On August 13, 2019 Microsoft utilized “Patch Tuesday” to release 36 new CVEs. Of those vulnerabilities, four stand out for their striking similarity to the BlueKeep vulnerability that sent shock waves through the industry only three months earlier.
As a group, some have playfully dubbed these four new Remote Desktop Protocol (RDP) vulnerabilities "DejaBlue". Individually, their CVEs are:
CVE-2019-1181 and CVE-2019-1182 affect devices running Windows 7, Windows 8.1, or Windows 10, as well as any devices running Windows Server 2008, Windows Server 2012, Windows Server 2016, or Windows Server 2019.
CVE-2019-1222 and CVE-2019-1226 affect devices running Windows 10 or Windows Server 2019.
All four of these vulnerabilities were given critical severity scores of 9.8.
Globally, these vulnerabilities are believed to affect somewhere around one million machines. In hospitals, a wide array of technologies are exposed, ranging from workstations and servers to medical devices and IoT devices. Per CyberMDX field statistics, as many as 25% of a typical hospital's connected machines may be affected.
RDP is a network protocol used for remotely connecting to a Windows station. From Windows XP and on, all Windows versions support this protocol as both client and server. Although RDP is not enabled by default, it is frequently used within enterprise organizations. The protocol uses TCP port 3389 and UDP port 3389.
The DejaBlue vulnerabilities are predicated on flaws in the early stages of an RDP connection. Since the flaws reside in processes preceding the authentication phase, no prior knowledge of passwords or keys is required to wage an attack that can ultimately lead to illicit remote code execution.
It should also be noted that CVE-2019-1181 and CVE-2019-1182 attacks can be "wormable" — spreading within networks, across internal networks, and even moving to and from external networks. This not only expands the attack surface but also raises the stakes of an attack considerably.
There are a number of immediate actions that can and should be taken to mitigate this vulnerability. These include:
- Applying the latest patches to your Windows stations.
- Disabling Remote Desktop Services where they are not required.
- Enabling Network Level Authentication (NLA) on systems with RDP. NLA requires the connecting user (or potential attacker) to authenticate themselves before a session is established with the server.
- Utilizing RDP gateways (on patched workstations) to hold and authenticate requests for RDP sessions of external origins before passing them through to your internal network.
- If you're not using RDP at all, configure your perimeter firewall to block inbound TCP port 3389 traffic.
Cross Your "T"s & Dot your "I"s
It's important to assume a preventative security posture rather than a merely reactive one. Generally, you'll want to apply best practices to reduce your attack surface as much as possible while encouraging awareness and vigilance at every level.
One of the most important things to stay on top of is also one of the most basic, namely patch management. Pursued manually, the process will not only tedious but likely error-prone too. Instead, consider implementing an automatable 3-step process along these lines:
- Produce a live digital inventory itemizing all your networked devices.
- Each line item should be accompanied by hardware, firmware, OS, software, and network configuration details.
- Integrate the National Vulnerability Database (NVD) feed into your management dashboard
- Continuously cross-reference that data flow against your inventory.
- Whenever a match is found, take stock of the patching options available to you and proceed accordingly.
Of course, if you don't want to bother setting up, troubleshooting, and maintaining such a framework, there are proven solutions that deliver the same functionality right out-of-the-box.
Either way, the key is to get out ahead of these threats as quickly as possible while simultaneously employing a broad-spectrum preventative strategy for cyber defense. If you have any questions or require any assistance in defending your healthcare organization against these or other vulnerabilities,