Tag Archives: Windows Server 2008

Microsoft re-issues warning to patch BlueKeep Vulnerability

=======================
Update: 30th June 2019
=======================
A Microsoft employee (Raviv Tamir, Group Program Manager, Microsoft Threat Protection) has provided an update on the global status of patching the BlueKeep vulnerability. The most recent update is from 20th June; at 83.4% coverage an increase from 72.4% on 5th June and 57% on May 30th.

Keep up the great work. Thank you.

=======================
Update: 21st June 2019
=======================
The current situation with the BlueKeep vulnerability continues to increase in scope with Windows 2000 and it’s server variants (Windows 2000 Server, Advanced Server and Datacentre Server) now confirmed as vulnerable after the Department of Homeland Security (DHS) created a working BlueKeep exploit. Given that Windows Server 2003 and XP share much of their codebase with Windows 2000; this announcement isn’t entirely surprising. Microsoft separately confirmed there are no plans to issue updates for Windows 2000.

For any business or consumer still using Windows 2000; they have much more than just this vulnerability to be concerned about given that there have been no security updates since July 2010. The advice is as always to upgrade to supported version of Windows:

Thank you.

=======================
A BlueKeep short story:
=======================
Separately; last weekend I had the opportunity to “practice what I preach” when a friend came to me with a Windows XP laptop dating back to 2008. Surprisingly it was in almost new condition and was remarkably fast to use given it’s age. It had an Intel Core Solo CPU and 2 GB of RAM.

He no longer uses it online preferring an iPad Pro instead but needs to keep it online within his home network to administer his security single CCTV camera using an application (strangely the camera isn’t administered via a web browser). He had heard about BlueKeep and wondered could I patch it for him?

The laptop was connected via Ethernet to his router. I had asked him to send me a photo of the installed programs on the computer to see what I was going to deal with. I found the system had Windows XP SP3 (but no further updates), Office 2007, Adobe Reader 10 and VLC 1.1.5.

The Windows firewall was enabled and set to default settings. I verified using Nmap that port 3389 and other commonly exploitable ports like 445 (SMB) and Telnet (23); weren’t open.

Installed almost 150 updates for Windows XP using Microsoft Update (http://update.microsoft.com) , installed SP3 for Office 2007 and a further 37 updates for it after SP3.

Next, I installed Adobe Reader 11.0.10 and VLC 3.0.7.1. I also installed the 13 updates from Microsoft for Windows XP in 2017 (resolving DoublePulsar and EternalBlue; among others) and finally the BlueKeep security update. In less than 2 hours of me just reviewing the results of update checks and some very quick update installs his system was patched and continued to work perfectly.

From past experience of manually removing malware from really old systems this laptop was far better than expected. All of the updates installed quickly and with no errors. I estimate more than 1000 CVEs were resolved by the updates I installed.

He easily committed to continue not using it for website or email access since his iPad Pro fulfills that role and is faster. He was impressed that the laptop continues to work perfectly despite the vast number of updates it received.

Finally; yes I realize I should suggest upgrading from Windows XP but he doesn’t use the system for online use; just inside his network. His router is adequately protecting his network with it’s settings and most recent firmware updates installed. Given this use case and surrounding infrastructure; I see the risk as minimal. Plus he also told the system doesn’t have important data on it; he just wanted it patched in order to keep using it uninterrupted.

A really good outcome; case closed 😊

=======================
Update: 12th June 2019
=======================
TL DR:
Install the RDP patch if you have not already done so. Use the paid-for micropatch if you can’t take a system offline to reboot it. If you can’t do either of these follow Microsoft’s or the NSA’s advice to mitigate the vulnerability.
=======================

Microsoft on the 31st of May re-iterated it’s warning to patch vulnerable systems as soon as possible.

Meanwhile; multiple proof of concepts of who to exploit the vulnerability have been developed by security researchers:

This story continues with another security researcher creating a proof of concept Metasploit exploit for this vulnerability. The exploit works on Windows XP, Windows 7, Server 2008 and Server 2008 R2. Windows Server 2003 has the RDP vulnerability but the vulnerability couldn’t be exploited.

The NSA have since issued an advisory in addition to the two notifications from Microsoft linked to above.

For systems which cannot spare the down-time needed to reboot after installing the Microsoft patch, a micropatch from 0Patch is available for their Pro version subscribers:

As a proof of concept of how long it may take to patch a system; I used a VMware snapshot taken from a test Windows XP SP3 system I used back in 2012. The installation had no updates apart from SP3. After 40 minutes; all missing patches (2008 – 2014), the updates from 2017 (resolving EternalBlue; amongst others) and this year’s RDP update were installed. Patching the RDP vulnerability took less than a minute (including the restart and start-up of the system).

I repeated the above using the Automatic Updates feature of Windows XP. I was able to full patch the system in 30 minutes.

