Security Alert Update: BlueKeep and DejaBlue Campus-Wide Remediation Actions

August 16, 2019

by UNH Information Security Services

Overview

On May 14, 2019 and again on August 14, 2019, Microsoft announced a total of three zero-day vulnerabilities in Microsoft Windows operating systems, known as BlueKeep (May) and DejaBlue (August). A complete list of the Windows platforms impacted by each vulnerability is provided at the end of this alert.

Both BlueKeep and DejaBlue have the potential to be very dangerous as they allow an unauthorized user to connect to and control a vulnerable device, like a desktop, laptop, or server, without the involvement or knowledge of the device’s user.  This capability means that an attack exploiting this vulnerability is “wormable” and, once it gets inside a network, it can spread to any vulnerable computer or server in that network on its own. 

For reference, the last publicly announced zero-day vulnerability with this kind of capability was EternalBlue, in March 2017. That vulnerability was exploited in the WannaCry and NotPetya global ransomware attacks launched later that year, which crippled organizations such as the UK's National Health Service, shipping giant Maersk, and US pharmaceutical company Merck & Co.

Risk Assessment

BlueKeep only affects older versions of Windows, including Windows 7, Vista and XP, and Windows Server 2008, 2008 R2 and older. This limits the number of devices on campus that can be impacted by this vulnerability.

However, DejaBlue affects all modern Windows operating systems beginning with Windows 7, which significantly increases the number of UNH devices that are vulnerable.

Both BlueKeep and DejaBlue require the use of a specific protocol, RDP (Remote Desktop Protocol). UNH IT currently blocks external RDP traffic from entering the UNH network, which provides a level of protection from external attacks launched against on-campus resources. However, as the UNH user community regularly uses devices both on and off campus, there is a risk that an unpatched device could be compromised while connected to a non-UNH network and, on reconnection, enable a BlueKeep or DejaBlue based attack to gain a foothold inside the UNH network.

Despite the work already done to patch devices vulnerable to BlueKeep, the emergence of DejaBlue combined with the following factors presents a significant risk to the campus computing environment and University operations:

  1. UNH does not mandate the management of institutional devices, which means:
    1. We cannot identify all potentially vulnerable devices connecting to our network
    2. We cannot confirm that known potentially vulnerable devices have been patched
    3. We cannot force updates on known vulnerable devices
  2. UNH provides a BYOD environment, which means:
    1. Anyone can connect any device to our network if they are on campus
    2. Any user with UNH credentials can connect any device to our network from off campus via the VPN

It is important to note that even with the actions outlined in the Remediation Plan below, there will still be vulnerable devices connecting to the UNH Network.  These devices include any that UNH IT could not identify as vulnerable as well as any vulnerable device that connects to the UNH network for the first time.  The risk of a compromised device, UNH-owned or personal, connecting to the UNH network and subsequently compromising other vulnerable devices on our network will still exist.  However, by decreasing the number of vulnerable devices, we are essentially “immunizing” campus against future attacks.


Remediation Plan

(updated as of August 20, 2019)

Since we cannot eliminate the risk of a BlueKeep or DejaBlue based attack, our best option to protect University resources and operations is to reduce the risk, to the extent possible, by ensuring that every known potentially vulnerable device is patched before any attacks leveraging these vulnerabilities occur.

To that end, the following action plan has been approved:

  1. Beginning on the morning of Wednesday, August 21, all known vulnerable Windows endpoint devices joined to Active Directory that are not already being managed by ConfigMgr will be automatically enrolled in ConfigMgr.
  2. There will be a 2-week (10 workday)** delay before any patches are automatically pushed to these devices. This delay allows members of the faculty and research community the opportunity to patch their devices themselves or to designate specific devices as "Personal", "Must Patch Manually", or "Do Not Patch" prior to the commencement of automatic patching.
  3. On Wednesday, September 4, the process of automatically patching remaining vulnerable devices will begin.**

** 10-day caveat: If, during this 10-day delay, there is reason to believe that DejaBlue has become exploitable and the risk to the University warrants expedited action, all auto-enrolled devices that have not yet been designated as "Personal", "Must Patch Manually", or "Do Not Patch" may have the patches automatically pushed before the delay period has expired. Additionally, if this happens, devices designated as "Must Patch Manually" that have not yet been patched may be quarantined until they can be patched.

Information on how to designate that a device belongs in one of these categories is provided here:

Additionally, ISS will be doing the following over the coming weeks:

  1. Contacting device owners, department IT staff, and other support personnel to address any issues with the automatic patch processes, to document risk acceptance, etc. 
  2. Contacting owners of vulnerable servers to coordinate and confirm necessary patches are applied.
  3. Forcing restarts on devices in order to ensure patches are applied, if needed. If this is deemed necessary, ISS will notify the device owner or department IT staff, for any device where we have been able to identify an owner or department, of the need for a restart prior to initiating a remote restart.

At this time, these vulnerabilities are not being exploited, but that can change at any time. When exploits become available, UNH IT may also take the following actions for devices that cannot be confirmed as patched:

  1. Quarantine the device. Quarantined devices:
     • have limited network connectivity and are segregated from the UNH network
     • display a message alerting the user to the quarantine and providing instructions on how to get the device out of quarantine
  2. Block the device from accessing the VPN.

Additionally, going forward, this will be the approach taken to address Windows vulnerabilities deemed to pose this level of risk to the University.


Note: At this time, “automated management” of these devices by ConfigMgr will only involve confirming device patch status, applying Windows operating system updates and other critical security patches, if needed, and, where necessary, forced restarts of the unpatched devices during non-business hours to install patches.

Device owners with specific concerns about the potential for these remediation actions to cause a negative impact can contact IT.Security@unh.edu.


Additional Information

Windows Platforms Impacted

DejaBlue

  • Windows 7
  • Windows 8.1
  • Windows 10
  • Windows Server 2008
  • Windows Server 2012
  • Windows Server 2016
  • Windows Server 2019

BlueKeep

  • Windows 7 for 32-bit Systems Service Pack 1
  • Windows 7 for x64-based Systems Service Pack 1
  • Windows Server 2008 for 32-bit Systems Service Pack 2
  • Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
  • Windows Server 2008 for Itanium-Based Systems Service Pack 2
  • Windows Server 2008 for x64-based Systems Service Pack 2
  • Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
  • Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
  • Windows XP SP3 x86
  • Windows XP Professional x64 Edition SP2
  • Windows XP Embedded SP3 x86
  • Windows Server 2003 SP2 x86
  • Windows Server 2003 x64 Edition SP2
  • Windows Vista
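The Remediation Plan above rests on three facts about each Windows device: whether its platform is on the lists above, whether RDP is enabled on it, and whether the relevant updates are installed. The following PowerShell script is an added example written for this page, not part of the UNH alert or of any UNH or ConfigMgr tooling, that a local administrator can run on a single host to collect those three facts read-only. It assumes PowerShell 3.0 or later (so it will not run on the XP and Server 2003 hosts in the BlueKeep list) and local administrator rights. The alert does not give KB numbers for the updates, so the `$RequiredKB` parameter is a placeholder to be replaced with the real KB identifiers for the host's exact build. The Network Level Authentication check is not discussed in the alert; it is included because NLA is the standard RDP hardening setting and is commonly recommended as a partial mitigation for both vulnerabilities, since an attacker must authenticate before reaching the vulnerable session-setup code.

```powershell
<#
  Added example (not from the UNH alert): read-only host check for the three
  facts the Remediation Plan turns on. Assumes PowerShell 3.0+ and local admin.
#>
param(
    # Placeholder: KB identifiers of the BlueKeep/DejaBlue updates for this
    # host's build. The alert does not list them; look them up in Microsoft's
    # advisory for the exact OS build before relying on this check.
    [string[]]$RequiredKB = @('KB0000000')
)

# Map the NT kernel version to the family named in the alert's
# "Windows Platforms Impacted" lists (assumption: lists as printed above).
function Get-RdpVulnFamily {
    param([Parameter(Mandatory)][version]$OsVersion)
    switch ("$($OsVersion.Major).$($OsVersion.Minor)") {
        '5.1'  { 'BlueKeep' }               # Windows XP
        '5.2'  { 'BlueKeep' }               # Windows XP x64 / Server 2003
        '6.0'  { 'BlueKeep and DejaBlue' }  # Vista (BlueKeep list) / Server 2008 (both lists)
        '6.1'  { 'BlueKeep and DejaBlue' }  # Windows 7 / Server 2008 R2
        '6.2'  { 'DejaBlue' }               # Server 2012
        '6.3'  { 'DejaBlue' }               # Windows 8.1
        '10.0' { 'DejaBlue' }               # Windows 10 / Server 2016 / Server 2019
        default { 'Not in the alert lists' }
    }
}

# Is inbound Remote Desktop enabled? Both vulnerabilities require RDP.
function Test-RdpEnabled {
    $ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
                           -ErrorAction SilentlyContinue
    return ($null -ne $ts -and $ts.fDenyTSConnections -eq 0)
}

# Is Network Level Authentication required on the default RDP listener?
# (Hardening check added here; the alert itself does not mention NLA.)
function Test-RdpNlaRequired {
    $listener = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
                                 -ErrorAction SilentlyContinue
    return ($null -ne $listener -and $listener.UserAuthentication -eq 1)
}

# Which of the required updates are absent from the installed hotfix list?
# Caveat: Get-HotFix reports the KBs actually installed. If a later cumulative
# update has superseded a listed KB, that KB will be reported as missing even
# though the host is patched; confirm against the OS build number in that case.
function Get-MissingHotfix {
    param([string[]]$Required)
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    return @($Required | Where-Object { $installed -notcontains $_ })
}

$os      = Get-CimInstance -ClassName Win32_OperatingSystem
$version = [version]$os.Version
$missing = Get-MissingHotfix -Required $RequiredKB
$rdpOn   = Test-RdpEnabled

# One record per host; pipe to Export-Csv to build the inventory the alert
# says cannot currently be assembled for unmanaged devices.
[pscustomobject]@{
    ComputerName    = $env:COMPUTERNAME
    OperatingSystem = $os.Caption
    Version         = $version.ToString()
    VulnFamily      = Get-RdpVulnFamily -OsVersion $version
    RdpEnabled      = $rdpOn
    NlaRequired     = Test-RdpNlaRequired
    MissingUpdates  = ($missing -join ', ')
    # Exposed: RDP reachable and at least one required update not installed
    Exposed         = ($rdpOn -and $missing.Count -gt 0)
}
```

Run it as `.\Check-RdpPatchStatus.ps1 -RequiredKB 'KB…','KB…'` with the KB numbers for the host's build; the `Exposed` field is true only when RDP is enabled and a required update is missing, which mirrors the alert's own risk logic (the protocol must be reachable and the device unpatched). The `VulnFamily` value comes straight from the platform lists above and the `MissingUpdates` caveat in the comments explains the one case where the check is pessimistic.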

Resources