posted

0 Comments

Zero-trust and BlueKeep

 

In mid-May 2019[1], Microsoft released a security advisory to patch a specific Windows version to mitigate a serious security vulnerability in those systems. The vulnerability, CVE-2019-0708[2] (AKA “BlueKeep”) impacts multiple old[3] Windows versions (Windows XP, Vista, 7, Server 2003, 2008 and 2008 R2) by exploiting mishandled memory cleanup in Microsoft Remote Desktop Protocol (RDP), resulting in Remote Code Execution[4] (RCE). In the first two weeks after Microsoft released the security update, it was estimated that about 1M[5] public facing machines were vulnerable to CVE-2019-0708.

 

The NSA published[6] recommendations to mitigate this threat, including: deploying the MS Security Patch[7], or updating network and machine configurations to increase the resilience of the network against unknown threats in the future.

 

Deploying critical updates quickly is crucial, but sadly this will not defend against the next zero day vulnerability. Moreover, the potential risk behind RCE vulnerabilities is so high when such vulnerability is being exploited as a propagation technique, which is why BlueKeep is being compared to WannaCry, NotPetya, and Bad Rabbit ransomwares[8].

 

Instead of chasing critical updates or security advisories – which we cannot predict or remediate (at scale) immediately, we need to stop and think about what we can control and/or typically expect from our applications running in our environment. In other words, stop chasing bad and start ensuring good in the datacenter. This approach of identifying the intended state and allowing only specific, pre-defined behaviors/actions to be executed, is the fundamental component of a Zero-Trust Environment. In such environments, the focus of detection tools is not on malicious activities (which leaves the defender one step behind the next zero day attack), but rather verifying that every action in the system is expected and/or can be evaluated as good.

 

To exploit CVE-2019-0708, an attacker needs to have an open network path from the attacking machine to the target machine, and the ability to execute commands on the attacking machine. By implementing a Zero-Trust environment, the security principles of Least Privileged and Micro-segmentation are being enforced. In this situation two things happen, first the Micro-segmentation principle closes down the communication channels an attacker could exploit, by limiting access to the approved locations that can be used to reach the vulnerable machine. Second, the Least Privileged principle locks down the compute layer which only allows approved processes to be launched, and moreover limits communication over specific communication channels to pre-defined approved processes.

 

VMware AppDefense helps organizations transition environments to a Zero-Trust architecture. To learn more about how VMware AppDefense can help you reduce your environment’s attack surface, visit: https://www.vmware.com/products/appdefense.html.

 

[1] https://blogs.technet.microsoft.com/msrc/2019/05/14/prevent-a-worm-by-updating-remote-desktop-services-cve-2019-0708/

[2] https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708

[3] https://support.microsoft.com/en-us/lifecycle/search/1163

[4] https://en.wikipedia.org/wiki/Arbitrary_code_execution

[5] https://blog.erratasec.com/2019/05/almost-one-million-vulnerable-to.html#.XPlR_NNKiL4

[6] https://www.nsa.gov/Portals/70/documents/what-we-do/cybersecurity/professional-resources/csa-bluekeep_20190604.pdf

[7] https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708

[8] https://en.wikipedia.org/wiki/Ransomware