Microsoft has announced the BlueKeep vulnerability, a wormable Remote Desktop vulnerability that has a high potential of being exploited in legacy operating systems.
Be warned, this vulnerability can be exploited remotely with no authentication required. Protect yourself from what people are calling the next WannaCry.
1. EVERYTHING YOU NEED TO KNOW ABOUT BLUEKEEP
Chris Goettl
Director of Product Management, Security
Brian Secrist
Staff Quality Assurance Engineer
2. Agenda
BlueKeep – What we know so far
Details about CVE-2019-0708
Remediation vs Mitigation
Driving toward a 14 day ‘Time to Patch’
Do you need a quick fix for those XP and 2003 systems?
Special Extended Trial Offer
3. BlueKeep News
May 14th, 2019 – Patch Tuesday
Microsoft warns of critical vulnerability that is ‘Wormable’
https://blogs.technet.microsoft.com/msrc/2019/05/14/prevent-a-worm-by-updating-remote-desktop-services-cve-2019-0708/
Brian Krebs relates this to the 2017 WannaCry event
https://krebsonsecurity.com/2019/05/microsoft-patches-wormable-flaw-in-windows-xp-7-and-windows-2003/
Microsoft CVE describing the vulnerability
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708
8. BlueKeep News
May 15th, 2019 – Social Media and GitHub activities begin
The race begins and social media is
https://mobile.twitter.com/BlueKeepTracker
May 17th, 2019 – PoC available on GitHub, fake PoCs also
PoC available on GitHub, currently not able to inflict damage
https://www.askwoody.com/2019/theres-now-a-freely-available-proof-of-concept-exploit-for-the-wormable-winxp-win7-bug/
May 20th, 2019 – BSOD achieved
@GossiTheDog on Twitter shared:
“Kaspersky/@oct0xor got Blue Screen with #BlueKeep. The GIF is authentic. Three different researchers at different companies have reached this stage so far. Note this in itself does not allow code execution.”
15. Defense In Depth
Vulnerability lifecycle timeline (slide diagram): Unknown Vulnerabilities – Exploited Zero Day – Public Disclosure – Day Zero: Update Releases – 0-2 Weeks: Rising Risk – 2-4 Weeks: 50% of exploits have occurred – 40-60 Days: 90% of exploits have occurred – 120 Days
#1 Patch Management to reduce Attack Surface
#2 Application Control to block malware and untrusted payloads
#3 Privilege Management to prevent lateral movement pivot
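The lifecycle timeline on this slide gives the risk windows the deck uses to argue for a 14 day Time to Patch. The Python script below is an added example, not part of the webinar or any Ivanti product: it takes a patch inventory and reports which hosts met the 14 day goal, which patched late, and which exposure window each still-unpatched host sits in. The release date is the May 14th, 2019 Patch Tuesday from the deck; the reporting date, host names and install dates are constructed assumptions.

```python
from datetime import date
from statistics import mean
from typing import Dict, Optional

# Risk windows from the slide's vulnerability lifecycle timeline, as days
# after the update release ("Day Zero"). Upper bounds are inclusive.
RISK_WINDOWS = [
    (14, "0-2 weeks: rising risk"),
    (28, "2-4 weeks: 50% of exploits have occurred"),
    (60, "29-60 days: 90% of exploits have occurred by day 40-60"),
]
TIME_TO_PATCH_GOAL_DAYS = 14  # the deck's 14 day 'Time to Patch' target

# Day Zero for CVE-2019-0708: the May 14th, 2019 Patch Tuesday release.
RELEASE = date(2019, 5, 14)
# Constructed reporting date and inventory (hypothetical host names and
# install dates; None means the update is not installed yet).
AS_OF = date(2019, 7, 2)
SAMPLE_INVENTORY: Dict[str, Optional[date]] = {
    "ws-01": date(2019, 5, 16),
    "ws-02": date(2019, 5, 28),
    "srv-03": date(2019, 6, 4),
    "srv-xp-04": None,
    "ws-05": date(2019, 6, 20),
}


def exposure_window(days_since_release: int) -> str:
    """Map a day count after Day Zero to the slide's risk window label."""
    if days_since_release < 0:
        raise ValueError("update has not been released yet")
    for limit, label in RISK_WINDOWS:
        if days_since_release <= limit:
            return label
    return "over 60 days: past the 90% mark on the timeline"


def time_to_patch_report(release: date, as_of: date,
                         inventory: Dict[str, Optional[date]]) -> dict:
    """Classify each host by its time to patch relative to the 14 day goal.

    Returns a dict with hosts that met the goal, hosts that patched late,
    unpatched hosts with their current exposure window, the percentage of
    hosts meeting the goal and the mean time to patch of patched hosts.
    """
    within_goal, late, unpatched = [], [], {}
    for host, patched_on in inventory.items():
        if patched_on is None:
            # Still exposed: measure exposure up to the reporting date.
            days_exposed = (as_of - release).days
            unpatched[host] = (days_exposed, exposure_window(days_exposed))
            continue
        ttp = (patched_on - release).days
        if ttp < 0:
            raise ValueError(f"{host}: install date precedes the release")
        (within_goal if ttp <= TIME_TO_PATCH_GOAL_DAYS else late).append((host, ttp))
    total = len(inventory)
    patched_days = [d for _, d in within_goal + late]
    return {
        "total": total,
        "within_goal": within_goal,
        "late": late,
        "unpatched": unpatched,
        "goal_pct": round(100 * len(within_goal) / total, 1) if total else 0.0,
        "mean_ttp_days": mean(patched_days) if patched_days else None,
    }


if __name__ == "__main__":
    report = time_to_patch_report(RELEASE, AS_OF, SAMPLE_INVENTORY)
    print(f"{report['goal_pct']}% of {report['total']} hosts patched within "
          f"{TIME_TO_PATCH_GOAL_DAYS} days (mean {report['mean_ttp_days']} days)")
    for host, ttp in report["late"]:
        print(f"  late:      {host} patched after {ttp} days")
    for host, (days, window) in report["unpatched"].items():
        print(f"  UNPATCHED: {host} exposed {days} days -> {window}")
```

In a real deployment the inventory would come from the patch management tool's install records; the point of the window label is that an unpatched host is not a static finding but one whose likelihood of being hit grows along the timeline on the slide.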
17. Ivanti Wants to Help Prevent the Next WannaCry
Special Extended Trial Offer
Ivanti Security Controls – Patch, Application Control, Privilege Management
90 days
1000 systems
No strings attached.
Installed and running your first assessment in 30 minutes or less
Fill out this form to get your free 90 day license.
https://go.ivanti.com/Web-FT-ISeC-BlueKeep.html
Most important, Patch CVE-2019-0708!
19. Why are you still here?
The webinar is over.
You should be Patching!
You’re still here?
It’s over.
You should be Patching!
Editor's Notes
Let's return to our vulnerability lifecycle model.
(Click) Patching is the greatest reducer of attack surface, but patching alone will not stop everything.
(Click) The CIS framework and many other security frameworks agree that Application Control is one of the most effective complements to patching. It can block file-based malware and untrusted payloads, preventing many attacks from gaining a foothold even if a software vulnerability was exploited.
(Click) Privilege Management is also necessary to reclaim administrative rights, which helps limit lateral movement throughout an environment if a threat actor gains a foothold.
(Click) Application Control and Privilege Management also protect systems before an update is available, or in the case where you have an exception and an update cannot be pushed.
References:
CVE data taken from CVE Details. This is the number of vulnerabilities reported and confirmed by MITRE; it filters out contended, duplicate and revoked CVEs.
Average time to patch in 2016 taken from the Verizon Data Breach Investigations Report.
Average time to patch in 2018 taken from a report by tCell, which found that patching critical CVEs took an average of 34 days: https://blog.tcell.io/whats-going-on-appliation-security-report-2018