Microsoft issued a patch to correct a critical, wormable flaw found in Remote Desktop Services about two weaks earlier. Yet approximately 1 million devices are still vulnerable because of not applying the patch nor the recommended mitigations to decrease the threat of exploitation.
The CVE-2019-0708 flaw could be remotely exploited with no need of user interaction. An attacker could view, alter, or erase data on a vulnerable system, execute arbitrary code, install applications, create administrator accounts, and command the device. After that, the attacker could easily move laterally and put at risk other devices connected to the network. Microsoft provided a notice regarding the exploitation of the vulnerability using RDP and the possibility of a WannaCry-style attack.
Microsoft released patches for fixing the vulnerability on May 14. But the severity of the flaw prompted Microsoft to release other patches for unsupported Windows versions, specifically Windows 7, Windows XP, Windows 2003, Windows Server 2008 R2 and Windows Server 2008, which the vulnerability also affects.
Microsoft additionally advised these mitigations for systems that cannot apply the patch quickly:
- Stop TCP port 3389 at the firewall
- Disconnect RDP from external systems and prohibit internal use
- Enforce Network Level Authentication (NLA)
Robert Graham of Errata Security who is concerned about the seriousness of the flaw, worked to know how much of the devices had not been patched. A masscan port scanner and other scanning tool were used for scanning the web to discvoer systems still at risk of the BlueKeep vulnerability. Graham found 7 million systems with open port 3389 and 950,000 of the systems were not patched.
Though a vulnerability exploit looks like not in use yet in the wild, one would possibly be developed shortly and employed to exploit vulnerable systems. a few security companies claim having a workable vulnerability exploit, however, they have not presented it publicly.
According to Graham, a threat actor can create an exploit and use it for attacks in a couple of months or sooner. Some evidence suggest that attackers are already in search of vulnerable systems like the report of GreyNoise Intelligence that some hosts are being used to scan the web for unpatched devices.
If an attacker could just access the network through one vulnerable device, it would be easy to jeopardize many other devices not vulnerable to BlueKeep.
Healthcare firms ought to implement the patch or the offered mitigations to avert exploitation of the vulnerability.
Opatch likewise released a micropatch that may be used with always-on servers and so it is not necessary to reboot for protection.