An internet-wide scan has revealed almost one million devices vulnerable to BlueKeep, the Windows vulnerability that has the security community on high alert this month.
BlueKeep is better known as CVE-2019-0708, a vulnerability that Microsoft announced in its May Patch Tuesday release that affects Windows Remote Desktop Services, accessible via the RDP protocol. It allows remote code execution and is wormable, meaning that a compromised Windows machine could seek out and infect other vulnerable devices with no human interaction. Worms can spread quickly online, as we saw with the WannaCry ransomware exploit in 2017.
BlueKeep affects Windows XP, Vista, and 7 machines, but not Windows 8 or 10 boxes. The older versions make up around 35% of Windows installations, according to Statcounter. The flaw also affects Windows Server 2003 and 2008.
Security researcher Rob Graham ran a two-part scanning project to find out how many machines were vulnerable to this worrying flaw. He started by scanning the entire internet with a mass-scanning tool to find all devices responding on port 3389, the port most commonly used for RDP.
Then he honed the results by forking a BlueKeep scanner project that ended up in the Metasploit pen testing tool last week. His fork, rdpscan, is a tool designed to iterate over a large set of addresses looking for hosts vulnerable to BlueKeep exploits.
He did this over Tor, but he probably wasn't the person who caused a spike in RDP scans via the anonymous onion routing service last week:
GreyNoise is observing sweeping tests for systems vulnerable to the RDP "BlueKeep" (CVE-2019-0708) vulnerability fr … twitter.com/i/web/status/ 1…
GreyNoise Intelligence (@GreyNoiseIO) May 25, 2019
That's far more machines vulnerable to BlueKeep than there were vulnerable to the flaw that enabled WannaCry to spread around the globe in a day.
Kevin Beaumont, the security researcher who gave BlueKeep its nickname, pointed out that the number of machines exposed to the internet via RDP is just the tip of the iceberg:
Spoiler: it will be way, way higher when you get to systems inside organizations.
Kevin Beaumont (@GossiTheDog) May 28, 2019
Microsoft has released patches for this flaw (here and here). The problem, as with the CVE-2017-0144 vulnerability that prompted WannaCry, is getting people to apply them. There was a patch available for CVE-2017-0144 two months before WannaCry appeared, but it still wreaked havoc.
So if you haven't patched already, you'd better get on with it. Here's the advice of Paul Ducklin, Senior Technologist at Sophos:
The word 'zero-day' understandably fills us with dread, because it refers to an exploitable hole that is already being attacked but for which no patch exists. So don't turn already-patched holes into your own personal zero-day situation by not applying patches that exist! The crooks will not only be looking for you, but also the keys to the castle in advance.
Some tardy patching is down to a lack of awareness, but complexity is also an issue. If you have Windows XP Embedded running on an arcane piece of equipment that is supporting a critical process, patching it is a scary prospect.
If you are unable to patch immediately, there are other things you can do in the meantime. The clearest is turning off Remote Desktop Services if you don't need it, or at least turning on Network Level Authentication (NLA) if you do. You could also block port 3389 at the external firewall.
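As an added example (not from the article, Sophos, or Rob Graham's project), here is a small PowerShell audit script that checks a Windows host against the two host-level mitigations just described: whether Remote Desktop is enabled at all, and whether NLA is required on the RDP-Tcp listener. It assumes PowerShell 2.0 or later on Windows 7 / Server 2008 (the affected versions), an elevated prompt, and the standard Terminal Server registry locations; the optional -Harden switch only turns NLA on, it does not disable RDP or touch the firewall.

```powershell
# Added example, not part of the original article. Audits a single Windows
# host for BlueKeep (CVE-2019-0708) exposure using the mitigations the article
# recommends. Assumes PowerShell 2.0+ on Windows 7 / Server 2008 and an
# elevated prompt. Registry paths are the standard Terminal Server settings.

param(
    [switch]$Harden   # apply NLA instead of only reporting; nothing else is changed
)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = Join-Path $tsKey 'WinStations\RDP-Tcp'

# fDenyTSConnections = 1 means Remote Desktop is disabled on this host.
$rdpDisabled = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections -eq 1

# UserAuthentication = 1 means Network Level Authentication is required, so an
# unauthenticated client is rejected before it reaches the vulnerable code path.
$nlaRequired = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication).UserAuthentication -eq 1

# 6.1 = Windows 7 / Server 2008 R2, 6.0 = Vista / Server 2008, 5.x = XP / Server 2003.
# 6.2 and later (Windows 8, Server 2012, Windows 10) are not affected.
$osVersion = [System.Environment]::OSVersion.Version
$affectedOs = $osVersion -lt [Version]'6.2'

# Is anything actually listening on TCP 3389? (netstat exists on every affected version)
$listening = netstat -ano | Select-String ':3389\s' | Select-String 'LISTENING'

Write-Host ("OS version             : {0}" -f $osVersion)
Write-Host ("Affected OS family     : {0}" -f $affectedOs)
Write-Host ("Remote Desktop enabled : {0}" -f (-not $rdpDisabled))
Write-Host ("NLA required           : {0}" -f $nlaRequired)
Write-Host ("Listening on TCP 3389  : {0}" -f [bool]$listening)

if (-not $affectedOs) {
    Write-Host "Windows 8 / Server 2012 or later: not affected by CVE-2019-0708."
} elseif ($rdpDisabled) {
    Write-Host "Remote Desktop is off: the vulnerable service is not reachable."
} elseif ($nlaRequired) {
    Write-Host "NLA is on: unauthenticated exploitation is blocked, but install the patch anyway."
} else {
    Write-Host "AT RISK: RDP is reachable without NLA. Patch now, or enable NLA / disable RDP."
    if ($Harden) {
        # Require NLA on the RDP-Tcp listener. Applies to new connections; clients
        # that cannot do NLA (no CredSSP support) will no longer be able to connect.
        Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1 -Type DWord
        Write-Host "NLA has been enabled on RDP-Tcp. Re-run without -Harden to confirm."
    }
}
```

Run it as-is to get a report, or with -Harden to switch NLA on where the report says "AT RISK". Enabling NLA is a stopgap, not a replacement for the patch: it keeps unauthenticated clients away from the vulnerable pre-authentication code, but the flaw itself is still present until the Microsoft update is installed.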
Experts concur that a real-world exploit is only a matter of time, and several security vendors are now showing working code that they are not releasing. The race to patch is on.