BlueKeep: Perimeter Assessments Remain As Important As Ever

The basic security principle of keeping the attack surface as small as possible is still as important as ever, however you define your perimeter.  Keeping an eye on the attack surface of the network perimeter is not an obsolete activity; it is as important today as it was twenty years ago.

Hopefully lessons have been learned from the WannaCry outbreak two years ago.  Despite vendor patches being available two months before the EternalBlue vulnerability was weaponised, it caused worldwide disruption from its ransomware payload on an unprecedented scale.  Several sources concluded that exposure of SMB services on the Internet was the initial infection vector used by the attackers.

On 14 May 2019, Microsoft released a fix for a critical Remote Code Execution vulnerability (CVE-2019-0708) in Remote Desktop Services (RDS), known as “BlueKeep”.  This underlined the importance of maintaining a minimal attack surface.

Despite RDS being made more robust over the years, it was only intended for use in private networks and is unlikely to offer the suite of controls and integration expected in a purpose-built remote access Internet gateway.  Eliminating RDS connectivity from the Internet can be problematic for some organisations, but there are robust architecture designs using RD Gateway which can be used to minimise the risk:

The immediate tactical advice in the case of BlueKeep is to patch all affected systems and block access to RDS where it is exposed.  We strongly recommend that the patch be applied company-wide as soon as possible.  Full exploit code is likely to appear soon, and as the vulnerability is wormable, widespread compromises could occur rapidly.

On a general pre-emptive note, we recommend that your network perimeter be security hardened.  Assess the attack surface of the perimeter frequently and thoroughly to identify services which have inherent weaknesses, a poor security reputation, or were never intended to be exposed to the Internet.  Obsolete or redundant services should also be removed from the Internet.  Relying on reports from vulnerability scanners to assess security proactively may not be enough; a typical scanner may not highlight an attack surface concern at all unless it presents a known and verified vulnerability.
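As an added illustration of the last point (example code written for this page, not the firm's own tooling): a small exposure check that reads nmap's grepable output (`-oG`) from a perimeter scan and flags services the post says should never face the Internet, whether or not the scanner attached a known CVE to them. The port-to-service policy and the sample scan output are constructed assumptions for this example.

```python
from dataclasses import dataclass

# Policy: services the post argues should not be Internet-facing regardless of
# whether a scanner reports a known vulnerability against them (assumed list).
NEVER_EXPOSE = {
    3389: "RDS/RDP: intended for private networks; put behind RD Gateway or VPN",
    445: "SMB: initial infection vector concluded for WannaCry/EternalBlue",
    139: "NetBIOS session service (SMB over NetBIOS)",
}

# Constructed sample of nmap -oG output; fields within a line are tab-separated.
SAMPLE = """# Nmap grepable output (constructed sample for this example)
Host: 203.0.113.10 ()\tStatus: Up
Host: 203.0.113.10 ()\tPorts: 443/open/tcp//https///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (998)
Host: 203.0.113.11 ()\tPorts: 445/open/tcp//microsoft-ds///, 3389/filtered/tcp//ms-wbt-server///\tIgnored State: filtered (998)
"""


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    service: str
    reason: str


def parse_grepable(text):
    """Yield (host, port, proto, service) for every open port in -oG output."""
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comment lines and Status-only lines carry no ports
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        host = fields["Host"].split()[0]
        for entry in fields["Ports"].split(", "):
            # entry layout: port/state/proto/owner/service/rpc/version/
            parts = entry.split("/")
            port, state, proto, service = int(parts[0]), parts[1], parts[2], parts[4]
            if state == "open":
                yield host, port, proto, service


def exposed_services(text):
    """Return policy violations: open TCP ports on the never-expose list."""
    return [Finding(h, p, s, NEVER_EXPOSE[p])
            for h, p, proto, s in parse_grepable(text)
            if proto == "tcp" and p in NEVER_EXPOSE]


if __name__ == "__main__":
    for f in exposed_services(SAMPLE):
        print(f"{f.host}:{f.port} ({f.service}) - {f.reason}")
```

The filtered 3389 on the second host is not reported; only confirmed open ports count as exposure.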