Microsoft’s worm-friendly Bluekeep flaw affects medical devices and other Internet of Things endpoints, security experts are warning.
A zero-day Windows Remote Desktop vulnerability dubbed “BlueKeep” poses a threat to millions of Internet-connected systems including medical devices and other endpoints connected to the “Internet of Things,” security experts warn.
Microsoft issued a patch for the vulnerability last week, warning that it has a similar wormable capability to EternalBlue, a vulnerability discovered and patched in 2017. Code exploiting that vulnerability powered the devastating WannaCry malware, causing billions in damages globally.
Officially known as CVE-2019-0708, the exploit could allow an attacker to execute arbitrary code on a target system by sending specially crafted requests, according to risk-based security management firm RiskSense. Then, once exploited, an attacker could gain control of the system and install programs; view, change, or delete data; or create new accounts with full user rights.
“This vulnerability is immense for three reasons,” said Mounir Hahad, head of Juniper Threat Labs at Juniper Networks. “It can be triggered remotely via a network connection; it does not require any authentication to gain access to the vulnerable system; and it grants remote-code execution, which is the Holy Grail of exploits.”
Microsoft strongly urged users to apply the patch they provided in their weekly update. Indeed, bad actors are likely frothing to find a way to exploit the vulnerability due to its havoc-wreaking capability, said one security expert.
“This type of vulnerability is the most valuable to attackers because it enables remote command and control and privilege escalation,” said Satya Gupta, CTO and Co-founder of security firm Virsec. “If the bad guys can repeatedly access your system, and elevate their admin privileges, they pretty much own the system and can easily access any network assets or data connected to it.”
One million desktops is quite a lot, which means it’s highly likely all affected machines won’t all be patched in a timely fashion–or at all, experts said. “Most organizations are hampered by the fact that their vulnerability scanners can not presently test for this critical vulnerability,” the security firm RiskSense pointed out.
Some experts actually think 1 million is a conservative estimate. And, because the vulnerability is on older systems–Windows 7 and Windows Server 2008–it is more likely that these systems are more difficult to upgrade and also to patch, experts said.
“I personally would not be surprised if that [1 million] number is substantially larger,” said Jonathan Olivera, threat analyst for security firm Centripetal. “The amount of Window 7 and Windows Server 2008 hosts and web-facing virtual machines being used globally is well over 1 million. I also agree a large percentage of these systems are unpatched.”
Siemens sounds the Alarm
“Siemens Healthineers products are primary based on Microsoft Windows or can be installed on Microsoft Windows,” Marion Bludszuweit, a company spokesperson, told Security Ledger in a statement. “Some of these Siemens Healthineers products are affected by this vulnerability.”
The company put out a number of security advisories informating its customers of the situation and offering fixes and workarounds to patch systems, noting that “the exploitability of the vulnerability depends on the actual configuration and deployment environment of each product.”
The specific advisories provide specific advice for each product line, with Siemens making several recommendations depending on the products affected. At the very least, customers are advised to install the Microsoft patch, and in some cases Siemens is calling for customers to disable RDP and block TCP port 3389 to protect its systems.
So far, no one has reported an exploited BlueKeep vulnerability in a Siemens Heathineers product, Bludszuweitn added.
Healthcare systems in the crosshairs
Siemens Healthineers allows medical devices to connect over the cloud using Microsoft’s Azure platform. That poses a risk that is common to other Internet of Things devices. Namely: spreading malware expose not only devices affected by BlueKeep but also those not affected by it, but connected to- and dependent on an infected device.
Healthcare records alone also contain sensitive data that can be used by bad actors or sold on the Dark Web for nefarious purposes, warned Olivera. “Medical records these days consist of more than just health issues,” he said. “Modern records contain sensitive personal identifiable information.”
Olivera also questioned the use of older versions of Windows in critical IT healthcare systems from a well-established company, especially in the era of sophisticated malware.
“The fact that a company as well known as Siemens still has Windows 7 and or Windows Server 2008 on their production network or [on] client-facing [systems] is troublesome to me,” he said. “It tells me that leadership is out of touch with their security staff, or they have different priorities.”
The specific Healthineers product lines Siemens recommends patching include its Advanced Therapy Products; Siemens Healthineers Software Products; and Laboratory Diagnostic Products, among several others.
One complication those patching healthcare-related devices is that often Windows-based medical devices are not updated for compatibility reasons, said Yaron Kassner, CTO of security firm Silverfort. Restricting or even prohibiting their use might be the only way to secure these systems, he said.
“An exploit that enables access to, or control over, these devices can potentially be life-threatening, and therefore healthcare organizations must take measures to isolate these devices, and restrict and secure access to them,” Kassner said.