Tag Archives: BlueKeep

Recent Shodan Scan Reveals Increase in Risky Exposed RDP Access

With working from home being the new normal during the COVID-19 crisis, it is still important to secure Microsoft Remote Desktop Protocol (RDP) if your organisation uses it. Keep your installation of RDP updated, protect it with a strong password, strongly consider enabling Network Level Authentication (NLA), accessing it via firewall, by using a VPN, enable 2 factor authentication and restricting access to only those that use it.


Late last month the online search engine, Shodan provided details of one the online activity changes they witnessed when lockdown in many countries took effect around the world. The number of Remote Desktop Protocol (RDP)(defined) connections being exposed to the internet rose as more people sought to work from home while still accessing their companies’ systems:


Other notable findings were:

  1. Shodan’s operators also noticed that some organisations were attempting to hide the presence of exposed RDP connections by using port 3388 rather than the default well known port 3389. This provides a false sense of security since it will not stop a determined attacker from locating an exposed RDP connection.
  2. 8% of the systems with RDP ports exposed across the world were still vulnerable to the critical vulnerability known as BlueKeep (CVE-2019-0708) (patched in May 2019). Others were vulnerable to DejaBlue (CVE-2019-1181 and CVE-2019-1182)(patched along with other vulnerabilities in August 2019).
  3. Industrial Control Systems (ICS)(defined) were among the systems exposed on the internet.

How can I protect my organisation if they (or I) need to use RDP for remote access during the lockdown period?
Strongly consider increasing the strength of your RDP access password to 12 characters or more.

Keep your RDP installation up to date (please see the above links for the necessary patches to BlueKeep and DejaBlue).

Strongly consider at least one of the following safeguards (2 or more recommended):

For ICS systems only:
Managing Remote Access Best Practices (PDF)

  1. Enable network level authentication (NLA)
  2. Place a hardware or software firewall between your Remote Desktop Gateway Server and the internet. (firewall: defined)
  3. Set up RDP to use a VPN(VPN: defined)
  4. Enable 2 factor authentication (also called multi-factor authentication)(usually paid for commercial solutions).
  5. Restrict RDP to the users to only those that need it.


Thank you and stay safe.

Special thanks to Solarwinds and Pieter Arntz of Malwarebytes for their useful references which inspired this post.

Exploits of BlueKeep Vulnerability Have Begun

In early November the security researcher Kevin Beaumont detected exploitation of the BlueKeep RDP vulnerability (patched in May 2019) within his honeypot network (defined).

How serious are these attacks?
At this time the attacks are not considered serious since the exploits are not using a wormable (automatic) means of spreading.

While this is true, Beaumont and Microsoft have cautioned that more stable exploits are likely to follow. Beaumont points to a blog post that discusses why the current exploits are mostly causing crashes upon systems and how to make the exploit more stable. Beaumont has stated over 724k system remain exposed to this vulnerability.

How can I protect my organisation or myself from this vulnerability?
For workstation systems, as recommended in my previous post, please install the Microsoft update if your system is vulnerable. Beaumont and Microsoft provide recommendations specific to organisations in their respective posts to both mitigate the vulnerability and to locate vulnerable systems within your network.

Thank you.

Mitigating August’s Remote Desktop Services (RDS) Vulnerabilities

Earlier last week Microsoft released security updates for Remote Desktop Services (RDS).

If you use  Windows 7 SP1, Windows Server 2008 R2 SP1, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, and all supported versions of Windows 10, including server versions, please install the security updates for August 2019 which include fixes to these vulnerabilities: CVE-2019-1181 and CVE-2019-1182

Why should these vulnerabilities be considered important?
The following two vulnerabilities CVE-2019-1181 and CVE-2019-1182 have received a CVSS 3 base score (defined) of 9.8 and have the potential to be used by network worms to rapidly spread without the need for assistance from computer users. There is the potential for a repeat of an attack very similar to the WannaCry ransomware outbreak of May 2017.

How can I protect my organisation or myself from these vulnerabilities?
The most effective means of defence is to install the updates released by Microsoft available via Windows Update (this link provides guidance on doing so) or manually from the above links.

