DejaBlue? Not again!


Published on August 21, 2019

Microsoft has published fixes for seven new Windows vulnerabilities that, once again, sit in the Remote Desktop Protocol (RDP) stack.

As the name hints, DejaBlue, like BlueKeep, has the potential to power a worm that could infect millions of PCs by exploiting an RDP vulnerability. One difference between the two is scope: while BlueKeep affects Windows 7 and earlier, DejaBlue also affects everything after it, up to Windows 10 and Windows Server 2019. In addition, early analysis suggests that DejaBlue may be easier to exploit than BlueKeep.

Four new RDP vulnerabilities

DejaBlue is actually a group of four new RDP vulnerabilities. The first two, CVE-2019-1181 and CVE-2019-1182, affect:

  • Windows 10 Version 1607.
  • Windows 10 Version 1703.
  • Windows 10 Version 1709.
  • Windows 10 Version 1803.
  • Windows 10 Version 1809.
  • Windows 10 Version 1903.
  • Windows 7.
  • Windows 8.1.
  • Windows RT 8.1.
  • Windows Server 2008 R2.
  • Windows Server 2012 (incl. Server Core installation).
  • Windows Server 2012 R2 (incl. Server Core installation).
  • Windows Server 2016 (incl. Server Core installation).
  • Windows Server 2019 (incl. Server Core installation).
  • Windows Server, version 1803 (Server Core installation).

The remaining two affect only the newer builds:

  • Windows 10 Version 1803.
  • Windows 10 Version 1809.
  • Windows 10 Version 1903.
  • Windows Server 2019 (incl. Server Core installation).
  • Windows Server, version 1803 (Server Core installation).
  • Windows Server, version 1903 (Server Core installation).

All four CVEs carry a critical CVSS base score of 9.8, and are believed to affect somewhere around 1 million machines.

The DejaBlue vulnerabilities sit in the early stages of the RDP connection, before the authentication phase. An attacker therefore needs no password or key to reach the flawed code, and successful exploitation can lead to remote code execution.

In addition, CVE-2019-1181 and CVE-2019-1182 are potentially 'wormable': malware exploiting them could spread from one vulnerable machine to the next without any user interaction, crossing between internal network segments and moving between internal and external networks. This, of course, adds another dimension of severity to DejaBlue.

DejaBlue Mitigation:

Besides obviously applying the latest patches published by Microsoft, there are two key controls that mitigate these vulnerabilities:

  1. Network Level Authentication (NLA)- enable NLA on every system with RDP enabled. NLA forces the connecting user to authenticate before a session is established with the server, so an unauthenticated attacker cannot reach the vulnerable pre-authentication code path. An attacker who already holds valid credentials can still exploit an unpatched host, so NLA is a stopgap, not a substitute for the patch.
  2. RD Gateway- put a Remote Desktop Gateway in front of your RDP hosts, so that external users are authenticated by the gateway before any RDP session is forwarded into your internal network.

** If you're not using RDP, configure your firewall to block inbound TCP port 3389, at the perimeter and on the host itself.

RDS hardening setting: Do not allow clipboard redirection (Group Policy on Remote Desktop Session Hosts; it limits what can be moved between client and server through an RDP session).

But the most basic mitigation step might be the hardest one:

Disable RDP wherever it is not required. As simple as that! But is it?

Controlling configurations across your entire production environment is a pain. Deciding on the right policy and then enforcing it may lead to outages and severe harm to production. To deal with the complexity of enforcing a secure configuration policy, expensive and time-consuming lab testing has to be performed. That often leads to a permissive security policy, such as leaving RDP enabled where it is not required, which enlarges the attack surface.
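The following is an added example, not code from the original post or from CalCom: a PowerShell function that audits one host against the mitigations listed above (RDP on/off, NLA, TLS security layer, clipboard redirection policy, inbound 3389 blocked) and, with -Fix, enforces them. The function name and switches are this example's own; the registry values and NetSecurity cmdlets are standard Windows ones. Patch status and the RD Gateway are out of its scope.

```powershell
# Added example (not from the original post): audit and optionally enforce the
# local RDP hardening state. Run in an elevated PowerShell on the host itself.
# Function name and parameters are this example's own choice.

function Test-RdpHardening {
    [CmdletBinding()]
    param(
        [switch]$Fix,          # apply hardened values instead of only reporting
        [switch]$DisableRdp    # with -Fix: also turn RDP off (hosts that do not need it)
    )

    $ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcp = "$ts\WinStations\RDP-Tcp"
    $pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

    function Get-Reg($path, $name) {
        try { (Get-ItemProperty -Path $path -Name $name -ErrorAction Stop).$name }
        catch { $null }   # missing value: treat as "not set"
    }

    if ($Fix) {
        if (-not (Test-Path $pol)) { New-Item -Path $pol -Force | Out-Null }
        # NLA: require authentication before the session is established
        Set-ItemProperty -Path $tcp -Name UserAuthentication -Value 1 -Type DWord
        # SecurityLayer 2 = TLS for the RDP transport (0 = legacy RDP security layer)
        Set-ItemProperty -Path $tcp -Name SecurityLayer -Value 2 -Type DWord
        # Policy "Do not allow Clipboard redirection"
        Set-ItemProperty -Path $pol -Name fDisableClip -Value 1 -Type DWord

        if ($DisableRdp) {
            # fDenyTSConnections 1 = Remote Desktop disabled
            Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 1 -Type DWord
            # Drop the built-in allow rules and add an explicit inbound block on 3389
            Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
            $blockName = 'Block inbound RDP (TCP 3389)'
            if (-not (Get-NetFirewallRule -DisplayName $blockName -ErrorAction SilentlyContinue)) {
                New-NetFirewallRule -DisplayName $blockName -Direction Inbound `
                    -Protocol TCP -LocalPort 3389 -Action Block | Out-Null
            }
        }
    }

    # Is there an enabled inbound Block rule covering TCP/3389?
    $blocked = [bool](Get-NetFirewallRule -ErrorAction SilentlyContinue |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Block' -and $_.Enabled -eq 'True' } |
        Get-NetFirewallPortFilter -ErrorAction SilentlyContinue |
        Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -contains '3389' })

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        RdpEnabled       = ((Get-Reg $ts  'fDenyTSConnections') -eq 0)
        NlaRequired      = ((Get-Reg $tcp 'UserAuthentication') -eq 1)
        TlsSecurityLayer = ((Get-Reg $tcp 'SecurityLayer') -eq 2)
        ClipboardBlocked = ((Get-Reg $pol 'fDisableClip') -eq 1)
        Port3389Blocked  = $blocked
    }
}

# Usage:
#   Test-RdpHardening                    # report only
#   Test-RdpHardening -Fix               # enforce NLA, TLS layer, clipboard policy
#   Test-RdpHardening -Fix -DisableRdp   # additionally turn RDP off and block 3389
```

Two caveats a practitioner will hit: on a domain-joined host, Group Policy overwrites the local registry values at the next refresh, so the same settings belong in a GPO rather than in this script; and running it with -Fix -DisableRdp over an RDP session will, by design, cut that session off, so do it from a console, out-of-band management channel, or a deployment tool. The function returns a single object per host, which makes it easy to run across a fleet with Invoke-Command and filter for hosts where RdpEnabled is true and NlaRequired is false.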

CHS by CalCom automates the entire process for you, eliminating the concern over production outages. With CHS there is no need for lab testing, and strict security policies can be implemented on the production environment easily and automatically.


Ben Balkin
Ben Balkin is a professional writer and blogger specializing in technology and innovation. As a contributor to the Calcom blog, Ben shares practical insights, useful tips, and engaging articles designed to simplify complex processes and make advanced technological solutions accessible to everyone. His writing style is clear, insightful, and inspiring, reflecting his strong belief in technology's power to enhance quality of life and empower businesses.
