In May 2019, BlueKeep emerged as a new remote desktop vulnerability with mitigations. Recent security patch news coverage has been focused on a flaw in Windows 10 and Windows Server vulnerabilities that could be used to spoof a certificate for secure Web sessions or signing code.
Among the fixes for the CryptoAPI vulnerability, there were 48 other vulnerabilities that were patched in the latest update package. Five were related to Microsoft's Remote Desktop Protocol (RDP)-based service, which is used by thousands of organizations for remote access to computers within their networks. Two of them are flaws in the Windows Remote Desktop Gateway allowing attackers to gain access to networks without a login requirement.
The bugs identified as CVE-2020-0609 and CVE-2020-0610 are rated as more dangerous than the CryptoAPI vulnerability because of their ability to be used remotely to execute code, install programs, modify or delete data, and create full-access user accounts on targeted RDP servers before the gateway attempts to authenticate them. Fortunately, no exploit code or proof of concept are reported to be seen today. There is no workaround for the vulnerability without applying a software patching update. Both cyberattacks rely on specially crafted requests to the Remote Desktop Gateway using the RDP protocol.
8 Ways to Protect Against Remote Desktop Vulnerabilities
- Update your systems through a safe patching regimen and solution and ensure patches were applied successfully.
- Prevent direct network access to systems that require RDP access by installing or updating access control lists on Firewalls established on network perimeters and network segments.
- Ensure remote access, whether RDP or any other network protocol occurs over a secure tunneling technology such as IPsec Virtual Private Networks (VPNs).
- Leverage automated systems management and other compensating controls to detect changes and policy violations such as the creation of new user accounts or installation of new programs.
- Practice technology diversification and multiple layers of technology. This represents a higher chance of stopping cyberattacks from easily penetrating your defenses by complicating the exploit chain and raising the difficulty of any lateral movement by attackers.
- Monitor networks and hosts for anomalous behavior and new connections.
- Disable remote access functionality altogether where it is not necessary.
- Ensure incident response plans adequately manage any threats that may arise from these vulnerabilities and any others in the future.
If any of these approached seem daunting and difficult to achieve in-house, find a cybersecurity partner with extensive OT experience in the deployment and tuning of best-in-class security solutions while integrating all aspects into your cybersecurity program to make it easy and affordable to operationalize.