Almost 1 Million Windows Devices Still Vulnerable to Microsoft BlueKeep RDS Flaw

More than two weeks after Microsoft issued a patch for a critical, wormable flaw in Remote Desktop Services, nearly 1 million devices have yet to have the patch applied and remain vulnerable. Those devices have also not had the recommended mitigations implemented to reduce the potential for exploitation of the flaw.

The vulnerability – CVE-2019-0708 – can be exploited remotely with no user interaction required and could allow a threat actor to execute arbitrary code on a vulnerable device, view, change, or delete data, install programs, create admin accounts, and take full control of the device. It would also be possible to then move laterally and compromise other devices on the network. Microsoft has warned that the vulnerability could be exploited via RDP and could potentially be used in another WannaCry-style attack.

Microsoft released patches for the vulnerability on May 14 and, due to the seriousness of the flaw, the decision was taken to also release patches for unsupported Windows versions. The flaw affects Windows XP, Windows 7, Windows 2003, Windows Server 2008, and Windows Server 2008 R2. Patches are available for all vulnerable systems.

Microsoft also detailed mitigations that could be implemented if the patch could not be promptly applied.

  • Disable RDP from outside the organization and limit its use internally
  • Block TCP port 3389 at the firewall
  • Implement Network Level Authentication (NLA)

Due to the seriousness of the flaw, Robert Graham of Errata Security conducted a scan to determine how many devices had not yet been patched. Graham used a masscan port scanner and an additional scanning tool to scan the internet to identify systems that were still vulnerable to the BlueKeep vulnerability. 7 million systems were identified that had port 3389 open and 950,000 of those systems had not had the patch applied. All of those systems are vulnerable to attack and if a worm-like exploit is developed, every one could be compromised.

While an exploit for the vulnerability does not appear to be in use in the wild as of yet, it is only a matter of time before one is developed and used to attack vulnerable devices. Several security firms claim to have already developed a workable exploit for the vulnerability, although they have not released that exploit publicly.

Graham has predicted an exploit will be developed by a threat actor and used in real world attacks in the next couple of months, although attacks could take place much sooner. Some evidence has already been found which suggests hackers are already searching for vulnerable devices. GreyNoise Intelligence identified several dozen hosts that are being used to scan the internet for unpatched devices.

All it takes is for one device to remain vulnerable to give an attacker a foothold in the network, after which many more devices could be compromised even if they are not vulnerable to BlueKeep.

Any healthcare organization that has yet to apply the patch or implement the recommended mitigations should do so as soon as possible to prevent the vulnerability being exploited.

Opatch has also released a micropatch that can be applied to always-on servers which means they can be protected without having to reboot the servers.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.