PN1072 | Notice Regarding BlueKeep: Windows Security Vulnerability (CVE-2019-0708)

Introduction

Description

Version 1.0 – May 20, 2019

On May 14, 2019, Microsoft disclosed the existence of, and released the relevant patches for, a critical security vulnerability in relation to the Remote Desktop (RDP) functionality in Windows desktop and server operating systems. According to Microsoft’s disclosures, this vulnerability impacts older versions of Windows products up to Windows 7 and Windows Server 2008. Microsoft has also stated that it has not observed any evidence of attacks against this vulnerability, but that its presence poses a very serious threat that could expose users of the Remote Desktop functionality, including Rockwell Automation customers, to the potential of a rapidly spreading malware attack.

At this time, Rockwell Automation has not identified any products susceptible to this vulnerability. If any products are identified that could be potentially impacted, we will notify our customers with a post to KnowledgeBase, as appropriate.

Customers using affected versions of Windows operating systems are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations. Additional details relating to the Windows vulnerability, including affected products and recommended countermeasures, are provided herein.

VULNERABILITY DETAILS AND AFFECTED PRODUCTS

Customers should reference the Microsoft publication for details and list of affected products: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708.

RECOMMENDED USER ACTIONS

Customers should understand their potential exposure to this vulnerability by completing a thorough asset inventory and vulnerability management program.

Customers using the affected operating systems are encouraged to evaluate and apply the Microsoft-provided patches at the earliest possible time. Rockwell Automation provides preliminary qualification for supported Microsoft operating systems. Customers can find the status of Rockwell Automation’s test results at any time by referencing its Microsoft Patch Qualification site: https://www.rockwellautomation.com/ms-patch-qualification/qualifications.htm.

Customers who are unable to update should consider the alternative mitigations provided by Microsoft. Always refer to the Microsoft advisory for the most recent recommendations.

• Disable the RDP service.
  • Consider impact of blocking the RDP service on critical hosts and be prepared to execute this if the need arises.
• Restrict RDP Traffic from untrusted networks (especially from external sources) if possible via a perimeter-based control such as firewall or IPS.
  • Ports TCP/3389.
  • Consider the impact of critical processes that require personnel to RDP into hosts before taking this action.
• Establish and execute a proper backup and disaster recovery plan for their organization’s assets.

GENERAL SECURITY GUIDELINES

• Utilize proper network infrastructure controls, such as firewalls, to help ensure that communications from unauthorized sources are blocked.
• Use trusted software, software patches, antivirus/antimalware programs, and interact only with trusted web sites and attachments.
• Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article ID 494865.
• Locate control system networks and devices behind firewalls, and isolate them from the business network.
• When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to its Product Security Incident Response FAQ document.

Refer to the Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to its systems in the future. For more information and for assistance with assessing the state of security of their existing control system, including improving their system-level security when using Rockwell Automation and other vendor controls products, customers can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
Please direct all media inquiries to Keith Lester (klester@ra.rockwell.com).

ADDITIONAL LINKS

• 54102 - Industrial Security Advisory Index
• Industrial Firewalls within a CPwE Architecture
• Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide

REVISION HISTORY

KCS Status