Two weeks have passed since Microsoft released security fixes and mitigation advice to defang exploits taking advantage of CVE-2019-0708 (aka BlueKeep), a wormable unauthenticated remote code execution flaw in Remote Desktop Services (RDP).
The vulnerability, reported by UK’s National Cyber Security Centre (NCSC), has the potential to be the means for attacks that could rival the 2017 WannaCry onslaught in size and effect.
A recent scanning effort by Robert Graham, head of offensive security research firm Errata Security, has revealed that there are still nearly a million vulnerable systems out there – and those are just the ones directly reachable on the public Internet: there are likely many, many more if we count systems inside organizations.
Luckily for defenders around the world, attackers have not yet succeeded in creating and deploying a workable and stable exploit.
Since Microsoft did not release any technical details about the vulnerability, both security researchers and potential attackers were left with one option: attempt to reverse-engineer Microsoft’s patch to discover the vulnerable component. While many security companies have since created an exploit, they have not shared it with the wider public.
Some scammers have seized the opportunity of increased media coverage and interest and have been trying to sell fake exploits, though.
In the meantime, IDS/IPS vendors have worked on creating (Snort, Suricata, Sigma) rules that can detect exploitation attempts, 0patch released a micropatch for computers that can’t have Microsoft’s update applied for whatever reason or can’t be restarted, and Check Point has equipped their endpoint protection solution with defenses against exploits targeting the flaw.
Also, different actors have been scanning the Internet to detect vulnerable systems. Some of these are performed by researchers, but some seem to be part of a reconnaissance effort by potential attackers.
GreyNoise is observing sweeping tests for systems vulnerable to the RDP "BlueKeep" (CVE-2019-0708) vulnerability from several dozen hosts around the Internet. This activity has been observed from exclusively Tor exit nodes and is likely being executed by a single actor. pic.twitter.com/iGwuGuD4Rq
— GreyNoise Intelligence (@GreyNoiseIO) May 25, 2019
What should organizations do?
CVE-2019-0708 affects all Windows and Windows Server versions except Windows 8 and Windows 10. Microsoft has provided patches for all of them, even those out-of-support (Windows XP, Windows Vista and Windows Server 2003).
The general advice for users is to implement the security updates.
Organizations are urged to do the same, but they may face limitations in following that approach. For those, available mitigations include:
- Disabling RDP services where not required
- Blocking port 3389 at the enterprise perimeter firewall, or configuring RDP to be accessible only via a VPN or from devices on the LAN
- Deploying IDS/IPS rules to detect the exploit (limited effectiveness due to traffic encryption)
- Enabling Network Level Authentication (NLA) (limited effectiveness if attackers can authenticate with valid credentials).
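The mitigations above can be checked on a single host before deciding which one applies. The following PowerShell script is an added example written for this page; it is not code from the article, from Microsoft or from any of the researchers mentioned. It reads the standard Terminal Server registry values (fDenyTSConnections and the RDP-Tcp UserAuthentication value that controls NLA), queries the TermService service, inspects host firewall rules for inbound TCP 3389 (the NetFirewall cmdlets exist only on Windows 8 / Server 2012 and later, so that check is skipped on older systems), and looks for the patch by KB number. The KB identifier is a placeholder that must be filled in from Microsoft's advisory for the specific OS version; the article does not list it.

```powershell
# Added example: audit one Windows host against the BlueKeep mitigations listed
# in the article. Run from an elevated PowerShell session on the host itself.
# Assumptions: standard Terminal Server registry locations, NetFirewall cmdlets
# (Windows 8 / Server 2012+), and a per-OS patch KB taken from Microsoft's advisory.

$TsKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpKey  = "$TsKey\WinStations\RDP-Tcp"
$PatchKb = 'KB<fill-in-from-Microsoft-advisory>'   # placeholder, not a real KB number

function Get-RdpExposure {
    # Collect raw facts; each is a simple boolean so the summary logic stays readable.
    $findings = [ordered]@{}

    # 1. RDP enabled? fDenyTSConnections = 1 means incoming connections are refused.
    $deny = (Get-ItemProperty -Path $TsKey -Name fDenyTSConnections `
             -ErrorAction SilentlyContinue).fDenyTSConnections
    $findings['RdpEnabled'] = ($deny -eq 0)

    # 2. Network Level Authentication required? UserAuthentication = 1 means yes.
    $nla = (Get-ItemProperty -Path $RdpKey -Name UserAuthentication `
            -ErrorAction SilentlyContinue).UserAuthentication
    $findings['NlaRequired'] = ($nla -eq 1)

    # 3. Remote Desktop Services actually running?
    $svc = Get-Service -Name TermService -ErrorAction SilentlyContinue
    $findings['ServiceRunning'] = [bool]($svc -and $svc.Status -eq 'Running')

    # 4. Any enabled inbound allow rule for TCP 3389 in the host firewall?
    #    On systems without the NetFirewall module this is reported as $null (unknown).
    if (Get-Command Get-NetFirewallPortFilter -ErrorAction SilentlyContinue) {
        $openRules = Get-NetFirewallPortFilter |
            Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -contains '3389' } |
            Get-NetFirewallRule |
            Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
        $findings['FirewallAllows3389'] = [bool]$openRules
    } else {
        $findings['FirewallAllows3389'] = $null
    }

    # 5. Patch present? Get-HotFix matches on the KB identifier.
    $findings['PatchInstalled'] = [bool](Get-HotFix -Id $PatchKb -ErrorAction SilentlyContinue)

    [pscustomobject]$findings
}

function Get-RdpRiskSummary {
    # Turn the facts into the decision the mitigation list implies, most
    # effective control first: disable RDP, patch, block the port, require NLA.
    $e = Get-RdpExposure
    if (-not $e.RdpEnabled -or -not $e.ServiceRunning) {
        return 'RDP disabled or stopped: not reachable through this vector.'
    }
    if ($e.PatchInstalled) {
        return 'RDP enabled but the update is installed.'
    }
    if ($e.FirewallAllows3389 -eq $false) {
        return 'Unpatched; host firewall blocks TCP 3389 (still exposed if rules change or from trusted networks).'
    }
    if ($e.NlaRequired) {
        return 'Unpatched and reachable; NLA is required, which only blocks unauthenticated exploitation.'
    }
    return 'UNPATCHED, reachable, no NLA: apply the update or disable RDP.'
}

# Usage: print the raw findings, then the one-line verdict.
Get-RdpExposure | Format-List
Get-RdpRiskSummary
```

The ordering in Get-RdpRiskSummary mirrors the caveats in the list: a firewall rule or NLA lowers exposure but does not remove the vulnerable code path, so the script still reports the host as unpatched in those cases rather than as safe.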
“More importantly, for large organizations, is to fix their psexec problem that allows such things to spread via normal user networking,” Graham noted.
“You may have only one old WinXP machine that’s vulnerable, that you don’t care if it gets infected with ransomware. But, that machine may have a Domain Admin logged in, so that when the worm breaks in, it grabs those credentials and uses them to log onto the Domain Controller. Then, from the Domain Controller, the worm sends a copy of itself to all the desktops and servers in the organization, using those credentials instead of the vuln.”
To discover which of their systems are affected, organizations have several scanners at their disposal:
- Graham’s rdpscan tool, which is good for scanning small networks
- RiskSense Senior Security Researcher Sean Dillon and another researcher who goes by JaGoTu have created a scanner that has been turned into a Metasploit plugin
- Tenable has released a set of plugins to detect the presence of CVE-2019-0708 and an uncredentialed check to enable customers to detect the wormable flaw.