BlueKeep Worm

[Asphyxia]

Uh, I mean F**K!

This vulnerability in Remote Desktop Services (aka Terminal Services) could allow an attacker to execute arbitrary code on a target system by sending specially crafted requests. Once exploited, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Anyone hear of BlueKeep? This is going to be the next large worm to hit Windows. If you are a server admin and ever use RDP (Remote Desktop Protocol) on port 3389 you should go run and check yourself RIGHT NOW.

How?
There are three main options including

• https://github.com/Ekultek/BlueKeep
• https://github.com/zerosum0x0/CVE-2019-0708
• https://github.com/robertdavidgraham/rdpscan/files/3242730/rdpscan-windows.zip (rdpscan found 900,000+ vulnerable systems)

Now keep in mind Rapid7 makes awesome software (not a sales employee, no ref-links). Anywho, the Metasploit module by zerosum0x0 (and JaGoTu, SUNET) above has been pulled to rapid7:master.

Not sure if InsightVM detects this yet but may in the near future.

BUT HOW DO I PATCH THIS?
Windows 7 and Server 2008 or download the 'monthly rollup' or the 'security only' update.
Windows XP, Vista, Server 2003, and XP Embedded here.

The wormable vulnerability does not affect Windows 10, Windows 8.1, Windows 8, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, or Windows Server 2012. Instead, it affects older OSs like Windows XP. If this reminds you of WannaCry, it’s because WannaCry was also prevalent in machines running Windows XP and other earlier versions.

Interestingly, this is the second time Microsoft has released a patch for end-of-life Windows XP versions. The only previous time was a patch for MS17-010, which prevents the EternalBlue exploit and others of that family. EternalBlue was the mechanism WannaCry used to propagate into a global attack.

To help organizations determine their exposure, RiskSense Senior Security Researcher Sean Dillon (@zerosum0x0) has worked with JaGoTu (@JaGoTu) to create a Metasploit plugin to scan for this new Microsoft vulnerability. It scans for the vulnerability, but does not exploit it, to help you determine what exposure you might have.

 

[User_75425]

That's a bit of a late news.

 

[Flare]

Thanks for letting us know!

 

[Asphyxia]

That's a bit of a late news.

Not really, the working RCE PoC (Proof-of-Concept) was just published 4 days ago.

https://twitter.com/x/status/1135866953996820480

Not sure why people complain about free security alerts but whatever.

I summarized this pretty damn well including 3 main scanners.

 

[fourwind]

To be fair, whoever is running a RDP Server via Net is quite retarded anyways. The ammount of CVEs is isane over the last couple of years.

 

[Asphyxia]

whoever is running a RDP Server via Net is quite retarded anyways

Keep in mind some people have shitty outdated PHP servers that get shelled, then an attacker can execute attacks against the RDP which may be internal into a local server for example.

So while RDP may not be publicly facing, other type of shit can happen from pivoting and "shit happens".

Be thankful you have never worked at a hospital protecting computer systems with embedded XP all over and similar such nonsense.

Can you imagine dealing with ransomware worms in a hospital setting while protecting lives by securing systems - hah?

 

[DanyB]

Thanks a lot Asphyxia!

 

[User_75425]

Not really, the working RCE PoC (Proof-of-Concept) was just published 4 days ago.

https://twitter.com/x/status/1135866953996820480

Not sure why people complain about free security alerts but whatever.

I summarized this pretty damn well including 3 main scanners.

Good sysadmins have already patched that. Bad sysadmins are just bad sysadmins. Whoever is running RDP open to whole WWW is just an idiot waiting to be screwed.

I don't complain, I appreciate giving the notice to everyone else who is still not aware, I just wanted to point out it's not something new and mostly everyone should have this patched as it is last month rollup especially when it's major vulnerability and this things are/should be patched extremely fast.

Also you could add notice, that this vulnerability is possible to exploit only on hosts not using NLA (Network Level Authentication).

Could've written that earlier, sorry about that.

Cheers,
CTH

 

[Asphyxia]

Good sysadmins have already patched that.

Have you ever stepped into a server farm for someone else or at least a data center of sorts?

You have maybe ~50 servers facing the “WWW” (external network) while you could be dealing with hundreds of internal network devices from IoT (cameras, smart locks, etc) that beacon off to China like they are already C2 infected.. through.. all levels of configured (and misconfigured) Linux, Windows. Now keep in mind not everyone wants you to have authentication turned on to their machine so you may only be able to get an outside look at some devices/servers.

While I can appreciate your expectations of system admins being high, there would not be almost 1,000,000 public (external network devices) facing the entire Internet if a “good sysadmin” was something everyone wanted to be.

Lastly, keep in mind sometimes politics get involved. For example let’s say you work in China and your boss yells pissed off, “Ching Ling, I told you I need Remote Desktop (RDP/3389) turned on to check my email on the server. That is how I want to run this damn business.”... When “No” could mean you are fired and becoming worm infected could, well maybe also mean you get fired. Also sometimes a sysadmin retires and you have just a server observer practically. The tools I mentioned could all help and instead of saying “firewall off port 3389”, I gave the simplest and most direct security fix. Patch now and obviously patch often. Which makes me also think, sometimes patches get disabled for business needs.

With your mentality though, TeamSpeak software developers suck REALLY TERRIBLY BAD for allowing executable files to be cached right to Windows startup. We are not being cocky though and understand security is not 1-2-3. Sometimes you need a security team to scan, patch, and place preventive security controls. Balancing all of this while meeting business needs of 0 downtime is a fun challenge. If you get a window of time for patching, consider yourself lucky as a leprechaun.

Also if someone is going to use RDP with net auth (which I agree with), really might as well just use an alternative form of remote administration like TeamViewer or Zoho Assist.

Microsoft has a lot of wormy stuff built right in. Let a development team that focuses 100% on secure remote administration run that?