A million devices still vulnerable to ‘wormable’ RDP hole

An internet-wide scan has revealed almost one million devices vulnerable to BlueKeep, the Windows vulnerability that has the security community on high alert this month.

BlueKeep is better known as CVE-2019-0708, a vulnerability that Microsoft announced in its May Patch Tuesday release that affects Windows Remote Desktop Services, accessible via the RDP protocol. It allows for remote code execution and is wormable, meaning that a compromised Windows machine could seek out and infect other vulnerable devices with no human interaction. Worms can spread quickly online, as we saw with the WannaCry ransomware exploit in 2017.

BlueKeep affects Windows XP, Vista, and 7 machines, but not Windows 8 or 10 boxes. The older versions make up around 35% of Windows installations, according to Statcounter. The flaw also affects Windows Server 2003 and 2008.

Security researcher Rob Graham ran a two-part scanning project to find out how many machines were vulnerable to this worrying flaw. He began by scanning the entire internet using the mass-scanning tool to find all devices responding on port 3389, the port most commonly used with RDP.

Then, he honed the results by forking a BlueKeep scanner project that ended up in the Metasploit pen testing tool last week. His fork created rdpscan, a tool designed to quickly iterate over a large set of addresses looking for Windows boxes vulnerable to BlueKeep exploits.

He did this over Tor, but says he probably wasn’t the person who caused a spike in RDP scans via the anonymous onion routing service last week:

That’s far more systems vulnerable to BlueKeep than there vulnerable to the flaw that enabled WannaCry to spread around the globe in a day.

Kevin Beaumont, the security researcher who gave BlueKeep its nickname, pointed out that the number of machines exposed to the internet via RDP is just be the tip of the iceberg:

Microsoft has released patches for this flaw (here and here). The problem, as with the CVE-2017-0144 vulnerability that prompted WannaCry, is getting people to apply them. There was a patch available for CVE-2017-0144 two months before WannaCry appeared, but it still wreaked havoc.

So if you haven’t patched already, you’d better get on with it says Naked Security’s Paul Ducklin:

The word ‘zero-day’ understandably fills us with dread, because it refers to an exploitable hole that is already being attacked but for which no patch yet exists. So don’t turn already-patched holes back into your own personal zero-day situation by not applying patches that do exist! The crooks will not only go looking and find you, but also have the keys to the castle in advance.

Some tardy patching is down to a lack of awareness, but complexity is also an issue. If you have Windows XP Embedded running on an arcane piece of equipment that’s supporting a critical process, patching it is a scary prospect.

If you’re unable to patch immediately, there are other things you can do in the meantime. The clearest is turning off Remote Desktop Services if not needed, or at least turning on Network Level Authentication for it, if you do need it. You could also block port 3389 at the external firewall level.

Experts concur that a real-world exploit is likely a matter of time and several security vendors have now demonstrated working code that they are not releasing.

The race to patch is on.