Predicting CVE-2019-0708

May 15, 2019 Jonathan Cran

UPDATE 20190723: A working exploit is now available in Immunity Canvas.

UPDATE 20190719: A technical document from Keenlab was posted detailing how to exploit the vulnerability.

UPDATE 20190604: The NSA is now urging organizations to patch.

UPDATE 20190604: Notice of a functional, private MSF module posted by @zerosum0x0 to Twitter.

UPDATE 20190603: Additional exposure analysis from Intrigue.io, indicating at least 17 of the Fortune 500 are still vulnerable to Bluekeep.

UPDATE 20190531: An excellent technical analysis and writeup of BlueKeep from @MalwareTech.

UPDATE 20190530: Additional Guidance from Microsoft, again, urging users to patch.

UPDATE 20190528: Rob Graham posted some analysis indicating close to a million systems directly exposed to the internet are vulnerable.

UPDATE 20190525: A Metasploit Scanner Module is now available.

UPDATE 20190523: Another WIP POC from @n1xbyte. Currently blue-screening, not landing.

UPDATE 20190521: A PoC check (not Exploit!) for XP and Windows 7 is now available with the Metasploit port in progress. A call for testers is underway.

UPDATE 20190521: A PoC targeting Windows XP SP3 (only) is being worked on in a public Github repository, under the username “digital-missiles”. Additionally, NCC group has published an initial Suricata detection rule.

UPDATE 20190515: Chaouki Bekrar of Zerodium has publicly confirmed the exploitability of the vulnerability via a tweet. Zerodium in an independent exploit broker, paying up to $1,000,000 for zero day exploits in Microsoft Windows. No functional public exploit is currently known to be available. We will continue to monitor the situation.

We've confirmed exploitability of Windows Pre-Auth RDP bug (CVE-2019-0708) patched yesterday by Microsoft. Exploit works remotely, without authentication, and provides SYSTEM privileges on Windows Srv 2008, Win 7, Win 2003, XP. Enabling NLA mitigates the bug. Patch now or GFY!

— Chaouki Bekrar (@cBekrar) May 15, 2019

ORIGINAL POST:

Like many of you, we’ve been monitoring for activity around the “potentially wormable” RDP vulnerability announced by Microsoft yesterday: CVE-2019-0708. The vulnerability has been compared to Wannacry in its severity.  Kenna’s sensor network has not yet seen a public exploit or exploitation in the wild, but we can confirm that attempts are being made to reverse the patch and craft an exploit.

Our exploit prediction model is currently reporting that CVE-2019-0708 will be exploited with a HIGH likelihood. The prediction model works by synthesizing many variables about a vulnerability associated with known exploitation activity and providing an immediate assessment of likelihood. For more information on the details and accuracy of the prediction model, see Don’t Leave Vulnerability Remediation to Chance or the reports in our Prioritization to Prediction series.

There are a number of fake and trick exploits currently being shared via Github and Twitter, so – as always – use caution and common sense before testing exploits and executing any untrusted code.

The vulnerability itself provides remote code execution in Remote Desktop Services, allowing an unauthenticated attacker to obtain Remote Code Execution with no requirement for user interaction. The vullnerability affects the following OS:

  • Windows XP (all)
  • Windows 2003 (all)
  • Windows 7 SP 1 (32 and 64 bit)
  • Windows Server 2008:
    • 32 bit SP2
    • 32 bit SP2 (Server Core Installation)
    • Itanium-Based SP2
    • 64 bit SP2
    • 64 bit SP2 (Server Core Installation
  • Windows Server 2008 R2:
    • R2 for Itanium-Based Systems SP1
    • R2 for 64 bit Systems SP1
    • R2 for 64 bit Systems SP1 (Server Core Installation)

The major vulnerability scanners are actively adding coverage, and some are currently able to identify it via authenticated checks. We’ll update this list as more information becomes available:

Microsoft recommends that organizations immediately update affected Windows systems and enable Network Level Authentication (NLA) on Windows 7, Windows Server 2008, and Windows Server 2008 R2. NLA is not available for Windows versions prior to Vista. If NLA is enabled, an attacker must successfully authenticate to reach the vulnerable RDS component. Organizations should disable RDS on systems that do not require remote access.

Based on numbers from Binary Edge, there are approximately 2.6 million RDP servers directly connected to the internet today – as measured in the last 30 days. RDP uses TCP port 3389 and we recommend removing or firewalling hosts from direct exposure to the Internet, and if access is strictly required – place hosts behind a VPN. Similarly on internal networks, hosts should be updated, and if possible, RDP disabled, firewalled, or segmented within the applicable networks.

If you’re currently a Kenna customer and logged in, you can use this search to identify systems vulnerable to CVE-2019-0708:

 cve:2019-0708 

The post Predicting CVE-2019-0708 appeared first on Kenna Security.

Previous Article
Nearly 20% of the 1000 Most Popular Docker Containers Have No Root Password
Nearly 20% of the 1000 Most Popular Docker Containers Have No Root Password

Earlier this month, Talos released research showing that the Alpine Linux docker images were shipping with ...

Next Article
Gaining Visibility in an AppSec World
Gaining Visibility in an AppSec World

It’s no secret that application security professionals face an uphill battle as they attempt to influence d...