While the BlueKeep vulnerability has not yet been exploited, there are indications (here and here) it may be soon. These more recent vulnerabilities will likely receive similar or more interest since they are present in more versions of Windows (8.1 and 10 alongside their Server based equivalents) than BlueKeep.

If for any reason this is not possible, the mitigations listed in this Microsoft blog post will be useful. Thank you.

Microsoft re-issues warning to patch BlueKeep Vulnerability

Update: 12th November 2019
Exploitation of the BlueKeep vulnerability has recently began. Please make certain your systems are updated. More details are available in my follow up post.

Thank you.

Update: 11th September 2019
Late last week Metasploit released a public exploit for the BlueKeep vulnerability. While this is a significant development in easing its use for a more widespread audience it was deliberately created with a safeguard of “The exploit does not currently support automatic targeting; it requires the user to manually specify target details before it will attempt further exploitation”

This means that the exploit cannot propagate on a large scale upon successfully exploiting a system within a wider network. The exploit was only created with the intention of identifying the affected operating system and whether that system is likely to be vulnerable.

How can I protect my organisation or myself from this vulnerability?
The BinaryEdge team is currently detecting more than 1 million un-patched systems on the internet. As per previous advice below, please make certain your Windows based servers and client/workstation systems are up to date (download links are provided in the original post below).

Thank you.

Update: 19th August 2019
In late July the Watchbog malware incorporated a scanning module to detect the presence of the BlueKeep vulnerability. In addition, an exploit for the vulnerability was added to a high value commercial penetration (pen) testing tool.

These indications continue to keep BlueKeep in the spotlight continuing to emphasise the need to patch or mitigate it as soon as possible. Advice for scanning a corporate network for the presence of this vulnerability is available from this SANS forum thread.

Thank you.

Update: 30th June 2019
A Microsoft employee (Raviv Tamir, Group Program Manager, Microsoft Threat Protection) has provided an update on the global status of patching the BlueKeep vulnerability. The most recent update is from 20th June; at 83.4% coverage an increase from 72.4% on 5th June and 57% on May 30th.

Keep up the great work. Thank you.

Update: 21st June 2019
The current situation with the BlueKeep vulnerability continues to increase in scope with Windows 2000 and it’s server variants (Windows 2000 Server, Advanced Server and Datacentre Server) now confirmed as vulnerable after the Department of Homeland Security (DHS) created a working BlueKeep exploit. Given that Windows Server 2003 and XP share much of their codebase with Windows 2000; this announcement isn’t entirely surprising. Microsoft separately confirmed there are no plans to issue updates for Windows 2000.

For any business or consumer still using Windows 2000; they have much more than just this vulnerability to be concerned about given that there have been no security updates since July 2010. The advice is as always to upgrade to supported version of Windows:

Thank you.

A BlueKeep short story:
Separately; last weekend I had the opportunity to “practice what I preach” when a friend came to me with a Windows XP laptop dating back to 2008. Surprisingly it was in almost new condition and was remarkably fast to use given it’s age. It had an Intel Core Solo CPU and 2 GB of RAM.

He no longer uses it online preferring an iPad Pro instead but needs to keep it online within his home network to administer his security single CCTV camera using an application (strangely the camera isn’t administered via a web browser). He had heard about BlueKeep and wondered could I patch it for him?

The laptop was connected via Ethernet to his router. I had asked him to send me a photo of the installed programs on the computer to see what I was going to deal with. I found the system had Windows XP SP3 (but no further updates), Office 2007, Adobe Reader 10 and VLC 1.1.5.

The Windows firewall was enabled and set to default settings. I verified using Nmap that port 3389 and other commonly exploitable ports like 445 (SMB) and Telnet (23); weren’t open.

Installed almost 150 updates for Windows XP using Microsoft Update (http://update.microsoft.com) , installed SP3 for Office 2007 and a further 37 updates for it after SP3.

Next, I installed Adobe Reader 11.0.10 and VLC I also installed the 13 updates from Microsoft for Windows XP in 2017 (resolving DoublePulsar and EternalBlue; among others) and finally the BlueKeep security update. In less than 2 hours of me just reviewing the results of update checks and some very quick update installs his system was patched and continued to work perfectly.

