
- Disable Remote Desktop Services if they are not required. Disabling unused and unneeded services helps reduce exposure to security vulnerabilities overall and is a best practice even without the BlueKeep threat.
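The following PowerShell script is an added example, not code from the article or from the NSA advisory. It audits a Windows host against the three measures above and, with -Remediate, applies them: it requires NLA when RDP is still needed, and otherwise turns Remote Desktop off, disables the TermService service, and adds a host-firewall block for TCP 3389 (a stand-in for the perimeter block the NSA describes; the perimeter rule still has to be set on the network firewall). Assumptions: the script runs elevated, the registry values are the standard Terminal Server keys (fDenyTSConnections and the RDP-Tcp UserAuthentication value, which is meaningful on Vista/Server 2008 and later), and the firewall rule name is chosen here. None of this replaces the May 14 patch.

```powershell
<#
  Added example: audit and optionally harden RDP exposure on one host.
  Usage:  .\Check-RdpHardening.ps1                      # report only
          .\Check-RdpHardening.ps1 -Remediate -RdpRequired   # keep RDP, enforce NLA
          .\Check-RdpHardening.ps1 -Remediate                # RDP not needed: disable + block
#>
[CmdletBinding()]
param(
    [switch]$Remediate,    # without this switch nothing is changed
    [switch]$RdpRequired   # set when the host legitimately needs Remote Desktop
)

# Standard Terminal Server registry locations (assumed defaults, not from the article)
$tsKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp   = "$tsKey\WinStations\RDP-Tcp"
$ruleName = 'Block inbound RDP 3389'   # name chosen for this example

function Get-RdpPosture {
    # fDenyTSConnections = 1 means Remote Desktop is turned off
    $deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    # UserAuthentication = 1 means Network Level Authentication is required
    $nla  = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    # Win32_Service exposes StartMode on every supported PowerShell version
    $svc  = Get-WmiObject -Class Win32_Service -Filter "Name='TermService'" -ErrorAction SilentlyContinue
    # netsh prints the rule details, including a "LocalPort:" line, when the rule exists
    $rule = netsh advfirewall firewall show rule name="$ruleName" 2>$null

    [pscustomobject]@{
        RemoteDesktopEnabled   = ($deny -ne 1)
        NlaRequired            = ($nla -eq 1)
        TermServiceState       = if ($svc) { $svc.State } else { 'NotInstalled' }
        TermServiceStartMode   = if ($svc) { $svc.StartMode } else { 'NotInstalled' }
        HostFirewallBlocks3389 = [bool]($rule -match 'LocalPort:\s+3389')
    }
}

function Set-RdpHardening {
    param([bool]$KeepRdp)

    if ($KeepRdp) {
        # Measure 2: require NLA so an unauthenticated client cannot establish a session
        Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1 -Type DWord
        Write-Output "NLA enforced on RDP-Tcp listener."
        return
    }

    # Measure 3: RDP not required, so turn Remote Desktop off and disable the service behind it
    Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1 -Type DWord
    Stop-Service -Name TermService -Force -ErrorAction SilentlyContinue
    Set-Service  -Name TermService -StartupType Disabled

    # Measure 1 (host-level counterpart): block inbound TCP 3389 on the Windows Firewall
    netsh advfirewall firewall add rule name="$ruleName" dir=in action=block protocol=TCP localport=3389 | Out-Null
    Write-Output "Remote Desktop disabled, TermService disabled, inbound TCP 3389 blocked on host firewall."
}

# Report current posture first, so the change is visible in a before/after comparison
Write-Output "Before:"
Get-RdpPosture | Format-List

if ($Remediate) {
    Set-RdpHardening -KeepRdp:$RdpRequired
    Write-Output "After:"
    Get-RdpPosture | Format-List
}
```

Run the report form across a fleet (for example through remoting or a scheduled task) to find hosts that still expose RDP without NLA; those are the machines to patch and harden first.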
Another RDP vulnerability
The NSA's warning came on the same day that experts from the CERT Coordination Center at Carnegie Mellon University revealed details about a new security flaw in the RDP service.
This security flaw -- tracked as CVE-2019-9510 -- can be used to hijack existing RDP sessions to gain access to vulnerable computers.
Unlike BlueKeep, this one is less dangerous, as it can't be exploited en masse and requires the attacker to be in a position to interfere with a user's RDP traffic or connection.
There are no patches for this new RDP flaw. Microsoft's next Patch Tuesday is scheduled for next week, June 11.