US CERT BlueKeep warning: we got remote code execution

The US Cybersecurity and Infrastructure Security Agency (CISA), which now houses US-CERT, has released an alert about the 'BlueKeep' Remote Desktop Protocol (RDP) flaw, CVE-2019-0708. The alert follows warnings from Microsoft and the NSA to patch the bug, which was reported to Microsoft by the UK's National Cyber Security Centre (NCSC).

CISA is the latest organization to raise an alarm about BlueKeep, which Microsoft believes could become a threat on the scale of the WannaCry outbreak of May 2017, largely because BlueKeep is similarly 'wormable': the flaw is reachable before authentication and needs no user interaction, so an exploit could spread automatically from one vulnerable machine to another. WannaCry's worm capability came from EternalBlue, an NSA exploit for SMBv1 that had been leaked by the Shadow Brokers.

Since Microsoft released its May 2019 patch for CVE-2019-0708, aka BlueKeep, and warned customers to apply it urgently, the NSA and the Australian Cyber Security Centre have also urged organizations to patch. The NCSC, which is part of UK signals intelligence agency GCHQ, has issued the same warning. The flaw affects Windows 7, Windows Server 2008 and 2008 R2, and the out-of-support Windows XP and Server 2003, for which Microsoft took the unusual step of shipping fixes; Windows 8 and Windows 10 are not affected.

The NSA's warning followed research by security expert Robert Graham of Errata Security, whose internet-wide scan found nearly one million Windows systems still exposed to BlueKeep two weeks after Microsoft released the patch.

Security firm BitSight ran its own scan for BlueKeep a month after Microsoft's patch and found that China had the highest number of vulnerable machines, more than 300,000; fewer than half of the exposed machines it had observed there had been patched. In the US the patching rate exceeded 75 percent, but that still left around 100,000 machines exposed to a BlueKeep exploit. Patching rates in much of Europe were on par with or better than the US, though those countries accounted for far fewer systems.
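The scans above measure exposure at internet scale; the Python probe below, added here as an example and not code from the original article, CISA, Microsoft, Graham or BitSight, does the per-host version of that check. It asks an RDP listener for legacy Standard RDP Security in the X.224 Connection Request and decodes the server's RDP Negotiation Response (message layouts from MS-RDPBCGR sections 2.2.1.1 and 2.2.1.2) to learn whether Network Level Authentication (NLA), the configuration mitigation Microsoft recommended alongside the patch, is enforced. The sample responses embedded in it are constructed by hand from those layouts, not captured from real hosts; `probe()` needs network access to a target you are authorized to test, and the function and constant names are this example's own.

```python
"""Added example: check whether an RDP listener enforces Network Level
Authentication (NLA) by offering only legacy Standard RDP Security and
reading the server's negotiation answer (MS-RDPBCGR 2.2.1.1 / 2.2.1.2).
"""
import socket
import struct

# RDP negotiation structure types
TYPE_RDP_NEG_REQ = 0x01
TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03

# requestedProtocols / selectedProtocol values
PROTOCOL_RDP = 0x00000000     # standard RDP security: no credentials before the RDP stack
PROTOCOL_SSL = 0x00000001     # TLS only: encrypted, but still no pre-authentication
PROTOCOL_HYBRID = 0x00000002  # CredSSP, i.e. NLA

HYBRID_REQUIRED_BY_SERVER = 0x05
FAILURE_NAMES = {
    0x01: "SSL_REQUIRED_BY_SERVER",
    0x02: "SSL_NOT_ALLOWED_BY_SERVER",
    0x03: "SSL_CERT_NOT_ON_SERVER",
    0x04: "INCONSISTENT_FLAGS",
    0x05: "HYBRID_REQUIRED_BY_SERVER",
    0x06: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested_protocols: int = PROTOCOL_RDP) -> bytes:
    """TPKT header + X.224 Connection Request TPDU + RDP_NEG_REQ (19 bytes total)."""
    # RDP_NEG_REQ: type, flags, length (always 8), requestedProtocols; little-endian
    neg_req = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested_protocols)
    # X.224 CR: length indicator, CR code 0xE0, dst-ref, src-ref, class 0
    x224 = struct.pack(">BBHHB", 6 + len(neg_req), 0xE0, 0, 0, 0) + neg_req
    # TPKT: version 3, reserved, total length (big-endian)
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224


def parse_connection_confirm(data: bytes) -> dict:
    """Decode an X.224 Connection Confirm into {'nla_required': bool, 'detail': str}."""
    if len(data) < 11 or data[0] != 0x03:
        raise ValueError("not a TPKT-framed response")
    if struct.unpack(">H", data[2:4])[0] != len(data):
        raise ValueError("TPKT length field disagrees with payload size")
    li, code = data[4], data[5]
    if code != 0xD0:
        raise ValueError("not an X.224 Connection Confirm (expected 0xD0)")
    if li == 6:
        # Pre-Vista servers confirm without a negotiation block: only standard
        # RDP security exists there, so nothing is authenticated before the
        # server starts parsing client input.
        return {"nla_required": False,
                "detail": "no RDP_NEG block: legacy server, standard RDP security only"}
    if li != 14 or len(data) < 19:
        raise ValueError("unexpected X.224 length indicator %d" % li)
    neg_type, _flags, neg_len, value = struct.unpack("<BBHI", data[11:19])
    if neg_len != 8:
        raise ValueError("unexpected RDP_NEG length %d" % neg_len)
    if neg_type == TYPE_RDP_NEG_RSP:
        # The server accepted a protocol we offered; we offered only standard
        # RDP security, so NLA is not being enforced on this listener.
        return {"nla_required": False,
                "detail": "server accepted standard RDP security (selectedProtocol 0x%08x)" % value}
    if neg_type == TYPE_RDP_NEG_FAILURE:
        name = FAILURE_NAMES.get(value, "unknown failure 0x%08x" % value)
        return {"nla_required": value == HYBRID_REQUIRED_BY_SERVER,
                "detail": "server refused standard RDP security: " + name}
    raise ValueError("unexpected RDP_NEG type 0x%02x" % neg_type)


def probe(host: str, port: int = 3389, timeout: float = 5.0) -> dict:
    """Send the request to a live host (needs network access) and decode the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connection_request())
        head = sock.recv(4)
        if len(head) < 4 or head[0] != 0x03:
            raise ValueError("no TPKT header received")
        total = struct.unpack(">H", head[2:4])[0]
        body = b""
        while len(body) < total - 4:
            chunk = sock.recv(total - 4 - len(body))
            if not chunk:
                break
            body += chunk
        return parse_connection_confirm(head + body)


# Constructed sample replies (assembled from the spec layouts, not captured
# from real hosts) so the decoder can be exercised offline.
SAMPLE_RESPONSES = {
    "nla_enforced": bytes.fromhex("030000130ed000001234000300080005000000"),
    "standard_rdp_ok": bytes.fromhex("030000130ed000001234000200080000000000"),
    "legacy_no_neg": bytes.fromhex("0300000b06d00000123400"),
}


def classify_samples() -> dict:
    """Decode each constructed sample; returns name -> nla_required."""
    return {name: parse_connection_confirm(raw)["nla_required"]
            for name, raw in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    for name, raw in SAMPLE_RESPONSES.items():
        print(name, parse_connection_confirm(raw))
```

A result of `nla_required == True` means an attacker needs valid credentials before reaching the RDP code path BlueKeep abuses, which is why Microsoft recommended enabling NLA; it does not mean the host is patched, and Microsoft's advisory notes that an authenticated attacker can still exploit an unpatched system. A host that answers `SSL_REQUIRED_BY_SERVER` has TLS but no pre-authentication barrier either. Treat this as a triage signal for which exposed Windows 7 and Server 2008 hosts to patch first, not as a vulnerability test.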