June 17, 2019
CISA Issues Alert for Microsoft BlueKeep Vulnerability
The Cybersecurity and Infrastructure Security Agency (CISA) has released an alert regarding a recent Microsoft OS vulnerability.
Microsoft first announced the vulnerability in Remote Desktop Services on May 14. The vulnerability affects operating systems back to Windows XP and Server 2003, and Microsoft considered it significant enough to release patches for these unsupported operating systems through its Update Catalog. In addition to XP and Server 2003, Windows 7 and Server 2008 are also vulnerable. Fortunately, Windows 8 and Windows 10 do not have the vulnerability. Following the initial announcement, Datto RMM released a component to automate patching of the affected OSs. Learn more about how to leverage Datto RMM to migrate from Windows 7 to Windows 10.
The CISA alert encourages users and admins to apply the appropriate mitigation measures as soon as possible:
- Install available patches: Microsoft patched this vulnerability and released patches for a number of OSs that are no longer officially supported, including Windows Vista, Windows XP, and Windows Server 2003.
- Upgrade end-of-life (EOL) OSs: Consider upgrading any EOL OSs no longer supported by Microsoft to a newer, supported OS.
- Disable unnecessary services: Disable services not being used by the OS. This best practice limits exposure to vulnerabilities.
- Enable Network Level Authentication: Enable Network Level Authentication in Windows 7, Windows Server 2008, and Windows Server 2008 R2. This forces a session request to be authenticated and effectively mitigates against BlueKeep, because exploiting the vulnerability requires an unauthenticated session.
- Block Transmission Control Protocol (TCP) port 3389 at the enterprise perimeter firewall: Because port 3389 is used to initiate an RDP session, blocking it prevents an attacker from exploiting BlueKeep from outside the user’s network. However, this will block legitimate RDP sessions and may not prevent unauthenticated sessions from being initiated inside a network.
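To see where a single host stands against the checklist above, the following read-only PowerShell audit is an added example, not part of the CISA alert or a Datto RMM component. The function name and output fields are hypothetical; it reads the standard Terminal Server registry values and does not check patch level.

```powershell
# Added example: read-only audit of the local host against the mitigations listed above.
# Get-RdpMitigationStatus and its output field names are hypothetical, chosen for illustration.
function Get-RdpMitigationStatus {
    $ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcp = "$ts\WinStations\RDP-Tcp"

    # Get-WmiObject keeps the check usable on PowerShell 2.0 (Windows 7 / Server 2008 R2).
    $os  = Get-WmiObject -Class Win32_OperatingSystem
    $ver = [version]$os.Version

    # fDenyTSConnections = 0 means the host accepts Remote Desktop connections.
    $deny = (Get-ItemProperty -Path $ts -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    # UserAuthentication = 1 means NLA is required; a missing value counts as not enforced.
    $nla  = (Get-ItemProperty -Path $tcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    # PortNumber is the RDP listener port (3389 unless it has been changed).
    $port = (Get-ItemProperty -Path $tcp -Name PortNumber -ErrorAction SilentlyContinue).PortNumber
    $svc  = Get-Service -Name TermService -ErrorAction SilentlyContinue

    # Per the article, Windows 8 (NT 6.2) and later do not have the vulnerability.
    $affectedFamily = ($ver -lt [version]'6.2')
    $rdpEnabled     = ($deny -eq 0)
    $nlaRequired    = ($nla -eq 1)

    New-Object PSObject -Property @{
        Computer          = $env:COMPUTERNAME
        OperatingSystem   = $os.Caption
        AffectedOsFamily  = $affectedFamily
        RdpEnabled        = $rdpEnabled
        RdpServiceRunning = ($svc.Status -eq 'Running')
        NlaRequired       = $nlaRequired
        ListenerPort      = $port
        # Affected OS accepting RDP sessions without NLA: patch first, then enable NLA or disable RDP.
        ExposedWithoutNla = ($affectedFamily -and $rdpEnabled -and -not $nlaRequired)
    } | Select-Object Computer, OperatingSystem, AffectedOsFamily, RdpEnabled,
                      RdpServiceRunning, NlaRequired, ListenerPort, ExposedWithoutNla
}

Get-RdpMitigationStatus | Format-List
```

A host reporting `ExposedWithoutNla : True` is the priority for patching. The perimeter block on TCP 3389 has to be verified on the firewall itself, since this check only sees the local listener.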
This type of development is a great opportunity for MSPs to reaffirm the importance of migrating devices to Windows 10 or Server 2019 for customers who are still considering it. Being able to demonstrate the threat before it disrupts a business can be very compelling to a business owner.
With RDP continuing to be a primary focus of attackers targeting MSPs and their customers, this creates another opportunity for MSPs to revisit open RDP access, patch, and close that access off, according to Datto CISO Ryan Weeks.