BlueKeep warnings having little effect on Windows patching

DHS issued the latest security advisory for BlueKeep, but it's unclear whether the repeated warnings are being heeded by organizations that have vulnerable systems on the internet.

Yet another Blue Keep security advisory was issued this week -- this time by the Department of Homeland Security -- but the repeated warnings appear to have had little effect on patch adoption for the vulnerability.

DHS' Cybersecurity and Infrastructure Security Agency (CISA) issued an alert Monday for BlueKeep, which affects the remote desktop protocol (RDP) in Microsoft's Windows OSes and could allow threat actors to perform remote code execution on vulnerable systems.

"BlueKeep is considered 'wormable' because malware exploiting this vulnerability on a system could propagate to other vulnerable systems; thus, a BlueKeep exploit would be capable of rapidly spreading in a fashion similar to the WannaCry malware attacks of 2017," the CISA alert said.

The alert from CISA marks the fourth public warning about BlueKeep that urges users to patch the flaw immediately. Microsoft posted two separate security advisories -- one in late May and one in early June -- after releasing a security update for the vulnerability during May's Patch Tuesday. Earlier this month, the National Security Agency (NSA) took an unprecedented step of issuing its own security alert for BlueKeep; such security advisories are typically issued by DHS rather than the NSA.

None of the previous warnings, however, appear to have moved the needle much for BlueKeep patching. Last month, security expert Robert Graham, owner of Errata Security in Portland, Ore., said he created a customized public scanning tool for BlueKeep and found "roughly 950,000 machines are on the public Internet that are vulnerable to this bug," according to a blog post.

Risk management vendor BitSight, which posted new research last Thursday, incorporated Graham's tool in its own scanning platform and initially found 972,829 vulnerable Windows systems on May 31, one day after the Microsoft warning. Since that time, the company has conducted additional scans on a regular basis, according to Dan Dahlberg, head of security research at BitSight. Dahlberg said more recent scanning data indicated that "some vulnerable systems" have been patch, but he couldn't provide exact figures.

It's tough to say right now whether the warnings have had any real effect on a day-to-day basis for the number of unpatched systems out there.
Dan Dahlberg Head of security research, BitSight

"It's tough to say right now whether the warnings have had any real effect on a day-to-day basis for the number of unpatched systems out there," Dahlberg said.

BitSight's scanning results also showed 1.59 million patched systems and another 1.3 million systems that had enabled network-level authentication (NLA) in Windows to prevent unauthorized access via RDP. Since NLA was enabled in those systems, external scanners can't determine the patch status.

In addition, BitSight found the majority of vulnerable systems were located in China, while the U.S. ranked second on that list.

Security researcher Kevin Beaumont, who coined the "BlueKeep" name for the RDP vulnerability, said via Twitter that the BitSight scanning data on unpatched systems "suggests [it's] still an issue."

Patching challenges

Infosec professionals said it's difficult to determine from remote scanning results why so many systems have yet to be patched. "There's still an abundance of medical equipment that forces organizations to use older and unsupported OS versions (XP, Server 2003)," said Scott Caveza, research engineering manager at Tenable Inc., via email.

Dahlberg said it's likely that many of the still-vulnerable systems are simply mismanaged and fell outside the scope of organizations' systems management and patch management programs.

Caveza said it's possible some organizations are using other mitigation steps instead of applying the BlueKeep patch, which could skew the number of vulnerable systems. However, he still advised organizations to patch.

"While the mitigations may provide an initial layer of protection, inadvertent changes by a systems admin or other personnel could revert those changes," Caveza said. "Therefore, patching is the preferred option and should be done as soon as possible."

Dahlberg stressed that BitSight's data was only for externally exposed systems vulnerable to BlueKeep, and that organizations may still have vulnerable internal systems that could be ravaged by a wormable exploit. "It's also important to patch internal systems because malware could find another way into the environment and then spread internally through BlueKeep like WannaCry did with EternalBlue," he said.

BlueKeep exploits

The RDP vulnerability has caused concern in the infosec community not only because of the nature of the flaw but also because several vendors and independent researchers have demonstrated -- but not released the code for -- proof-of-concept exploits for BlueKeep.

CISA's alert said the agency confirmed a successful exploit of Windows 2000, though details of the exploit were not provided. The alert originally said the agency "achieved remote code execution" on a vulnerable Windows 2000 machine, but later the statement to say it "coordinated with external stakeholders and determined that Windows 2000 is vulnerable to BlueKeep."

Microsoft issued patches for several unsupported OSes such as Windows XP, but Windows 2000 was not among them.

CISA implored users to apply the available patches for BlueKeep as soon as possible; the agency also recommended other mitigation steps for systems that cannot be patched, including enabling NLA and blocking TCP port 3389 at perimeter firewalls.

Dig Deeper on Application and platform security

Enterprise Desktop
Cloud Computing