The Australian Cyber Security Centre is playing a little catch up with Microsoft and its own counterpart in the US in warning Australian organizations to patch CVE-2019-0708, the Windows Remote Desktop Services (RDS) bug know as Bluekeep.
On Tuesday, as CSO Online reported, the US National Security Agency strongly urged Windows admins to patch the Bluekeep bug, which Microsoft warned on May 14 was a wormable bug, meaning it could spread automatically from PC to PC without users clicking on anything.
Microsoft is concerned that the RDS bug could lead to an attack on the scale of WannaCry, the massive ransomware outbreak that happened in May 2017, crippling many systems at the UK’s National Health Service (NHS).
The RDS bug allows an attacker without valid credentials to connect to a vulnerable system over Remote Desktop Protocol (RDP) and send specially crafted RDP requests. An attacker who exploits the flaw could then execute code of their choice and install malware.
“This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system,” Microsoft explained in its initial advisory.
What makes this bug interesting is that it was reported to Microsoft by the UK’s National Cyber Security Centre (NCSC), an arm of the UK’s spy agency, GCHQ, that helps UK organizations improve cybersecurity.
WannaCry was made possible by the leak of an NSA exploit dubbed EternalBlue that exploited old Windows flaws in the SMBv1 protocol that the NSA didn’t disclose to Microsoft for potentially years as it used it for its own network exploitation activities.
As with the flaws EternalBlue exploited, Microsoft has decided to offer patches for unsupported Windows XP due to the potential impact it could have. At the end of May it even delivered a second reminder for Windows admins to patch the flaw.
“As an indication of just how significant the impacts of BlueKeep can be to their customers, Microsoft took the unusual step of publishing advice to warn of its ability to propagate or ‘worm’ through vulnerable computer systems, with no user interaction at all,” the ACSC said in a press release on Wednesday in the wake of the NSA’s advisory.
The Australia cybersecurity agency says it had already told government and critical infrastructure partners about the threat of Bluekeep and provided “detailed mitigation advice for businesses who rely on legacy Windows operating systems.”
The purpose of the public advisory is to notify small businesses who might also be exposed.
“With potentially millions of networks vulnerable, we’re now notifying smaller entities and owners and operators of businesses around Australia, of the need to patch your systems as soon as possible,” said ACSC.
Microsoft says it has not seen the bug being actively exploited in the wild but expects malicious actors to do so imminently. However, there is now proof of concept exploit code for the bug available that demonstrates that full system take over is possible using the flaw.
The bug doesn’t affect Windows 10 systems, but there are still plenty of systems running Windows 7 and below and their corresponding Windows Server versions that are vulnerable. One analysis suggested a million or more Windows machines were vulnerable to Blluekeep and Microsoft believes there are more vulnerable machines behind corporate firewalls.
The NSA urged Windows admins to instal Microsoft patches but also firewall blocks on TCP Port 3389, which is used by RDP. It also recommends enabling Network Level Authentication (NLA) and to disable remote Desktop Services if they’re not needed.
ACSC urged Windows users to deny access to Remote Desktop Protocols (RDP) directly from the internet, including blocking all access to RDP, using “a VPN with multifactor authentication, if internet based access to RDP is required”.
It also recommended applying network segmentation, denying PC access to RDP, limiting RDP to servers, and adding Network Level Authentication.
That GCHQ's NCSC reported it leads to a few potential partially explains why Bluekeep is on the radar now. The other reason is it is a potent bug that a spy agency would love to have its hands on exclusively.
Nicholas Weaver of the International Computer Science Institute speculated three possible reasons NCSC reported the bug to Microsoft.
"It could be that the organization simply discovered this vulnerability and disclosed it. It could be that the GCHQ discovered the vulnerability and used it and then an opponent captured it for the opponent’s own use. Or the GCHQ might have discovered someone else using it. All three possibilities speak well of the GCHQ’s internal processes, but I hope the organization will formally disclose which one is true: This information would help shape policy discussions around vulnerability disclosure."
This reporter asked NCSC when the Bluekeep flaw was discovered and whether it was ever exploited by GCHQ.
A spokesperson for NCSC did not answer this reporter's questions but offered this answer instead:
“The NCSC works with vendors to help mitigate critical security issues and we have a history of disclosing vulnerabilities to major software vendors. The disclosure of CVE-2019-0708 to Microsoft is an example of that.
“The NCSC recommends that organisations and individuals apply Microsoft’s May security patches as soon as possible.”