Microsoft released a patch to fix a critical, wormable flaw in Remote Desktop Services over two weeks ago. Yet about 1 million devices have not applied the patch and remain at risk. Those devices have not applied the recommended mitigations either, which would lower the risk of exploitation.
The CVE-2019-0708 vulnerability can be exploited remotely over the network with no user interaction required. A threat actor could view, change, or delete information on a vulnerable device, execute arbitrary code, install programs, set up administrator accounts, and take control of the device. The attacker could then move laterally and compromise other devices connected to the network. Microsoft has warned that the vulnerability is exploitable via RDP and that a WannaCry-style attack is possible.
Microsoft introduced patches to resolve the vulnerability on May 14. Because of the severity of the flaw, Microsoft also released patches for unsupported versions of Windows, namely Windows 7, Windows XP, Windows 2003, Windows Server 2008 R2 and Windows Server 2008, which are also affected by the vulnerability.
Microsoft likewise recommended the following mitigations in case it is not possible to apply the patch promptly:
- Disable RDP from outside the company and restrict internal use
- Block TCP port 3389 at the firewall
- Enforce Network Level Authentication (NLA)
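As an added example that is not part of the original article, the following PowerShell script audits the last two mitigations on a Windows host and, with -Enforce, applies them. It assumes an elevated session on Windows 8 / Server 2012 or later (for the NetSecurity cmdlets); the registry values are the documented Terminal Server settings, and restricting the built-in Remote Desktop firewall rules to LocalSubnet is a choice made here.

```powershell
# Added example, not from the article: audit the BlueKeep mitigations on the
# local host and optionally enforce NLA and LAN-only scoping of TCP 3389.
# Assumes an elevated session on Windows 8 / Server 2012 or later (NetSecurity
# module); on Windows 7 / Server 2008 R2 the firewall step would need netsh.
param(
    [switch]$Enforce   # without -Enforce the script only reports
)

$tsKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey   = "$tsKey\WinStations\RDP-Tcp"
$rdpGroup = 'Remote Desktop'   # built-in inbound firewall rule group for TCP 3389

function Get-RdpMitigationState {
    # fDenyTSConnections = 1 means RDP connections are refused entirely.
    $deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    # UserAuthentication = 1 means Network Level Authentication is required,
    # so an unauthenticated client never reaches the pre-authentication RDP code.
    $nla  = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    # Any enabled inbound Remote Desktop rule scoped to 'Any' exposes 3389 beyond the LAN.
    $wide = Get-NetFirewallRule -DisplayGroup $rdpGroup -Direction Inbound -Enabled True -ErrorAction SilentlyContinue |
        Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any' }
    [pscustomobject]@{
        Host             = $env:COMPUTERNAME
        RdpEnabled       = ($deny -ne 1)
        NlaEnforced      = ($nla -eq 1)
        Rdp3389OpenToAny = [bool]$wide
    }
}

$before = Get-RdpMitigationState
$before | Format-List

if ($Enforce) {
    if (-not $before.NlaEnforced) {
        Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1 -Type DWord
    }
    if ($before.Rdp3389OpenToAny) {
        # Restrict the built-in RDP rules to the local subnet. Blocking 3389 from
        # the internet at the perimeter firewall is still needed on top of this.
        Get-NetFirewallRule -DisplayGroup $rdpGroup -Direction Inbound |
            Set-NetFirewallRule -RemoteAddress LocalSubnet
    }
    Get-RdpMitigationState | Format-List
}
```

Run it without -Enforce first across the fleet to find hosts where RdpEnabled is true but NlaEnforced is false or Rdp3389OpenToAny is true; those are the systems to patch or mitigate first.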
Robert Graham of Errata Security, recognizing the severity of the flaw, took steps to ascertain how many devices had not applied the patch. Using the masscan port scanner and another scanning tool, Graham scanned the internet for systems still at risk from the BlueKeep vulnerability. He discovered 7 million systems with port 3389 open, 950,000 of which had not applied the patch.
Although no exploit appears to be in use in the wild yet, one is likely to be developed soon and used against vulnerable devices. A number of security companies say they have a working exploit, but they have not released it to the public.
Graham says that a threat actor could develop an exploit and use it in real-world attacks within a few months or sooner. There is some evidence that attackers are already looking for vulnerable systems: GreyNoise Intelligence found a number of hosts scanning the internet for unpatched devices.
A single vulnerable device can give an attacker access to the network, after which many other devices could be compromised even if they are not themselves vulnerable to BlueKeep.
Healthcare companies should apply the patch or implement the proposed mitigations to prevent exploitation of the vulnerability.
0patch has also released a micropatch that can be applied to always-on servers, so they can be protected without a reboot.