UPDATE 20190604: The NSA is now urging organizations to patch.
UPDATE 20190603: Additional exposure analysis from Intrigue.io, indicating at least 17 of the Fortune 500 are still vulnerable to Bluekeep.
UPDATE 20190530: Additional Guidance from Microsoft, again, urging users to patch.
UPDATE 20190528: Rob Graham posted some analysis indicating close to a million systems directly exposed to the internet are vulnerable.
UPDATE 20190523: Another WIP POC from @n1xbyte. Currently blue-screening, not landing.
UPDATE 20190521: A PoC targeting Windows XP SP3 (only) is being worked on in a public Github repository, under the username “digital-missiles”. Additionally, NCC group has published an initial Suricata detection rule.
UPDATE 20190515: Chaouki Bekrar of Zerodium has publicly confirmed the exploitability of the vulnerability via a tweet. Zerodium in an independent exploit broker, paying up to $1,000,000 for zero day exploits in Microsoft Windows. No functional public exploit is currently known to be available. We will continue to monitor the situation.
Like many of you, we’ve been monitoring for activity around the “potentially wormable” RDP vulnerability announced by Microsoft yesterday: CVE-2019-0708. The vulnerability has been compared to Wannacry in its severity. Kenna’s sensor network has not yet seen a public exploit or exploitation in the wild, but we can confirm that attempts are being made to reverse the patch and craft an exploit.
Our exploit prediction model is currently reporting that CVE-2019-0708 will be exploited with a HIGH likelihood. The prediction model works by synthesizing many variables about a vulnerability associated with known exploitation activity and providing an immediate assessment of likelihood. For more information on the details and accuracy of the prediction model, see Don’t Leave Vulnerability Remediation to Chance or the reports in our Prioritization to Prediction series.
There are a number of fake and trick exploits currently being shared via Github and Twitter, so – as always – use caution and common sense before testing exploits and executing any untrusted code.
The vulnerability itself provides remote code execution in Remote Desktop Services, allowing an unauthenticated attacker to obtain Remote Code Execution with no requirement for user interaction. The vullnerability affects the following OS:
- Windows XP (all)
- Windows 2003 (all)
- Windows 7 SP 1 (32 and 64 bit)
- Windows Server 2008:
- 32 bit SP2
- 32 bit SP2 (Server Core Installation)
- Itanium-Based SP2
- 64 bit SP2
- 64 bit SP2 (Server Core Installation
- Windows Server 2008 R2:
- R2 for Itanium-Based Systems SP1
- R2 for 64 bit Systems SP1
- R2 for 64 bit Systems SP1 (Server Core Installation)
The major vulnerability scanners are actively adding coverage, and some are currently able to identify it via authenticated checks. We’ll update this list as more information becomes available:
- Rapid7 (local check)
- Qualys (local check)
- Tenable (local check)
- Tenable (local check)
- Tenable (local check – XP/2003 specific)
Microsoft recommends that organizations immediately update affected Windows systems and enable Network Level Authentication (NLA) on Windows 7, Windows Server 2008, and Windows Server 2008 R2. NLA is not available for Windows versions prior to Vista. If NLA is enabled, an attacker must successfully authenticate to reach the vulnerable RDS component. Organizations should disable RDS on systems that do not require remote access.
Based on numbers from Binary Edge, there are approximately 2.6 million RDP servers directly connected to the internet today – as measured in the last 30 days. RDP uses TCP port 3389 and we recommend removing or firewalling hosts from direct exposure to the Internet, and if access is strictly required – place hosts behind a VPN. Similarly on internal networks, hosts should be updated, and if possible, RDP disabled, firewalled, or segmented within the applicable networks.
If you’re currently a Kenna customer and logged in, you can use this search to identify systems vulnerable to CVE-2019-0708: