On May 14, 2019 and again on August 14, 2019, Microsoft disclosed and patched three critical vulnerabilities in Remote Desktop Services on Windows, nicknamed BlueKeep (May, CVE-2019-0708) and DejaBlue (August, CVE-2019-1181 and CVE-2019-1182). A complete list of Windows platforms impacted by each vulnerability is provided at the end of this alert.
Both BlueKeep and DejaBlue are potentially very dangerous because they allow an unauthenticated attacker who can reach the Remote Desktop service to run code on, and take control of, a vulnerable device (desktop, laptop or server) without any action by, or knowledge of, the device’s user. Because no credentials and no user interaction are needed, an attack exploiting these vulnerabilities is “wormable”: once inside a network it can spread on its own from one vulnerable machine to every other vulnerable machine it can reach.
For reference, the last widely publicized vulnerability with this kind of capability was EternalBlue, the SMBv1 flaw Microsoft patched in March 2017 (MS17-010). It was exploited by the WannaCry and NotPetya global ransomware attacks launched later that year, which crippled organizations such as the UK’s National Health Service, shipping giant Maersk and the US pharmaceutical company Merck & Co.
BlueKeep only affects older versions of Windows: Windows 7, Vista and XP, and Windows Server 2008 R2, 2008, 2003 and older. Windows 8 and later and Windows Server 2012 and later are not affected, which limits the number of devices on campus that can be impacted by this vulnerability.
DejaBlue, however, affects every Windows version from Windows 7 SP1 and Windows Server 2008 R2 onward, including Windows 8.1, Windows 10 and Windows Server 2012 through 2019, which significantly increases the number of UNH devices that are vulnerable.
Both BlueKeep and DejaBlue are reached through a single service: Remote Desktop Protocol (RDP), which listens on TCP port 3389. UNH IT currently blocks RDP traffic from the Internet at the campus border, which protects on-campus resources from direct external attack. That border block does nothing for traffic between devices already on the campus network, and the UNH user community regularly uses its devices both on and off campus. An unpatched laptop can therefore be compromised while connected to a non-UNH network (home, hotel, conference) and, on reconnecting to campus, become the foothold from which a BlueKeep or DejaBlue based attack spreads inside the UNH network.
Despite the work already done to patch devices vulnerable to BlueKeep, the emergence of DejaBlue combined with the following factors presents a significant risk to the campus computing environment and University operations:
It is important to note that even with the actions outlined in the Remediation Plan below, there will still be vulnerable devices connecting to the UNH Network. These devices include any that UNH IT could not identify as vulnerable as well as any vulnerable device that connects to the UNH network for the first time. The risk of a compromised device, UNH-owned or personal, connecting to the UNH network and subsequently compromising other vulnerable devices on our network will still exist. However, by decreasing the number of vulnerable devices, we are essentially “immunizing” campus against future attacks.
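The two paragraphs above describe the realistic attack path: the border block stops RDP from the Internet, so the danger is a device compromised off campus that comes back and probes its neighbours on port 3389. The script below is an added example written for this alert, not UNH IT's tooling, that looks for exactly that pattern in a flow log. It assumes a simple log format of one flow per line (timestamp, source, destination, destination port, allow/deny), an internal address prefix of 10.20. as a stand-in for the real campus ranges, and a threshold of five distinct internal hosts on 3389 within 60 seconds; the sample log is constructed.

```powershell
# Added example (not UNH IT's tooling): flag worm-like RDP sweeps in a flow log.
# Assumed log format, one flow per line (this sample is constructed):
#   <ISO timestamp> <src ip> <dst ip> <dst port> <allow|deny>
$sampleLog = @'
2019-08-20T09:00:01 10.20.5.10 10.20.5.20 3389 allow
2019-08-20T09:00:05 203.0.113.8 10.20.5.20 3389 deny
2019-08-20T09:00:10 10.20.5.77 10.20.5.1 3389 allow
2019-08-20T09:00:10 10.20.5.77 10.20.5.2 3389 allow
2019-08-20T09:00:11 10.20.5.77 10.20.5.3 3389 deny
2019-08-20T09:00:11 10.20.5.77 10.20.5.4 3389 allow
2019-08-20T09:00:12 10.20.5.77 10.20.5.5 3389 allow
2019-08-20T09:00:12 10.20.5.77 10.20.5.6 3389 allow
2019-08-20T09:00:30 10.20.5.10 10.20.5.20 443 allow
2019-08-20T09:05:00 10.20.5.77 10.20.5.7 3389 allow
'@

$internalPrefix = '10.20.'   # assumption: stand-in for the campus address ranges
$rdpPort        = 3389
$threshold      = 5          # distinct internal hosts on 3389 ...
$windowSeconds  = 60         # ... within this many seconds = sweep

# Parse the log into objects (blank lines and stray CRs are tolerated).
$flows = $sampleLog -split "`n" | Where-Object { $_.Trim() } | ForEach-Object {
    $f = $_.Trim() -split '\s+'
    [pscustomobject]@{
        Time   = [datetime]$f[0]
        Src    = $f[1]
        Dst    = $f[2]
        Port   = [int]$f[3]
        Action = $f[4]
    }
}

# 1. RDP attempts from outside the campus ranges. "deny" is the border block
#    doing its job; an "allow" here would mean the block has a gap.
$flows |
    Where-Object { $_.Port -eq $rdpPort -and -not $_.Src.StartsWith($internalPrefix) } |
    ForEach-Object { "External RDP attempt $($_.Src) -> $($_.Dst): $($_.Action)" }

# 2. Internal sources touching many distinct internal hosts on 3389 inside one
#    window. Denied attempts count too: a worm probes regardless of the answer.
$flows |
    Where-Object { $_.Port -eq $rdpPort -and
                   $_.Src.StartsWith($internalPrefix) -and
                   $_.Dst.StartsWith($internalPrefix) } |
    Group-Object Src | ForEach-Object {
        $events = @($_.Group | Sort-Object Time)
        $best = 0
        foreach ($start in $events) {
            # distinct destinations in [start, start + window]
            $targets = @($events |
                Where-Object { $_.Time -ge $start.Time -and
                               ($_.Time - $start.Time).TotalSeconds -le $windowSeconds } |
                Select-Object -ExpandProperty Dst -Unique).Count
            if ($targets -gt $best) { $best = $targets }
        }
        if ($best -ge $threshold) {
            "Possible RDP sweep: $($_.Name) probed $best internal hosts within $windowSeconds s"
        }
    }
```

On the constructed sample this reports the single denied external attempt from 203.0.113.8 and flags 10.20.5.77, which touched six distinct internal hosts on 3389 within a few seconds; the legitimate admin host 10.20.5.10, with one RDP destination, is not reported. The same logic applies unchanged to a real export once the parsing line matches the firewall's own log format.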
(updated as of August 20, 2019)
Since we cannot eliminate the risk of a BlueKeep or DejaBlue based attack, our best option to protect University resources and operations is to reduce the risk, to the extent possible, by ensuring that every known potentially vulnerable device is patched before any attacks leveraging these vulnerabilities occur.
To that end, the following action plan has been approved:
10-day caveat: If, during this 10-day delay, there is reason to believe that a working DejaBlue exploit has become available and the risk to the University warrants expedited action, all auto-enrolled devices that have not yet been designated as “personal”, “Must Be Patched Manually” or “Do Not Patch” may have the patches pushed automatically before the delay period has expired. Additionally, if this happens, devices designated as “Must Be Patched Manually” that have not yet been patched may be quarantined until they can be patched.
Information on how to designate that a device belongs in one of these categories is provided here:
Additionally, ISS will be doing the following over the coming weeks:
At this time, these vulnerabilities are not known to be exploited in the wild, but that can change at any time. When exploits become available, UNH IT may also take the following actions for devices that cannot be confirmed as patched:
Additionally, going forward, this will be the approach taken to address Windows vulnerabilities deemed to pose this level of risk to the University.
Note: At this time, “automated management” of these devices by ConfigMgr will only involve confirming device patch status, applying Windows operating system updates and other critical security patches, if needed, and, where necessary, forced restarts of the unpatched devices during non-business hours to install patches.
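The remediation plan rests on confirming each device's patch status, and a device that cannot be patched yet still has one useful mitigation available. The script below is an added example, not UNH IT's ConfigMgr tooling, showing what a per-host check looks like: whether Remote Desktop is enabled and listening, whether Network Level Authentication (NLA) is required, and whether the May and August 2019 updates are recorded. The KB numbers are assumptions that apply to Windows 7 SP1 and Windows Server 2008 R2 only; for other builds, take the KB list from Microsoft's advisories for those months and pass it in.

```powershell
# Added example, not UNH IT's tooling: report one Windows host's exposure to
# BlueKeep/DejaBlue. Run in an elevated session; needs PowerShell 3.0 or later.
# The default KB numbers are assumptions for Windows 7 SP1 / Server 2008 R2;
# confirm the list for each OS build against Microsoft's May and August 2019 advisories.
param(
    [string[]]$BlueKeepKb = @('KB4499175', 'KB4499164'),   # May 2019: security-only / monthly rollup
    [string[]]$DejaBlueKb = @('KB4512486', 'KB4512506')    # Aug 2019: security-only / monthly rollup
)

$os     = Get-WmiObject Win32_OperatingSystem
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

# fDenyTSConnections = 1 means Remote Desktop is switched off.
$rdpEnabled = (Get-ItemProperty $tsKey).fDenyTSConnections -eq 0

# UserAuthentication = 1 means NLA is required: the client must authenticate
# before a session is created, which blocks the unauthenticated trigger for
# these bugs. It is a mitigation, not a substitute for the patch.
$nlaRequired = (Get-ItemProperty $rdpKey).UserAuthentication -eq 1

# netstat rather than Get-NetTCPConnection so the check also runs on Windows 7.
$listening = [bool](netstat -an | Select-String ':3389\s+\S+\s+LISTENING')

# Caveat: Get-HotFix (Win32_QuickFixEngineering) lists only updates Windows
# recorded individually. A later cumulative update that supersedes these KBs
# may not appear, so "not patched" here means "verify", not "definitely vulnerable".
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
$blueKeepPatched = [bool]($BlueKeepKb | Where-Object { $installed -contains $_ })
$dejaBluePatched = [bool]($DejaBlueKb | Where-Object { $installed -contains $_ })

[pscustomobject]@{
    Host            = $env:COMPUTERNAME
    OS              = "$($os.Caption) build $($os.BuildNumber)"
    RdpEnabled      = $rdpEnabled
    Listening3389   = $listening
    NlaRequired     = $nlaRequired
    BlueKeepPatched = $blueKeepPatched
    DejaBluePatched = $dejaBluePatched
    # Triage verdict: RDP reachable and at least one of the two fixes not recorded.
    Exposed         = $rdpEnabled -and (-not $blueKeepPatched -or -not $dejaBluePatched)
} | Format-List
```

A host that reports Exposed = True with NlaRequired = False is the case to act on first: it is reachable without credentials and has no recorded fix. Enabling NLA (UserAuthentication = 1 under the RDP-Tcp key, or the "Allow connections only from computers running Remote Desktop with Network Level Authentication" setting) buys time for a device on the "Must Be Patched Manually" list, but the patch is still required.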
Device owners with specific concerns about the potential for these remediation actions to cause a negative impact can contact IT.Security@unh.edu.