Update: 12th November 2019
Exploitation of the BlueKeep vulnerability has recently began. Please make certain your systems are updated. More details are available in my follow up post.
Update: 11th September 2019
Late last week Metasploit released a public exploit for the BlueKeep vulnerability. While this is a significant development in easing its use for a more widespread audience it was deliberately created with a safeguard of “The exploit does not currently support automatic targeting; it requires the user to manually specify target details before it will attempt further exploitation”
This means that the exploit cannot propagate on a large scale upon successfully exploiting a system within a wider network. The exploit was only created with the intention of identifying the affected operating system and whether that system is likely to be vulnerable.
How can I protect my organisation or myself from this vulnerability?
The BinaryEdge team is currently detecting more than 1 million un-patched systems on the internet. As per previous advice below, please make certain your Windows based servers and client/workstation systems are up to date (download links are provided in the original post below).
Update: 19th August 2019
In late July the Watchbog malware incorporated a scanning module to detect the presence of the BlueKeep vulnerability. In addition, an exploit for the vulnerability was added to a high value commercial penetration (pen) testing tool.
These indications continue to keep BlueKeep in the spotlight continuing to emphasise the need to patch or mitigate it as soon as possible. Advice for scanning a corporate network for the presence of this vulnerability is available from this SANS forum thread.
Update: 30th June 2019
A Microsoft employee (Raviv Tamir, Group Program Manager, Microsoft Threat Protection) has provided an update on the global status of patching the BlueKeep vulnerability. The most recent update is from 20th June; at 83.4% coverage an increase from 72.4% on 5th June and 57% on May 30th.
Keep up the great work. Thank you.
Update: 21st June 2019
The current situation with the BlueKeep vulnerability continues to increase in scope with Windows 2000 and it’s server variants (Windows 2000 Server, Advanced Server and Datacentre Server) now confirmed as vulnerable after the Department of Homeland Security (DHS) created a working BlueKeep exploit. Given that Windows Server 2003 and XP share much of their codebase with Windows 2000; this announcement isn’t entirely surprising. Microsoft separately confirmed there are no plans to issue updates for Windows 2000.
For any business or consumer still using Windows 2000; they have much more than just this vulnerability to be concerned about given that there have been no security updates since July 2010. The advice is as always to upgrade to supported version of Windows:
A BlueKeep short story:
Separately; last weekend I had the opportunity to “practice what I preach” when a friend came to me with a Windows XP laptop dating back to 2008. Surprisingly it was in almost new condition and was remarkably fast to use given it’s age. It had an Intel Core Solo CPU and 2 GB of RAM.
He no longer uses it online preferring an iPad Pro instead but needs to keep it online within his home network to administer his security single CCTV camera using an application (strangely the camera isn’t administered via a web browser). He had heard about BlueKeep and wondered could I patch it for him?
The laptop was connected via Ethernet to his router. I had asked him to send me a photo of the installed programs on the computer to see what I was going to deal with. I found the system had Windows XP SP3 (but no further updates), Office 2007, Adobe Reader 10 and VLC 1.1.5.
The Windows firewall was enabled and set to default settings. I verified using Nmap that port 3389 and other commonly exploitable ports like 445 (SMB) and Telnet (23); weren’t open.
Installed almost 150 updates for Windows XP using Microsoft Update (http://update.microsoft.com) , installed SP3 for Office 2007 and a further 37 updates for it after SP3.
Next, I installed Adobe Reader 11.0.10 and VLC 184.108.40.206. I also installed the 13 updates from Microsoft for Windows XP in 2017 (resolving DoublePulsar and EternalBlue; among others) and finally the BlueKeep security update. In less than 2 hours of me just reviewing the results of update checks and some very quick update installs his system was patched and continued to work perfectly.
From past experience of manually removing malware from really old systems this laptop was far better than expected. All of the updates installed quickly and with no errors. I estimate more than 1000 CVEs were resolved by the updates I installed.
He easily committed to continue not using it for website or email access since his iPad Pro fulfills that role and is faster. He was impressed that the laptop continues to work perfectly despite the vast number of updates it received.
Finally; yes I realize I should suggest upgrading from Windows XP but he doesn’t use the system for online use; just inside his network. His router is adequately protecting his network with it’s settings and most recent firmware updates installed. Given this use case and surrounding infrastructure; I see the risk as minimal. Plus he also told the system doesn’t have important data on it; he just wanted it patched in order to keep using it uninterrupted.
A really good outcome; case closed 😊
Update: 12th June 2019
Install the RDP patch (links below) if you have not already done so. Use the paid-for micropatch if you can’t take a system offline to reboot it. If you can’t do either of these follow Microsoft’s or the NSA’s advice to mitigate the vulnerability.
Microsoft on the 31st of May re-iterated it’s warning to patch vulnerable systems as soon as possible.
Meanwhile; multiple proof of concepts of who to exploit the vulnerability have been developed by security researchers:
This story continues with another security researcher creating a proof of concept Metasploit exploit for this vulnerability. The exploit works on Windows XP, Windows 7, Server 2008 and Server 2008 R2. Windows Server 2003 has the RDP vulnerability but the vulnerability couldn’t be exploited.
The NSA have since issued an advisory in addition to the two notifications from Microsoft linked to above.
For systems which cannot spare the down-time needed to reboot after installing the Microsoft patch, a micropatch from 0Patch is available for their Pro version subscribers:
As a proof of concept of how long it may take to patch a system; I used a VMware snapshot taken from a test Windows XP SP3 system I used back in 2012. The installation had no updates apart from SP3. After 40 minutes; all missing patches (2008 – 2014), the updates from 2017 (resolving EternalBlue; amongst others) and this year’s RDP update were installed. Patching the RDP vulnerability took less than a minute (including the restart and start-up of the system).
I repeated the above using the Automatic Updates feature of Windows XP. I was able to full patch the system in 30 minutes.
Systems which are better maintained than this would easily take less time (even if patched manually like I did); especially if tools such as WSUS or SCCM are used where vast number of systems can be patched very quickly.
Original Post: 4th June
Earlier this month Microsoft issued an update to resolve a critical vulnerability in Remote Desktop Services making use of the RDP protocol, port 3389.
TL DR: If you use Windows 7, Windows Server 2008 R2 or Windows Server 2008, if you have not done so already, please install this update. For Windows XP (all versions), Server 2003 (all versions) and Windows Vista; the necessary updates are available here.
Why should this vulnerability be considered important?
As Microsoft reminded us when issuing the patch; this vulnerability requires no authentication or user interaction. It has the potential to spread just like the WannaCry and NotPetya infections did in 2017. Windows 8.1 and Windows 10 (and their Server equivalents) are NOT vulnerable.
Robert Graham from Errata Security on the 28th of May issued a report of the scan results from a widespread scan of the internet. He found approximately 950,000 vulnerable systems.
How can I protect my organisation or myself from this vulnerability?
The easiest method is to install the update available from Microsoft.
For Windows Server 2003, Windows XP and Windows Vista; the update must be manually downloaded and installed from this link below since this update was not made available by the previous automatic mechanisms these versions of Windows had namely, Microsoft Update, Automatic Updates and Windows Update.
If you cannot install this security update; you can protect from this vulnerability by following the Workarounds listed in this link. Further explanation from Microsoft is also available from this link.
Microsoft on the 30th and 31st of May re-iterated it’s warning to patch vulnerable systems as soon as possible. Meanwhile; at least proof of concepts of who to exploit the vulnerability have been developed by at least 3 security researchers.