Systems which are better maintained than this would easily take less time (even if patched manually like I did); especially if tools such as WSUS or SCCM are used where vast number of systems can be patched very quickly.

Thank you.

=======================
Original Post: 4th June
=======================
Earlier this month Microsoft issued an update to resolve a critical vulnerability in Remote Desktop Services making use of the RDP protocol, port 3389.

TL DR: If you use Windows 7, Windows Server 2008 R2, Windows Server 2008, Windows Server 2003 or Windows XP, if you have not done so already, please install this update.

Why should this vulnerability be considered important?
As Microsoft reminded us when issuing the patch; this vulnerability requires no authentication or user interaction. It has the potential to spread just like the WannaCry and NotPetya infections did in 2017. Windows 8.1 and Windows 10 (and their Server equivalents) are NOT vulnerable.

Robert Graham from Errata Security on the 28th of May issued a report of the scan results from a widespread scan of the internet. He found approximately 950,000 vulnerable systems.

How can I protect my organisation or myself from this vulnerability?
The easiest method is to install the update available from Microsoft.

For Windows Server 2003 or Windows XP and Windows Vista; the update must be manually downloaded and installed from this link below since this update was not made available by the previous automatic mechanisms these versions of Windows had namely, Microsoft Update, Automatic Updates and Windows Update.

If you cannot install this security update; you can protect from this vulnerability by following the Workarounds listed in this link. Further explanation from Microsoft is also available from this link.

Microsoft on the 30th and 31st of May re-iterated it’s warning to patch vulnerable systems as soon as possible. Meanwhile; at least proof of concepts of who to exploit the vulnerability have been developed by at least 3 security researchers.

Thank you.

Responding to Wana Decrypt0r / WanaCrypt0r Infections

As I am sure you are aware earlier this week a new variant of ransomware named WanaCrypt0r began to infect many systems worldwide using the vulnerability patched in March 2017. The infections were especially severe in the UK (hospitals were affected), Spain (banks, the ISP Telefonica and gas/electricity providers) among many others. The infections were spreading in a worm (defined) like fashion.

The ransomware uses the vulnerability exploited by the “Eternal Blue” exploit patched by Microsoft in Mach by their MS17-010 update. This exploit uses the SMBv1 (defined) protocol to enter a vulnerable system over port 445 (when that port is accessible from the internet). In some instances the CERT of Spain have observed the exploit installing the DoublePulsar malware on the already infected system. A live map of this malware’s global infections is available here. Once the malware obtains access to your system it installs the WanaCrypt0r ransomware to encrypt your files. As detailed by BleepingComputer it also terminates active databases and email servers so that it can encrypt them also.

On the 12th of May, the spread of the malware was temporarily halted by the actions of the malware researcher known as MalwareTech. They registered a website domain the malware checks if it exists while installing itself on your system. If it exists, it halts its installation and doesn’t encrypt your data (acting like a “kill switch”). I use the word temporary above since as the researcher points out all the malware authors need to do is to choose a different domain and re-release the updated malware (or worse they could use a domain generation algorithm (DGA)(defined) to make registering the websites by researchers even harder). The purpose of the malware checking if this domain was registered is to check if it is running inside a malware sandbox (defined).

How can I protect myself from this threat?
If you have not already done so, please install the MS17-010 security update (released in March 2017) on your Windows based servers and workstations. Researchers are simply saying “patch your systems” and that is what they mean. Microsoft discusses this advice in more detail in their MSRC blog post.

=======================
Note:
=======================
A full list of the versions of Windows affected by vulnerabilities patched within MS17-010 is provided at the end of this post.

If you are not sure how to update your systems, the following links below will assist if you are consumer/small business. Larger corporations should check with their IT team/system administrators install this update. If you can, please install all other remaining security updates:

Windows Vista
http://windows.microsoft.com/en-us/windows-vista/Turn-automatic-updating-on-or-off

Windows 7
http://windows.microsoft.com/en-US/windows7/products/features/windows-update

Windows 8.1
http://windows.microsoft.com/en-us/windows-8/windows-update-faq

Windows 10
http://pcsupport.about.com/od/keepingupwithupdates/f/windows-updates.htm

Microsoft have since released the MS17-010 update for all other remaining out of support Windows systems namely Windows XP, Windows Server 2003 and Windows 8.0. They are available as direct downloads from their MSRC blog post. I checked earlier today and these updates were not being offered by Windows Update and Automatic Updates for those older versions of Windows, please obtain the updates directly from their MSRC blog post.

While the “kill switch”for this malware was used (as mentioned above), it is very likely to return in the future. The steps below will better prepare you now and for the future.

I am aware Windows Vista is out of support at this time but it was supported when the MS17-010 update was released.

