steven36 Posted June 5, 2019

It’s not every day that the National Security Agency urges you to update your computer. Three weeks ago, a critical Windows security vulnerability known as BlueKeep was revealed and fixed. In that short time, Microsoft has repeatedly begged users of older Windows versions to make sure their machines are up to date. The company even released fixes for Windows XP, Server 2003, and Vista—a slate of unsupported operating systems that usually don’t get much attention. Now, it’s an American intelligence agency echoing Microsoft.

“Recent warnings by Microsoft stressed the importance of installing patches to address a protocol vulnerability in older versions of Windows,” the NSA advisory read. “Microsoft has warned that this flaw is potentially ‘wormable,’ meaning it could spread without user interaction across the internet. We have seen devastating computer worms inflict damage on unpatched systems with wide-ranging impact, and are seeking to motivate increased protections against this flaw.”

Here’s NSA’s Rob Joyce on Twitter:

In addition to its more famous offensive mission of global electronic surveillance, the NSA is also tasked with defending U.S. networks. The NSA’s Cybersecurity Requirement Center authored the advisory, which listed out impacted systems and directions for mitigation.

Microsoft’s warning compares BlueKeep to WannaCry, the notorious 2017 ransomware worm allegedly developed by North Korea that infected hundreds of thousands of computers and caused millions of dollars in damage. Although BlueKeep affects mostly older Windows versions, there are millions of old, unsupported Windows machines still out there—and, believe it or not, still being used in important places. It’s not unheard of for an American energy company, for instance, to have a Windows XP machine somewhere on the network. That’s when using an old machine becomes a vulnerability to critical infrastructure. The Defense Department is also famous for its use of ancient Windows machines.

“Although Microsoft has issued a patch, potentially millions of machines are still vulnerable,” the NSA wrote. “This is the type of vulnerability that malicious cyber actors frequently exploit through the use of software code that specifically targets the vulnerability. For example, the vulnerability could be exploited to conduct denial of service attacks,” it added. “It is likely only a matter of time before remote exploitation tools are widely available for this vulnerability. NSA is concerned that malicious cyber actors will use the vulnerability in ransomware and exploit kits containing other known exploits, increasing capabilities against other unpatched systems.”
steven36 Posted June 5, 2019 (Author)

A security researcher today revealed details of a newly unpatched vulnerability in Microsoft Windows Remote Desktop Protocol (RDP). Tracked as CVE-2019-9510, the reported vulnerability could allow client-side attackers to bypass the lock screen on remote desktop (RD) sessions.

Discovered by Joe Tammariello of Carnegie Mellon University Software Engineering Institute (SEI), the flaw exists when Microsoft Windows Remote Desktop feature requires clients to authenticate with Network Level Authentication (NLA), a feature that Microsoft recently recommended as a workaround against the critical BlueKeep RDP vulnerability.

According to Will Dormann, a vulnerability analyst at the CERT/CC, if a network anomaly triggers a temporary RDP disconnect while a client was already connected to the server but the login screen is locked, then "upon reconnection the RDP session will be restored to an unlocked state, regardless of how the remote system was left."

"Starting with Windows 10 1803 and Windows Server 2019, Windows RDP handling of NLA-based RDP sessions has changed in a way that can cause unexpected behavior with respect to session locking," Dormann explains in an advisory published today. "Two-factor authentication systems that integrate with the Windows login screen, such as Duo Security MFA, are also bypassed using this mechanism. Any login banners enforced by an organization will also be bypassed."

Proof of Concept Video Demonstration

Here's a video that Leandro Velasco from KPN Security Research Team shared with The Hacker News demonstrating how easy it is to exploit the flaw.

The CERT describes the attack scenario as the following: A targeted user connects to a Windows 10 or Server 2019 system via RDS. The user locks the remote session and leaves the client device unattended. At this point, an attacker with access to the client device can interrupt its network connectivity and gain access to the remote system without needing any credentials.

This means that exploiting this vulnerability is very trivial, as an attacker just needs to interrupt the network connectivity of a targeted system. However, since the attacker requires physical access to such a targeted system (i.e., an active session with locked screen), the scenario itself limits the attack surface to a greater extent.

Tammariello notified Microsoft of the vulnerability on April 19, but the company responded by saying the "behavior does not meet the Microsoft Security Servicing Criteria for Windows," which means the tech giant has no plans to patch the issue anytime soon.

However, users can protect themselves against potential exploitation of this vulnerability by locking the local system instead of the remote system, and by disconnecting the remote desktop sessions instead of just locking them.
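As an added example (not code from the CERT/CC advisory, the article, or the poster): a PowerShell script, run elevated on the RD Session Host, that follows through on the mitigation the post describes by making sessions disconnect instead of sitting locked. It sets the Terminal Services idle-time policy so unattended sessions are disconnected (after which reconnecting goes through NLA again), and it disconnects any currently attached RDP session already idle past a threshold. The registry value names (`MaxIdleTime`, `fResetBroken`), the `query user` column layout and the `tsdiscon` call are assumptions about standard Windows tooling, not something the advisory states; the 10-minute threshold is arbitrary.

```powershell
# Added example: "disconnect, don't just lock" for RDP sessions (CVE-2019-9510 mitigation).
# Run elevated on the RD Session Host. Not part of the CERT/CC advisory or the article.
# Assumptions: MaxIdleTime/fResetBroken are the values behind the "Set time limit for active
# but idle Remote Desktop Services sessions" policy; 'query user' output is parsed heuristically.

param(
    [int]$IdleMinutes = 10   # arbitrary threshold; tune for your environment
)

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Set-RdpIdleDisconnectPolicy {
    param([int]$Minutes)
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    # MaxIdleTime is in milliseconds. When reached, the session is disconnected.
    # fResetBroken=0 keeps the disconnected session alive; reconnecting requires NLA again.
    New-ItemProperty -Path $PolicyKey -Name 'MaxIdleTime' -PropertyType DWord `
        -Value ($Minutes * 60 * 1000) -Force | Out-Null
    New-ItemProperty -Path $PolicyKey -Name 'fResetBroken' -PropertyType DWord -Value 0 -Force | Out-Null
    Get-ItemProperty -Path $PolicyKey | Select-Object MaxIdleTime, fResetBroken
}

# IDLE TIME column is '.' (none), 'N' minutes, 'H:MM', or 'D+HH:MM'.
function ConvertTo-IdleMinutes {
    param([string]$Idle)
    if ($Idle -eq '.' -or $Idle -eq 'none') { return 0 }
    if ($Idle -match '^(?:(\d+)\+)?(\d+):(\d+)$') {
        $days = if ($Matches[1]) { [int]$Matches[1] } else { 0 }
        return $days * 1440 + [int]$Matches[2] * 60 + [int]$Matches[3]
    }
    if ($Idle -match '^\d+$') { return [int]$Idle }
    return 0
}

# Parse one 'query user' line. Constructed example of such a line:
#   alice                 rdp-tcp#3           2  Active      1:05  6/5/2019 9:02 AM
function ConvertFrom-QueryUserLine {
    param([string]$Line)
    # Columns are separated by runs of spaces; a leading '>' marks the caller's own session.
    $fields = @(($Line.TrimStart('>') -split '\s{2,}') | Where-Object { $_ -ne '' })
    if ($fields.Count -lt 5) { return $null }
    # For a disconnected session the SESSIONNAME column is empty, shifting fields left.
    if ($fields.Count -eq 5) { $fields = @($fields[0], '', $fields[1], $fields[2], $fields[3], $fields[4]) }
    New-Object PSObject -Property @{
        UserName    = $fields[0]
        SessionName = $fields[1]
        Id          = [int]$fields[2]
        State       = $fields[3]
        IdleMinutes = ConvertTo-IdleMinutes $fields[4]
    }
}

function Disconnect-IdleRdpSessions {
    param([int]$Minutes)
    $lines = @(query user 2>$null) | Select-Object -Skip 1   # skip the header row
    foreach ($line in $lines) {
        $s = ConvertFrom-QueryUserLine $line
        if ($null -eq $s) { continue }
        # Only RDP sessions that are still attached (Active) and idle past the threshold.
        if ($s.State -eq 'Active' -and $s.SessionName -like 'rdp-tcp*' -and $s.IdleMinutes -ge $Minutes) {
            Write-Host "Disconnecting session $($s.Id) ($($s.UserName)), idle $($s.IdleMinutes) min"
            tsdiscon $s.Id
        }
    }
}

Set-RdpIdleDisconnectPolicy -Minutes $IdleMinutes
Disconnect-IdleRdpSessions -Minutes $IdleMinutes
```

The policy change only narrows the window (an attacker with the client in hand can still cut the network before the idle timer fires), so the user-side habit the post recommends, disconnecting rather than locking, still matters.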
steven36 Posted June 5, 2019 (Author)

BlueKeep ‘Mega-Worm’ Looms as Fresh PoC Shows Full System Takeover

A working exploit for the critical remote code-execution flaw shows how an unauthenticated attacker can achieve full run of a victim machine in about 22 seconds.

A researcher has created a proof-of-concept Metasploit module for the critical BlueKeep vulnerability, which successfully demonstrates how to achieve complete takeover of a target Windows machine.

Reverse engineer Zǝɹosum0x0 tweeted about his success on Tuesday, noting that he plans to keep the module private given the danger that a working exploit could pose to the vast swathe of unpatched systems out there. He also released a video showing a remote code-execution (RCE) exploit working on a Windows 2008 desktop, paired with a Mimikatz tool to harvest login credentials. In about 22 seconds, he achieved full takeover.

“Still too dangerous to release, lame sorry,” he tweeted. “Maybe after first mega-worm?”

An earlier proof-of-concept (PoC) from McAfee showed a successful RCE exploit, but didn’t include the credential-harvesting – so a mitigating factor in that exploit would be the need for an attacker to bypass network-level authentication protections.

The BlueKeep vulnerability (CVE-2019-0708) RCE flaw exists in Remote Desktop Services and impacts older versions of Windows, including Windows 7, Windows XP, Server 2003, Server 2008 and Server 2008 R2. The main thing that sets BlueKeep apart is the fact that it’s wormable – and so it can self-propagate from machine to machine, setting up the scene for a WannaCry-level, fast-moving infection wave. The concern is big enough that Microsoft even took the unusual step of deploying patches to Windows XP and Windows 2003, which are end-of-life and no longer supported by the computing giant. It has also issued multiple follow-on advisories urging administrators to patch.

The new exploit works on most vulnerable machines, with the exception of Windows Server 2003, according to Zǝɹosum0x0. The researcher said that it took time to develop the exploit, but clearly it can be achieved.

The National Security Agency concurs with the engineer on the possibility of widespread, in-the-wild exploitation. “It is likely only a matter of time before remote exploitation code is widely available for this vulnerability,” the NSA said in an advisory on Tuesday. “NSA is concerned that malicious cyber-actors will use the vulnerability in ransomware and exploit kits containing other known exploits, increasing capabilities against other unpatched systems.”

The danger isn’t just the potential for a worm-wave; denial-of-service could be a problem too. Researchers attempting to create PoC exploits found that their efforts largely caused systems to crash before they could achieve RCE.

To boot, the attack surface is unfortunately large. Although Microsoft issued a patch for the recently disclosed BlueKeep as part of its May Patch Tuesday Security Bulletin (and there’s a micropatch out there too), researchers said last week that at least 1 million devices linked to the public internet are still vulnerable to the bug. And, the NSA in its advisory warned that the number could actually be in the multimillions.

Some are finding patching to be an onerous process given that many older machines are in production environments where the required reboot – taking mission-critical systems offline — just isn’t feasible. Nonetheless, with the demonstration that RCE can be achieved, hopefully administrators will find a way to update their environments.

“It only takes one vulnerable computer connected to the internet to provide a potential gateway into these corporate networks, where advanced malware could spread, infecting computers across the enterprise,” Microsoft warned in an advisory. “This scenario could be even worse for those who have not kept their internal systems updated with the latest fixes, as any future malware may also attempt further exploitation of vulnerabilities that have already been fixed.”
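As an added example (not code from Microsoft, the NSA, or the articles quoted above): a Windows PowerShell 2.0-compatible audit script for the hosts the post lists as affected. It reports whether the host's NT version falls in the affected range, whether RDP is listening, whether Network Level Authentication (the workaround mentioned above as a mitigating factor) is required, and, if you pass the KB number of the May 2019 fix for that OS, whether that update is installed; with `-EnforceNla` it turns NLA on. The version mapping (XP 5.1, Server 2003 5.2, Vista/2008 6.0, 7/2008 R2 6.1), the `Win32_TSGeneralSetting` WMI class under `root\cimv2\TerminalServices` and the `netstat` parsing are assumptions about standard Windows facilities; the `-PatchKB` parameter is a placeholder you fill in from Microsoft's advisory, since the posts give no KB numbers.

```powershell
# Added example: BlueKeep (CVE-2019-0708) exposure check for a single host.
# Written for Windows PowerShell 2.0 so it runs on Windows 7 / Server 2008 R2 without WMF upgrades.
# Not code from Microsoft or the articles. Assumptions: affected range = NT 5.x and 6.0/6.1;
# Win32_TSGeneralSetting (root\cimv2\TerminalServices) exposes UserAuthenticationRequired.

param(
    [switch]$EnforceNla,
    [string]$PatchKB = ''   # e.g. the KB of the May 2019 fix for this OS; taken from the Microsoft advisory
)

function Get-RdpTerminalSetting {
    Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
        -Filter "TerminalName='RDP-Tcp'" -ErrorAction SilentlyContinue
}

function Test-RdpListening {
    # netstat line looks like: "  TCP    0.0.0.0:3389    0.0.0.0:0    LISTENING    1234"
    $hits = @(netstat -ano | Where-Object { $_ -match ':3389\s+\S+\s+LISTENING' })
    return ($hits.Count -gt 0)
}

function Get-BlueKeepExposure {
    $os  = Get-WmiObject Win32_OperatingSystem
    $ver = [version]$os.Version
    # XP=5.1, Server 2003=5.2, Vista/2008=6.0, 7/2008 R2=6.1 (assumed mapping; see lead-in).
    $affectedRange = ($ver.Major -eq 5) -or ($ver.Major -eq 6 -and $ver.Minor -le 1)

    $ts  = Get-RdpTerminalSetting
    $nla = $null
    if ($ts) { $nla = [bool]$ts.UserAuthenticationRequired }

    $listening = Test-RdpListening

    $patched = $null
    if ($PatchKB) { $patched = ($null -ne (Get-HotFix -Id $PatchKB -ErrorAction SilentlyContinue)) }

    # Highest-risk combination: affected OS, RDP reachable, NLA off, no evidence of the patch.
    $exposed = $affectedRange -and $listening -and ($nla -ne $true) -and ($patched -ne $true)

    New-Object PSObject -Property @{
        Computer        = $env:COMPUTERNAME
        OSVersion       = $os.Version
        Caption         = $os.Caption
        InAffectedRange = $affectedRange
        RdpListening    = $listening
        NlaRequired     = $nla
        PatchInstalled  = $patched
        Exposed         = $exposed
    }
}

function Enable-RdpNla {
    $ts = Get-RdpTerminalSetting
    if (-not $ts) { return $false }
    # SetUserAuthenticationRequired(1) switches the RDP-Tcp listener to NLA; 0 = success.
    $r = $ts.SetUserAuthenticationRequired(1)
    return ($r.ReturnValue -eq 0)
}

$report = Get-BlueKeepExposure
$report | Format-List Computer, Caption, OSVersion, InAffectedRange, RdpListening, NlaRequired, PatchInstalled, Exposed

if ($EnforceNla -and $report.NlaRequired -ne $true) {
    if (Enable-RdpNla) {
        Write-Host 'NLA is now required on RDP-Tcp. This stops unauthenticated triggers of the bug but is not a substitute for installing the patch.'
    } else {
        Write-Warning 'Could not enable NLA; check that the script is running elevated.'
    }
}
```

Note that on Windows XP and Server 2003 the `Win32_TSGeneralSetting` query will typically return nothing, so `NlaRequired` stays `$null` and the host is treated as exposed; on those systems the only reliable fix is the out-of-band update Microsoft shipped, or taking RDP off the network.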
Karlston Posted June 5, 2019

Similar topics merged.
stylemessiah Posted June 6, 2019

Another "lab" security flaw turned into clickbait and made to sound more serious than it is. Next...
Karlston Posted June 6, 2019

News Analysis

NSA, Microsoft implore enterprises to patch Windows' 'BlueKeep' flaw before it's too late

The warnings refer to vulnerabilities in Windows' Remote Desktop Services that could be exploited by attackers; patches have been available since May 14.

The U.S. National Security Agency (NSA) on Tuesday called on IT administrators to apply security updates issued by Microsoft three weeks ago, adding to a chorus of voices urging haste.

"The National Security Agency is urging Microsoft Windows administrators and users to ensure they are using a patched and updated system in the face of growing threats," the NSA said in a June 4 advisory.

The agency's advice followed by several days that of Microsoft itself. On Thursday, May 30, a company official reminded users of the updates - which the company released May 14 - and implied that time is short. "We strongly advise that all affected systems should be updated as soon as possible," Simon Pope, the director of incident response at the Microsoft Security Response Center (MSRC), wrote in a blog post.

Microsoft's plea, at least, was unusual. Once the developer has released a fix it has rarely circled back to remind customers to install a patch, instead assuming that they have done what they were supposed to.

The NSA and Microsoft warnings were about flaws in Windows' Remote Desktop Services that could be exploited by attackers in ways that made the bugs especially dangerous. The vulnerabilities have been stickered with the "BlueKeep" label.

"We warned that the vulnerability is 'wormable,' and that future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017," Pope said.

The vulnerabilities were so serious that Microsoft made the unprecedented decision to deliver patches not only to still-supported versions of Windows, including Windows 7, but to the outdated Windows XP, which was retired more than five years ago.

WannaCry, a ransomware attack that surged across the globe in May 2017, was cited several times by Pope to drive home his point. "There has been no sign of a worm yet [but] this does not mean that we're out of the woods," he said. "If we look at the events leading up to the start of the WannaCry attacks, they serve to inform the risks of not applying fixes for this vulnerability in a timely manner.

"It is possible that we won't see this vulnerability incorporated into malware," concluded Pope. "But that's not the way to bet."

On that score, in fact, Pope intimated that Microsoft knows more than it's saying. "Microsoft is confident that an exploit exists for this vulnerability," he said in last week's blog post. Then on Twitter this week after the NSA issued its bulletin, Pope tweeted, "I cannot urge you enough to patch your systems as soon as possible."

The NSA was almost as sure that doom was on the horizon. "It is likely only a matter of time before remote exploitation code is widely available for this vulnerability. NSA is concerned that malicious cyber actors will use the vulnerability in ransomware and exploit kits containing other known exploits, increasing capabilities against other unpatched systems."

It's unclear what, exactly, drove Microsoft's Pope, then the NSA, to issue their patch-now alerts. It may have been the results of an Internet-wide scan by Robert Graham of Errata Security. According to Graham, as of a week ago, almost a million public-facing Windows systems were vulnerable to attack. "This will likely lead to an event as damaging as WannaCry and notPetya from 2017," Graham wrote in a post. "Hackers are likely to figure out a robust exploit in the next month or two and cause havoc with these machines."

Pope cited Graham's survey when he told Windows users to patch pronto, adding that, "Many more within corporate networks may also be vulnerable. [And] it only takes one vulnerable computer connected to the internet to provide a potential gateway into these corporate networks."

Microsoft has provided links to patches for Windows XP, Windows Vista and Windows Server 2003 here; fixes for Windows 7, Windows Server 2008 and Windows Server 2008 R2 can be found here.

Source: NSA, Microsoft implore enterprises to patch Windows' 'BlueKeep' flaw before it's too late (Computerworld - Gregg Keizer)