HomeNewsArticle Display

NSA, Microsoft warn of Windows vulnerability

PETERSON AIR FORCE BASE, Colo. – New Windows 10 laptops sit idle while being upgraded with Windows 10 at Peterson Air Force Base, Colo., March 22, 2017. The Windows 10 roll out is part of a Department of Defense wide mandate to update all computers across all services. The 21st CS has been working extra shifts to ensure that mandate is met well ahead of schedule on April 1.  (U.S. Air Force photo by Steve Kotecki)

PETERSON AIR FORCE BASE, Colo. – New laptops sit idle while being upgraded with Windows 10 at Peterson Air Force Base, Colo., March 22, 2017. National Security Agency and Microsoft officials recently issued a warning about a potential vulnerability discovered in older versions of the Windows operating system and urged users to update their systems. (U.S. Air Force photo by Steve Kotecki)

FORT GEORGE G. MEADE, Md. --

The National Security Agency is urging Microsoft Windows administrators and users to ensure they are using a patched and updated system in the face of growing threats. Recent warnings by Microsoft stressed the importance of installing patches to address a protocol vulnerability in older versions of Windows. Microsoft has warned that this flaw is potentially “wormable,” meaning it could spread without user interaction across the internet. We have seen devastating computer worms inflict damage on unpatched systems with wide-ranging impact, and are seeking to motivate increased protections against this flaw.

CVE-2019-0708, dubbed “BlueKeep,” is a vulnerability in the Remote Desktop (RDP) protocol. It is present in Windows 7, Windows XP, Server 2003 and 2008, and although Microsoft has issued a patch, potentially millions of machines are still vulnerable.

This is the type of vulnerability that malicious cyber actors frequently exploit through the use of software code that specifically targets the vulnerability. For example, the vulnerability could be exploited to conduct denial of service attacks. It is likely only a matter of time before remote exploitation code is widely available for this vulnerability. NSA is concerned that malicious cyber actors will use the vulnerability in ransomware and exploit kits containing other known exploits, increasing capabilities against other unpatched systems.

NSA urges everyone to invest the time and resources to know your network and run supported operating systems with the latest patches. Please refer to our advisory for additional information. This is critical not just for NSA’s protection of National Security Systems but for all networks. In order to increase resilience against this threat while large networks patch and upgrade, there are additional measures that can be taken:

  • Block TCP Port 3389 at your firewalls, especially any perimeter firewalls exposed to the internet. This port is used in RDP protocol and will block attempts to establish a connection.
  • Enable Network Level Authentication. This security improvement requires attackers to have valid credentials to perform remote code authentication.
  • Disable remote Desktop Services if they are not required. Disabling unused and unneeded services helps reduce exposure to security vulnerabilities overall and is a best practice even without the BlueKeep threat.