From past experience of manually removing malware from really old systems this laptop was far better than expected. All of the updates installed quickly and with no errors. I estimate more than 1000 CVEs were resolved by the updates I installed.

He easily committed to continue not using it for website or email access since his iPad Pro fulfills that role and is faster. He was impressed that the laptop continues to work perfectly despite the vast number of updates it received.

Finally; yes I realize I should suggest upgrading from Windows XP but he doesn’t use the system for online use; just inside his network. His router is adequately protecting his network with it’s settings and most recent firmware updates installed. Given this use case and surrounding infrastructure; I see the risk as minimal. Plus he also told the system doesn’t have important data on it; he just wanted it patched in order to keep using it uninterrupted.

A really good outcome; case closed 😊

Update: 12th June 2019
Install the RDP patch (links below) if you have not already done so. Use the paid-for micropatch if you can’t take a system offline to reboot it. If you can’t do either of these follow Microsoft’s or the NSA’s advice to mitigate the vulnerability.

Microsoft on the 31st of May re-iterated it’s warning to patch vulnerable systems as soon as possible.

Meanwhile; multiple proof of concepts of who to exploit the vulnerability have been developed by security researchers:

This story continues with another security researcher creating a proof of concept Metasploit exploit for this vulnerability. The exploit works on Windows XP, Windows 7, Server 2008 and Server 2008 R2. Windows Server 2003 has the RDP vulnerability but the vulnerability couldn’t be exploited.

The NSA have since issued an advisory in addition to the two notifications from Microsoft linked to above.

For systems which cannot spare the down-time needed to reboot after installing the Microsoft patch, a micropatch from 0Patch is available for their Pro version subscribers:

As a proof of concept of how long it may take to patch a system; I used a VMware snapshot taken from a test Windows XP SP3 system I used back in 2012. The installation had no updates apart from SP3. After 40 minutes; all missing patches (2008 – 2014), the updates from 2017 (resolving EternalBlue; amongst others) and this year’s RDP update were installed. Patching the RDP vulnerability took less than a minute (including the restart and start-up of the system).

I repeated the above using the Automatic Updates feature of Windows XP. I was able to full patch the system in 30 minutes.

Systems which are better maintained than this would easily take less time (even if patched manually like I did); especially if tools such as WSUS or SCCM are used where vast number of systems can be patched very quickly.

Thank you.

Original Post: 4th June
Earlier this month Microsoft issued an update to resolve a critical vulnerability in Remote Desktop Services making use of the RDP protocol, port 3389.

TL DR: If you use Windows 7, Windows Server 2008 R2 or Windows Server 2008, if you have not done so already, please install this update. For Windows XP (all versions), Server 2003 (all versions) and Windows Vista; the necessary updates are available here.

Why should this vulnerability be considered important?
As Microsoft reminded us when issuing the patch; this vulnerability requires no authentication or user interaction. It has the potential to spread just like the WannaCry and NotPetya infections did in 2017. Windows 8.1 and Windows 10 (and their Server equivalents) are NOT vulnerable.

Robert Graham from Errata Security on the 28th of May issued a report of the scan results from a widespread scan of the internet. He found approximately 950,000 vulnerable systems.

How can I protect my organisation or myself from this vulnerability?
The easiest method is to install the update available from Microsoft.

For Windows Server 2003, Windows XP and Windows Vista; the update must be manually downloaded and installed from this link below since this update was not made available by the previous automatic mechanisms these versions of Windows had namely, Microsoft Update, Automatic Updates and Windows Update.

If you cannot install this security update; you can protect from this vulnerability by following the Workarounds listed in this link. Further explanation from Microsoft is also available from this link.

Microsoft on the 30th and 31st of May re-iterated it’s warning to patch vulnerable systems as soon as possible. Meanwhile; at least proof of concepts of who to exploit the vulnerability have been developed by at least 3 security researchers.

Thank you.

May 2019 Update Summary

Note to my readers:

Due to professional commitments over the last several weeks and for the next 2 weeks; updates and new content to this blog have been and will be delayed. I’ll endeavour to return to a routine manner of posting as soon as possible.

Thank you.

