Nearly 1 Million Systems Affected By 'Wormable' BlueKeep Vulnerability (CVE-2019-0708)

Almost a million systems are reportedly vulnerable to BlueKeep (CVE-2019-0708), a critical vulnerability in remote desktop services. Microsoft’s Patch Tuesday for May already rolled out patches for BlueKeep, and security advisories were released to help users address the vulnerability. Other vendors have also issued their own patches for mission-critical systems and servers (e.g., ATMs) that need to be constantly run or cannot be rebooted.

The estimate was based on an internet scan of publicly accessible systems susceptible to BlueKeep. Errata Security’s Robert Graham used scanning tools to search for devices whose port 3389, which remote desktop protocol (RDP) uses by default, is exposed. After filtering the search results, Graham found around 950,000 internet-facing systems vulnerable to BlueKeep.

BlueKeep affects Windows Server 2008 and Windows 7, as well as end-of-support Windows Server 2003 and Windows XP.

[InfoSec Guide: Remote Desktop Protocol (RDP)]

BlueKeep made headlines given the significant security risk it poses. For one, exploiting BlueKeep does not require user interaction. BlueKeep is also “wormable,” which means threats exploiting this vulnerability can propagate similar to the way attackers used the EternalBlue exploit to infect systems with the notorious WannaCry and Petya/NotPetya.

For critical and high-profile vulnerabilities like BlueKeep, it is a race against time. While there have been no reports of active, in-the-wild attacks, it’s only a matter of time before attackers incorporate a BlueKeep exploit into their malware. In fact, Graham’s report came on the heels of recent news of anomalous activities that security researchers observed to be actively scanning the internet for Windows systems vulnerable to BlueKeep. Security researchers have already come up with proofs of concept and demonstrated working exploits, albeit partially.

[READ: Strengthening Network Perimeter Defenses with Next-generation Intrusion Prevention]

Opportunistic attackers and cybercriminals often use an organization’s window of exposure to a vulnerability to compromise its network and the systems connected to it. Here are some best practices that can help users and enterprises reduce their exposure to threats that may exploit BlueKeep:

  • Patch and keep the system and its applications updated (or employ virtual patching to legacy or end-of-life systems).
  • Restrict or secure the use of remote desktop services. For example, blocking port 3389 (or disabling it when not in use), can help thwart threats from initiating connections to systems behind the firewall.
  • Enable network level authentication (NLA) to prevent unauthenticated attackers from exploiting BlueKeep. This can be configured in Windows 7 and Windows Server 2008 (including the R2 version).
  • Enforce the principle of least privilege. Employing security mechanisms like encryption, lockout policies, and other permission- or role-based access controls provide additional layers of security against attacks or threats that involve compromising remote desktops.

The Trend Micro™ Deep Security™ and Vulnerability Protection solutions protect systems and users from threats targeting CVE-2019-0708 via this Deep Packet Inspection (DPI) rule:

  • 1009749 - Microsoft Windows Remote Desktop Services Remote Code Execution Vulnerability

Trend Micro™ TippingPoint® customers are protected from threats and attacks that may exploit CVE-2019-0708 via this MainlineDV filter:

  • 35296: RDP: Microsoft Remote Desktop Services Negotiation Request Without CredSSP 
HIDE

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.