An internet-wide scan has revealed almost one million devices vulnerable to BlueKeep, the Windows vulnerability that has the security community on high alert this month.
BlueKeep is better known as CVE-2019-0708, a vulnerability that Microsoft announced in its May Patch Tuesday release that affects Windows Remote Desktop Services, accessible via the RDP protocol. It allows for remote code execution and is wormable, meaning that a compromised Windows machine could seek out and infect other vulnerable devices with no human interaction. Worms can spread quickly online, as we saw with the WannaCry ransomware exploit in 2017.
BlueKeep affects Windows XP, Vista, and 7 machines, but not Windows 8 or 10 boxes. The older versions make up around 35% of Windows installations, according to Statcounter. The flaw also affects Windows Server 2003 and 2008.
Security researcher Rob Graham ran a two-part scanning project to find out how many machines were vulnerable to this worrying flaw. He began by scanning the entire internet using a mass-scanning tool to find all devices responding on port 3389, the port most commonly used with RDP.
Then, he honed the results by forking a BlueKeep scanner project that ended up in the Metasploit pen testing tool last week. His fork created rdpscan, a tool designed to quickly iterate over a large set of addresses looking for Windows boxes vulnerable to BlueKeep exploits.
He did this over Tor, but says he probably wasn’t the person who caused a spike in RDP scans via the anonymous onion routing service last week:
GreyNoise is observing sweeping tests for systems vulnerable to the RDP "BlueKeep" (CVE-2019-0708) vulnerability from several dozen hosts around the Internet. This activity has been observed from exclusively Tor exit nodes and is likely being executed by a single actor.
— GreyNoise (@GreyNoiseIO) May 25, 2019
That’s far more systems vulnerable to BlueKeep than there were vulnerable to the flaw that enabled WannaCry to spread around the globe in a day.
Kevin Beaumont, the security researcher who gave BlueKeep its nickname, pointed out that the number of machines exposed to the internet via RDP is just the tip of the iceberg:
https://twitter.com/GossiTheDog/status/1133340607336861696
Microsoft has released patches for this flaw (here and here). The problem, as with the CVE-2017-0144 vulnerability that prompted WannaCry, is getting people to apply them. There was a patch available for CVE-2017-0144 two months before WannaCry appeared, but it still wreaked havoc.
So if you haven’t patched already, you’d better get on with it, says Naked Security’s Paul Ducklin:
The word ‘zero-day’ understandably fills us with dread, because it refers to an exploitable hole that is already being attacked but for which no patch yet exists. So don’t turn already-patched holes back into your own personal zero-day situation by not applying patches that do exist! The crooks will not only go looking and find you, but also have the keys to the castle in advance.
Some tardy patching is down to a lack of awareness, but complexity is also an issue. If you have Windows XP Embedded running on an arcane piece of equipment that’s supporting a critical process, patching it is a scary prospect.
If you’re unable to patch immediately, there are other things you can do in the meantime. The clearest is turning off Remote Desktop Services if you don’t need it, or at least turning on Network Level Authentication (NLA) for it if you do. You could also block port 3389 at the external firewall.
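To audit and, if you choose, apply the NLA mitigation on a single Windows host, here is an added PowerShell script (not from the article, and not Microsoft’s own guidance); it assumes the default RDP-Tcp listener and uses a -EnforceNla switch name of my own choosing.

```powershell
# Added example: report whether Remote Desktop is enabled and whether NLA is
# required on this host, and optionally turn NLA on. Uses Win32_TSGeneralSetting,
# which exists on Windows 7 / Server 2008 as well as newer releases, and
# Get-WmiObject, which works on the PowerShell 2.0 that ships with Windows 7.
param(
    [switch]$EnforceNla   # assumed switch name; pass it to turn NLA on
)

$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
# fDenyTSConnections = 1 means Remote Desktop is switched off entirely.
$rdpDenied = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections

# The RDP-Tcp listener is the default one exposed on TCP 3389.
$rdpTcp = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
    -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
$nlaOn = [bool]$rdpTcp.UserAuthenticationRequired

Write-Host ("Remote Desktop enabled : {0}" -f (-not [bool]$rdpDenied))
Write-Host ("NLA required           : {0}" -f $nlaOn)

if ($rdpDenied -eq 1) {
    Write-Host 'Remote Desktop is off; this service is not listening on 3389.'
}
elseif (-not $nlaOn) {
    Write-Warning 'RDP is on and NLA is off: unauthenticated clients reach the vulnerable service directly.'
    if ($EnforceNla) {
        # SetUserAuthenticationRequired is a method of Win32_TSGeneralSetting.
        $result = $rdpTcp.SetUserAuthenticationRequired(1)
        if ($result.ReturnValue -eq 0) {
            Write-Host 'NLA enabled for RDP-Tcp: clients must now authenticate before a session is created.'
        } else {
            Write-Warning ("Failed to enable NLA (return code {0})." -f $result.ReturnValue)
        }
    } else {
        Write-Host 'Re-run with -EnforceNla to turn NLA on, or disable RDP / block TCP 3389 at the firewall.'
    }
}
else {
    Write-Host 'NLA is on: an attacker needs valid credentials before reaching the flaw. Still apply the patch.'
}
```

Turning NLA on blocks RDP clients that do not support CredSSP, so check what connects to the host before enforcing it, and treat NLA as a stopgap rather than a substitute for the patch.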
Experts concur that a real-world exploit is likely a matter of time, and several security vendors have now demonstrated working code that they are not releasing.
The race to patch is on.
IT
If security researchers created a working exploit for this vulnerability last week, you can bet that bad actors are going to have a working exploit this week more than likely. I bet we start seeing wide-scale infection over the next few weeks. Please infrastructure/IT/patching teams – PATCH your systems! Firewalls alone are no longer going to keep you safe. IDS/IPS alone isn’t going to keep you safe. Endpoint AV isn’t going to keep you safe. You should be regularly patching (and sadly, most organizations are not). Patching is the basics and should be a no-brainer!
Anonymous
what he said
Andrew
I’m curious about the recommendation to enable Network Level Authentication. On the original notification from Microsoft they listed this as a mitigation. This mitigation subsequently disappeared from their notification and all without a revision number for the article. Very strange….
Danny Bradbury
Microsoft still explicitly recommends enabling NLA in one of the articles I linked to in the story (the second ‘here’ in ‘here and here’). The recommendation explains: “With NLA turned on, an attacker would first need to authenticate to Remote Desktop Services using a valid account on the target system before the attacker could exploit the vulnerability.”
Anonymous
What kind of sysadmin has an inbound RDP policy in their firewall? Really bad idea. Better to use a VPN, or if that’s beyond your skill set, a jump box running TeamViewer/Bomgar etc.
Anonymous
What a mess, just another ‘open RDP’ exploit for people who have no idea what they’re doing…
Network segmentation, VPNs, Access Control Systems…
Are these foreign or do people actually not set these up in every system they run?
Mark Stockley
In computing, as in life, the most followed path will be the path of least resistance.