Earlier today Microsoft and Adobe released their monthly security updates. Microsoft resolved 79 vulnerabilities (more formally known as CVEs (defined) with Adobe addressing 87 vulnerabilities.

Adobe Acrobat and Reader: 84x priority 2 vulnerabilities (48x Critical and 36x Important severity)

Adobe Flash: 1x priority 2 vulnerability (1x Critical severity)

Adobe Media Encoder: 2x priority 3 vulnerabilities (1x Critical severity and 1x Important severity)

If you use Acrobat/Reader or Flash, please apply the necessary updates as soon as possible. Please install their remaining priority 3 update when time allows.

For Microsoft; this month’s list of Known Issues is available within their monthly summary page and applies to all currently supported operating systems. All issues however do have at least 1 workaround:

4493730   Windows Server 2008 Service Pack 2 (Servicing Stack Update)

4494440   Windows 10, version 1607, Windows Server 2016

4494441   Windows 10, version 1809, Windows Server 2019

4497936   Windows 10, version 1903

4498206   Internet Explorer Cumulative Update

4499151   Windows 8.1, Windows Server 2012 R2 (Monthly Rollup)

4499154   Windows 10

4499158   Windows Server 2012 (Security-only update)

4499164   Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1

4499165   Windows 8.1 Windows Server 2012 R2 (Security-only update)

4499167   Windows 10, version 1803

4499171   Windows Server 2012 (Monthly Rollup)

4499179   Windows 10, version 1709

4499180   Windows Server 2008 Service Pack 2 (Security-only update)

4499181  Windows 10, version 1703

US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):


A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General SoftwareSecurity Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

For this month’s Microsoft updates, I will prioritize the order of installation below:
Windows RDP: CVE-2019-0708 (also includes an update for Windows Server 2003 and Windows XP)

Scripting Engine: CVE-2019-0924 ,  CVE-2019-0927 , CVE-2019-0922 , CVE-2019-0884 , CVE-2019-0925 , CVE-2019-0937 , CVE-2019-0918 , CVE-2019-0913 , CVE-2019-0912 , CVE-2019-0911 , CVE-2019-0914 , CVE-2019-0915 , CVE-2019-0916 , CVE-2019-0917

Windows DHCP Server: CVE-2019-0725

Microsoft Word: CVE-2019-0953

Microsoft Graphics Component: CVE-2019-0903

Microsoft Edge and Internet Explorer (multiple versions of Edge and IE affected)

Windows Error Reporting: CVE-2019-0863

Microsoft Advisory for Adobe Flash Player

Microsoft Windows Servicing Stack Updates

For the Intel Microarchitectural Data Sampling (MDS) vulnerabilities, please follow the advice of Intel and Microsoft within their advisories. A more thorough list of affected vendors is available from here.

Please install the remaining updates at your earliest convenience.

As per standard best practice; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues. I have provided further details of updates available for other commonly used applications below.

Thank you.

Nvidia Graphics Drivers:
3 security vulnerabilities with the most severe having a CVSS V3 (defined) base score of 7.7 have been resolved within Nvidia’s graphics card drivers (defined) in May. These vulnerabilities affect Windows only. All 3 are local vulnerabilities rather than remote meaning that an attacker would first need to compromise your system before exploiting the Nvidia vulnerabilities to elevate their privileges. The steps to install the drivers are located here. If you use affected Nvidia graphics card, please consider updating your drivers to the most recent available.

VMWare has released the following security advisories:

Workstation Pro:

Security Advisory 1: Addresses 1x DLL hijacking vulnerability (defined)

Security Advisory 2: Addresses 4x vulnerabilities present in Workstation Pro and the products listed below. Please make certain to install Intel microcode updates as they become available for your systems as they become available in addition to these VMware updates:

VMware vCenter Server (VC)
VMware vSphere ESXi (ESXi)
VMware Fusion Pro / Fusion (Fusion)
vCloud Usage Meter (UM)
Identity Manager (vIDM)
vCenter Server (vCSA)
vSphere Data Protection (VDP)
vSphere Integrated Containers (VIC)
vRealize Automation (vRA)

If you use the above VMware products, please review the security advisories and apply the necessary updates.

Thank you.