Armis Identifies Devices with BlueKeep Vulnerabilities

UPDATED November 4, 2019
Recent reports indicate that BlueKeep exploit attacks have now been spotted in the in the wild.

Many kinds of medical devices (e.g. MRI machines) and operational technology devices (e.g. HMI machines) utilize old versions of Windows operating systems. These devices typically can’t be automatically patched. In many cases, patches need to be obtained from the device manufacturer and then manually applied to the devices. Mitigating controls such as the ones outlined below, and continuous monitoring of device behavior to detect compromised devices, are highly recommended.

If you work in information security, you’ve probably heard about BlueKeep. This vulnerability, also known as CVE-2019-0708, was announced by Microsoft last month. BlueKeep is a very dangerous vulnerability because it could be used to launch a massive attack that would resemble the 2017 global WannaCry outbreak which continues to plague companies two years later. BlueKeep allows an attacker to use the Remote Desktop Service (RDP) to remotely execute commands on Windows computers without requiring any authentication.

What is notable is the large number of security experts — including those who work at the NSA and Microsoft — that have urged IT managers to patch all Windows systems that have the BlueKeep vulnerability. Just yesterday (June 18), the Cybersecurity and Infrastructure Security Agency (CISA), which operates under the Department of Homeland Security, issued an alert urging everyone to patch all affected systems and, for devices that cannot be patched, to take other mitigation steps. Numerous experts are warning of an almost certain attack.

What Devices are Affected

• Windows 2000
• Windows Vista
• Windows XP
• Windows 7
• Windows Server 2003
• Windows Server 2003 R2
• Windows Server 2008
• Windows Server 2008 R2

How Armis Helps

The first step on the road to mitigation is to identify all systems in an enterprise environment that contain BlueKeep vulnerabilities. For this task, Armis’ discovery feature is quite handy. All you need to do is type in the following search command which results in a comprehensive report:

in:vulnerabilities CVE-2019-0708

Armis has the following advantages in identifying BlueKeep vulnerabilities:

• More Comprehensive. Armis’ coverage is more comprehensive than traditional vulnerability detection systems. Traditional network scanners may not be programmed to scan all parts of an enterprise’s network, particularly those network segments where IoT devices are located. IT managers frequently avoid scanning network segments where IoT devices are located because scanning an IoT device can disrupt the device, which is dangerous to human safety (hospitals and industrial environments) and the bottom line.
• More Timely. Armis’ vulnerability detection is more timely than traditional vulnerability detection systems. Traditional network scanners take time — days or weeks — to complete their scan of an entire network. In contrast, Armis is a real-time system that continuously monitors all devices in your environment. Armis does not scan, it passively collects information about all devices and stores that information for later use. The search query for BlueKeep produces results within seconds.

Remember — it may not be possible to patch all of the vulnerable unmanaged and IoT devices that Armis detects in any given environment. IoT devices like IP video cameras, industrial equipment, retail equipment, medical equipment, building automation devices, printers, and so forth can’t be easily patched, and so they accumulate vulnerabilities over time. For these kinds of devices, CISA recommends that you mitigate your risk by using firewalls to block Transmission Control Protocol (TCP) port 3389 going to these devices. It is important to do this not only at your perimeter, but also inside your network, because the DNS Rebinding technique allows attackers to literally bypass your firewall and attack devices inside your network.

Of course, device discovery and risk assessment are just two parts of Armis’ agentless security platform. The platform also continuously monitors all devices in an enterprise environment to detect if any devices have been compromised. When Armis detects a compromised device, it can take automated action to quarantine the device, break the kill chain, and protect the rest of your systems and enterprise data.

I hope everyone reading this article is able to take all necessary measures to prevent damage from what appears to be an almost-certain attack coming for devices bearing the BlueKeep vulnerability.