There’s been a slight stir in the media of late about a vulnerability discovered in the Remote Desktop Services service on Microsoft Windows systems. Its CVE reference is CVE-2019-0708, but it is commonly being referred to as ‘BlueKeep’.
Unusually, the mainstream media seems to be giving this little coverage, while cyber security experts are warning of a ‘significant event’ likely in the next month or two.
The danger of BlueKeep can be summarised in the following bullet points:
- It affects Windows Server 2003 to Server 2008 R2 and desktop versions XP through to Windows 7 (Windows 8, Windows 10 and Server 2012 onwards are not affected).
- It allows RCE (Remote Code Execution) with SYSTEM privileges, before any authentication and without any user interaction, letting an attacker run code, install software, create accounts, etc.
- A BlueKeep exploit will likely be integrated into worm-like malware (malware that spreads itself), allowing it to move laterally across networks after the first breach, very possibly combined with ransomware.
- There are estimated to be around 1 million vulnerable internet-facing systems.
Sounds scary but is it really a problem?
While the IT sector has been accused of being prone to bandwagonism and scare tactics (cough, cough, Y2K bug, cough), in this case the threat does seem very real. For me the key signs that this is severe are:
- Microsoft has even released patches for BlueKeep for end-of-life versions such as XP, Vista and Server 2003, something it hasn’t done since the WannaCry outbreak.
- The NSA has taken the unusual step of issuing their own advisory urging system administrators to update their systems.
- Most cyber security experts are warning of possible disruption on the scale of WannaCry.
- Multiple internet-wide scans for vulnerable systems have been detected coming from Tor exit nodes (in other words, whoever is scanning is hiding their real source address behind Tor), indicating criminals are preparing target lists.
Could 1 Million Systems really be compromised?
No. It will likely be more.
A big concern for me is that while there are 1 million vulnerable systems on the Internet, if a worm is created it will immediately attempt to propagate to the internal systems each compromised server is connected to.
For example: a company has a server on the corporate network with RDP exposed to the Internet for maintenance or remote workers. If that server is infected from the Internet, the malware will spread to every internal PC it can reach over RDP (WannaCry style). Those internal hosts don’t need to be internet-facing at all; they only need to be unpatched and have RDP enabled.
A quick search on Shodan for systems with port 3389 open (the default RDP port) finds 4,136,313 systems online.
Many systems will be on non-standard ports to make them marginally harder to find (but far from impossible; a port change is not a security control). A quick search for systems on the alternative port 3388, for example, shows a significant number of systems (68,301), as does a search just for the “Remote Desktop Connection” banner.
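As an added example (this is not code from the original post, nor from the scanner linked below), the Python script here sends the first packet of the RDP handshake, an X.224 Connection Request asking for standard RDP security only, and interprets the server’s Connection Confirm. That confirms RDP on whatever port it has been moved to, and, because the request deliberately refuses CredSSP, the reply also tells you whether the server will let an unauthenticated client past the negotiation step: a server that accepts standard security or only insists on TLS still exposes the pre-authentication part of the connection, which is where an unpatched server is vulnerable, whereas one that answers HYBRID_REQUIRED_BY_SERVER will not talk further without NLA. The sample replies at the bottom are constructed by hand to exercise the parser offline, and the mstshash cookie name is arbitrary. This is a reachability check, not a vulnerability check: it says nothing about whether the patch is installed.

```python
#!/usr/bin/env python3
"""Probe a TCP port for RDP and report whether it accepts clients without NLA.

Only the ordinary connection negotiation from MS-RDPBCGR is used: the client
sends an X.224 Connection Request with RDP_NEG_REQ(requestedProtocols=RDP) and
reads the Connection Confirm. Nothing beyond that first packet is sent.
"""
import socket
import struct
import sys

# requestedProtocols / selectedProtocol values (MS-RDPBCGR 2.2.1.1.1, 2.2.1.2.1)
PROTOCOL_RDP = 0x00000000      # standard RDP security, no NLA
PROTOCOL_SSL = 0x00000001      # TLS, still no NLA
PROTOCOL_HYBRID = 0x00000002   # CredSSP, i.e. NLA

TYPE_RDP_NEG_REQ = 0x01
TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03

# RDP_NEG_FAILURE failureCode values (MS-RDPBCGR 2.2.1.2.2)
FAILURE_CODES = {
    1: "SSL_REQUIRED_BY_SERVER",
    2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER",
    4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER",
    6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}
NLA_FAILURE_CODES = {5, 6}  # the server refuses to continue without CredSSP


def build_connection_request(requested=PROTOCOL_RDP, cookie=b"Cookie: mstshash=probe\r\n"):
    """TPKT header + X.224 Connection Request carrying an RDP_NEG_REQ."""
    neg_req = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested)
    # CR code 0xE0, DST-REF (2), SRC-REF (2), class option (1), cookie, RDP_NEG_REQ
    x224_body = b"\xe0\x00\x00\x00\x00\x00" + cookie + neg_req
    x224 = bytes([len(x224_body)]) + x224_body          # length indicator first
    tpkt = struct.pack(">BBH", 3, 0, 4 + len(x224))     # version 3, reserved, total length
    return tpkt + x224


def parse_connection_confirm(data):
    """Interpret the server's reply to build_connection_request()."""
    # TPKT version byte 0x03 and X.224 Connection Confirm code 0xD0 mark RDP.
    if len(data) < 11 or data[0] != 0x03 or data[5] != 0xD0:
        return {"rdp": False, "nla_required": None, "detail": "not an X.224 Connection Confirm"}
    if data[4] == 6:
        # No RDP_NEG_RSP at all: a pre-negotiation server, standard security only.
        return {"rdp": True, "nla_required": False, "detail": "no negotiation block, standard security only"}
    if len(data) < 19:
        return {"rdp": False, "nla_required": None, "detail": "truncated negotiation block"}
    ntype, _flags, _length, value = struct.unpack("<BBHI", data[11:19])
    if ntype == TYPE_RDP_NEG_RSP:
        return {"rdp": True, "nla_required": False, "detail": f"accepted selectedProtocol={value}"}
    if ntype == TYPE_RDP_NEG_FAILURE:
        # SSL_REQUIRED_BY_SERVER only asks for TLS; an unauthenticated client would
        # still get through negotiation, so only the CredSSP codes count as NLA.
        name = FAILURE_CODES.get(value, f"unknown failureCode {value}")
        return {"rdp": True, "nla_required": value in NLA_FAILURE_CODES, "detail": name}
    return {"rdp": False, "nla_required": None, "detail": f"unexpected negotiation type {ntype}"}


def probe(host, port=3389, timeout=5.0):
    """Send one Connection Request to host:port and classify the reply (network call)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connection_request())
        data = sock.recv(1024)
    return parse_connection_confirm(data)


# Constructed sample replies (hand-built, not captured from real hosts) for offline testing.
_CC_HEADER = bytes.fromhex("0ed00000123400")  # LI=14, CC, DST-REF, SRC-REF, class
SAMPLE_LEGACY_CC = bytes.fromhex("0300000b06d00000123400")
SAMPLE_NLA_REQUIRED = bytes.fromhex("03000013") + _CC_HEADER + struct.pack("<BBHI", TYPE_RDP_NEG_FAILURE, 0, 8, 5)
SAMPLE_STANDARD_ACCEPTED = bytes.fromhex("03000013") + _CC_HEADER + struct.pack("<BBHI", TYPE_RDP_NEG_RSP, 0, 8, PROTOCOL_RDP)
SAMPLE_NOT_RDP = b"SSH-2.0-OpenSSH_7.4\r\n"

if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: rdp_probe.py HOST [PORT]")
    print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 3389))
```

Run it against a host you are authorised to test, with the port as the second argument for anything moved off 3389. A result of `nla_required: False` on a Windows 7 or Server 2008 host is the case to chase first, because an attacker needs no credentials to reach the vulnerable code there; `nla_required: True` narrows the exposure to anyone holding a valid account but does not remove it.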
A scanner has already been released that can query systems to see not only if they are running RDP but also if they have the BlueKeep vulnerability: https://github.com/zerosum0x0/CVE-2019-0708. No doubt criminals are racing to be the first to develop malware able to exploit this vulnerability and monetise it.
If you haven’t already, ensure you have patched all of your servers and PCs with the update. Any systems which you cannot update for some reason should have RDP disabled, or at the very least be taken off the Internet and put behind a firewall or VPN. Enabling Network Level Authentication (NLA) is a worthwhile interim step, since it forces the client to authenticate before the vulnerable code is reached, but it is only a partial mitigation: anyone holding valid credentials for the machine can still trigger the bug, so it is no substitute for the patch.