=======================
Update: 15th May 2017:
=======================
It is appears a new variant (Uiwix) of this threat is now circulating which does not have a kill switch. This variant does not appear to spread using a different vulnerability. Other variants are currently in-progress.

=======================
Update: 18th May 2017:
=======================
As mentioned above, newer variants of this malware are being made available. They exploit the same vulnerability as WannaCry but don’t spread in a worm like fashion.

I would suggest installing the MS17-010 as soon as possible since further ransomware is likely to capitalise on many devices (approximately 1 million still exposing the SMB protocol to the internet, with roughly 800k being Windows devices).

Moreover, the ShadowBrokers may release more exploits next month (and continue to do so on a regular basis) but this time we are unlikely to have security updates ready for them. My advice is to be prepared in June.

Thank you.
=======================

=======================
Update: 21st May 2017:
======================
The Eternals Rocks worm is now also spreading by exploiting exposed systems over SMB. The advice below to block installation of WannaCrypt should prevent infection of your systems. At this time, the worm is not carrying out malicious actions with infected devices. Instead it is setting up a C&C (C2)(defined) infrastructure and may leverage this for malicious actions in the future.

=======================
Bayer healthcare equipment was confirmed affected by WannaCry but service was restored in less than 24 hours. Other manufacturers have also issued security advisories:

Siemens

Smiths Medical

Medtronic

Johnson & Johnson

=======================
The US ICS CERT have issued an alert with recommendations for critical infrastructure devices. Affected vendors include those mentioned above and GE, Philips, Tridium, Emerson Automaton Solutions, Schneider Electric (among others).

Please note the above link for the ICS CERT advisory is https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-135-01D If this advisory is updated it will become https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-135-01E Further updates will change the final letter to F, G and so on.

=======================
ICS CERT also issued an FAQ on WannaCry which you may find useful.
=======================

Additional advice/considerations:
At this time there is no known way to decrypt your files if you have been effected by the WanaCrypt0r ransomware. If you have the option of restoring your files from a backup, please do so. Your only other option is discussed by BleepingComputer at the end of this article.

If you followed the advice earlier in the week and turned off your systems before they were infected, that was a wise precaution. However when you power them back on you will need to avoid them becoming infected before you can secure them. A French security researcher had a honeypot (defined) of theirs infected 6 times in 90 minutes.

If you can segregate your vulnerable devices (including devices within your network perimeter) so they don’t expose the following ports:

  • TCP port 445 with related protocols on UDP ports 137-138
  • TCP port 139
  • Also disable SMBv1 (it’s a deprecated protocol)
  • Please also block the Remote Desktop Protocol (RDP) port 3389 (defined) at the entry point to your corporate to prevent the spread of this malware as recommended by the US CERT.

Once you have updated your Windows devices against this vulnerability, please by all means resume normal operations but follow the advice of the US CERT and avoid having the SMB port exposed to the internet going forward as a defense in-depth measure (defined)(PDF).

Other recommendations are as follows:

  • It’s important to understand, installing the update mentioned in this post will protect your Windows systems from spreading the ransomware to other systems. If you click on a link in a suspicious email (or another source) the ransomware may still be downloaded but will only encrypt/effect your system.
  • For any critical systems, ask if they really need to be connected to the internet or not? Avoid unnecessarily connecting them.
  • Provide your staff with security awareness training (defined)(PDF). This will prevent this malware infecting your systems by means of phishing (defined) (which can still encrypt your data even if you have installed the above recommended security update, that update only blocks the spreading of the infection). According to the US CERT and HelpNetSecurity this advice isn’t confirmed but it will not reduce your protection.
  • Verify your organization can recover from a ransomware attack like this as part of your Business continuity process (BCP)(defined)(PDF).
  • If you have an incident response team, verify their standard response process against a ransomware attack like this to ensure it is fit for purpose.

Thank you.

 

=======================
Affected Windows versions:
=======================
While the MS17-010 security bulletin lists which versions of Windows are vulnerable to this ransomware, I have listed them all below (this applies to all 32 and 64 bit versions of Windows listed below):

Windows XP (with Service Pack 3)

Windows Server 2003 (with Service Pack 2)

Windows Vista (with Service Pack 2)

Windows Server 2008 (with Service Pack 2)

Windows Server 2008 (with Service Pack 2)(Server Core installation)(defined)

Windows 7 (with Service Pack 1)

Windows Server 2008 R2 (with Service Pack 1)

Windows Server 2008 R2 (with Service Pack 1)(Server Core installation)

Windows 8.0

Windows 8.1 (with 8.1 Update (April 2014))

Windows Server 2012

Windows Server 2012 (Server Core installation)

Windows Server 2012 R2

Windows Server 2012 R2 (Server Core installation)

Windows RT 8.1

Windows 10 Version 1507

Windows 10 Version 1511

Windows 10 Version 1607

Windows Server 2016

Windows Server 2016 (Server Core installation)