Almost one million systems running Windows XP through Windows 7, and their server counterparts, are reachable from the Internet and, because they are missing updates, can be attacked via the BlueKeep vulnerability.
BlueKeep vulnerability: The risk increases
The CVE-2019-0708 vulnerability, known since May 14, 2019, could soon become one of the biggest security risks to Windows systems since WannaCry and NotPetya. Many Windows systems have still not received the necessary security updates.
The situation is still ‘relatively relaxed’, as I am not aware of any publicly available exploit that could be used to spread malware across the network via this vulnerability. But that is only a matter of time. And in the blog post A threat actor scans Windows systems for BlueKeep vulnerability I reported that an attacker had probably already started scanning networks for vulnerable Windows computers via a Tor node.
A first BlueKeep scanner
Security researcher Kevin Beaumont has written a scanner to test network segments for the BlueKeep vulnerability.
Unauthenticated CVE-2019-0708 (RDP RCE) scanner PoC from @JaGoTu and me. Can be automated to check your systems or pad your pentest report this week. @Metasploit port in progress. Submit fixes not tixes. https://t.co/hjsPQdmI2w pic.twitter.com/eOrNm3TRHe
— zǝɹosum0x0 (@zerosum0x0) 22 May 2019
It is a Docker project and is available on GitHub. Since I don’t have a Docker infrastructure here, I couldn’t test anything myself. But Kevin Beaumont points out in the following tweet that the situation is becoming more explosive.
A warning re CVE-2019-0708 aka BlueKeep.
There is a significantly higher number of internet-accessible devices vulnerable than were vulnerable to MS17-010 during WannaCry. I have scan results from back then using @zerosum0x0’s scanner (they also wrote the BlueKeep scanner).
— Kevin Beaumont (@GossiTheDog) 28 May 2019
In his scans he found a significantly higher number of Windows systems vulnerable to BlueKeep than he had found vulnerable to the EternalBlue vulnerability (MS17-010) that caused the WannaCry ransomware outbreak in 2017. Not exactly reassuring news.
One million machines unpatched
Robert Graham, head of the security research firm Errata Security, has also conducted an Internet-wide scan for the BlueKeep vulnerability. He used the masscan tool to find machines with port 3389 (used by Remote Desktop) open. After a few hours he had 7 million hits. With a further tool, rdpscan, he then checked the hosts on that list for Windows systems that were vulnerable to BlueKeep. As he writes here, he came across almost 1 million unpatched systems. Concretely, there are probably around 950,000 publicly accessible computers on the Internet that are susceptible to the BlueKeep bug. The Hacker News has summarized the whole thing here.
Since the BlueKeep vulnerability allows an attacker to take over systems and can be used for worm-like propagation, the danger of ransomware attacks using techniques like those of NotPetya and WannaCry is increasing. It may only be a matter of time.
Robert Graham believes that hackers can develop a robust exploit for this vulnerability within a month or two. After that, an outbreak of malware affecting those 1 million computers can be expected. Graham writes:
This is likely to lead to an event as damaging as WannaCry and notPetya of 2017 – possibly worse, as hackers have refined their ability to use these things for ransoms and other shameful purposes.
The only remaining option is to urge people to patch the affected Windows systems. On April 14, 2019, Microsoft released updates to close the vulnerability (see Critical update for Windows XP up to Windows 7 (May 2019)).
Details about CVE-2019-0708
The vulnerability known as CVE-2019-0708 lies in Windows Remote Desktop Services, formerly known as Terminal Services. An unauthenticated attacker can connect to a target system via RDP using specially crafted requests; no valid credentials are needed to reach the vulnerable code, which is what makes the flaw so dangerous.
An attacker who has successfully exploited this vulnerability could execute arbitrary code on the target system. This includes installing programs, viewing, modifying, or deleting data, and creating new accounts with full user privileges. This critical vulnerability exists in the following versions of Windows:
- Windows XP
- Windows Server 2003
- Windows Vista
- Windows 7
- Windows Server 2008
- Windows Server 2008 R2
Starting with Windows 8, the vulnerability no longer exists in the Remote Desktop service. On May 14, 2019, Microsoft released a security update for older versions of Windows, from Windows XP to Windows 7, that closes the critical vulnerability CVE-2019-0708 in Remote Desktop Services (see Critical update for Windows XP up to Windows 7 (May 2019)).
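The same two pieces of information the post relies on, which hosts expose TCP port 3389 (Graham's masscan step) and which Windows versions are affected (the list above), are enough to build a patch priority list for your own network. The following Python script is an added example written for this post; it is not Graham's tooling, not the rdpscan or BlueKeep scanner code, and not from Microsoft. It assumes masscan's default stdout line format ("Discovered open port 3389/tcp on <ip>") and an asset inventory that already carries a per-host "patched" flag from your patch management; the IP addresses, inventory and scan lines are constructed sample data.

```python
import re

# Windows versions the post lists as affected by CVE-2019-0708 (BlueKeep).
AFFECTED_VERSIONS = {
    "Windows XP",
    "Windows Server 2003",
    "Windows Vista",
    "Windows 7",
    "Windows Server 2008",
    "Windows Server 2008 R2",
}

RDP_PORT = 3389  # TCP port used by Remote Desktop, as in the post

# Assumed masscan stdout format, one line per open port, e.g.
# "Discovered open port 3389/tcp on 192.0.2.10"
MASSCAN_LINE = re.compile(r"Discovered open port (\d+)/tcp on (\S+)")

# Priority order for the patch list: most urgent first.
PRIORITY = ["patch-now", "unknown-os", "patch", "ok"]


def parse_masscan(output):
    """Return the set of IPs on which masscan reported RDP_PORT open."""
    exposed = set()
    for line in output.splitlines():
        match = MASSCAN_LINE.search(line)
        if match and int(match.group(1)) == RDP_PORT:
            exposed.add(match.group(2))
    return exposed


def classify(host, exposed):
    """Assign one status to an inventory record {'ip', 'os', 'patched'}.

    'patched' is an assumed field fed from patch management; 'ok' means
    either the OS is not affected or the May 2019 update is installed.
    """
    affected = host["os"] in AFFECTED_VERSIONS
    if not affected or host["patched"]:
        return "ok"
    return "patch-now" if host["ip"] in exposed else "patch"


def triage(inventory, masscan_output):
    """Build a prioritised patch list from an inventory and a masscan run.

    Returns a list of (ip, status) tuples sorted most urgent first.
    Exposed IPs missing from the inventory are reported as 'unknown-os'
    so that an unmanaged RDP host is never silently assumed to be safe.
    """
    exposed = parse_masscan(masscan_output)
    statuses = {host["ip"]: classify(host, exposed) for host in inventory}
    for ip in exposed - set(statuses):
        statuses[ip] = "unknown-os"
    return sorted(statuses.items(), key=lambda kv: (PRIORITY.index(kv[1]), kv[0]))


# Constructed sample data (not real scan results): a masscan run against
# the documentation range 192.0.2.0/24 and a small inventory with patch state.
SAMPLE_MASSCAN = """\
Discovered open port 3389/tcp on 192.0.2.10
Discovered open port 3389/tcp on 192.0.2.11
Discovered open port 443/tcp on 192.0.2.12
Discovered open port 3389/tcp on 192.0.2.13
Discovered open port 3389/tcp on 192.0.2.99
"""

SAMPLE_INVENTORY = [
    {"ip": "192.0.2.10", "os": "Windows 7", "patched": False},
    {"ip": "192.0.2.11", "os": "Windows Server 2008 R2", "patched": True},
    {"ip": "192.0.2.12", "os": "Windows Server 2003", "patched": False},
    {"ip": "192.0.2.13", "os": "Windows 10", "patched": False},
]

if __name__ == "__main__":
    for ip, status in triage(SAMPLE_INVENTORY, SAMPLE_MASSCAN):
        print(f"{ip:<14} {status}")
```

In the sample run the Windows 7 host with RDP reachable comes first, the exposed host that is missing from the inventory second (it needs identifying before anyone can say it is safe), the unexposed Windows Server 2003 host third, and the patched and unaffected hosts last. Note that an open port 3389 alone says nothing about the patch state; the script only ranks work, while confirming exposure still needs an inventory or a check like rdpscan.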
A threat actor scans Windows systems for BlueKeep vulnerability
BlueKeep: Windows Remote Desktop Services vulnerability exploits status
Critical update for Windows XP up to Windows 7 (May 2019)