A million devices still vulnerable to ‘wormable’ RDP hole
BlueKeep is better known as CVE-2019-0708, a vulnerability that Microsoft announced in its May Patch Tuesday release that affects Windows Remote Desktop Services, accessible via the rdp protocol. It allows for remote code execution and is wormable, meaning that a compromised Windows machine could seek out and infect other vulnerable devices with no human interaction. Worms can spread quickly online, as we saw with the WannaCry ransomware exploit in 2017.
BlueKeep affects Windows XP, Vista, and 7 machines, but not Windows 8 or 10 boxes. The older versions make up around 35% of Windows installations, according to Statcounter. The flaw also affects Windows Server 2003 and 2008.
Security researcher Rob Graham ran a two-part scanning project to find out how many machines were vulnerable to this worrying flaw. He began by scanning the entire internet using the mass-scanning tool to find all devices responding on port 3389, the port most commonly used with RDP.
Then, he honed the results by forking a BlueKeep scanner project that ended up in the Metasploit pen testing tool last week. His fork created rdpscan, a tool designed to quickly iterate over a large set of addresses looking for Windows boxes vulnerable to BlueKeep exploits.
He did this over Tor, but says he probably wasn't the person who caused a spike in RDP scans via the anonymous onion routing service last week:
GreyNoise is observing sweeping tests for systems vulnerable to the RDP “BlueKeep” (CVE-2019-0708) vulnerability fr… twitter.com/i/web/status/1…
GreyNoise Intelligence (@GreyNoiseIO) May 25, 2019
That's far more systems vulnerable to BlueKeep than there vulnerable to the flaw that enabled WannaCry to spread around the globe in a day.
Kevin Beaumont, the security researcher who gave BlueKeep its nickname, pointed out that the number of machines exposed to the internet via RDP is just be the tip of the iceberg:
Spoiler: it will be way, way higher when you get to systems inside organisations.
Kevin Beaumont (@GossiTheDog) May 28, 2019