A remote code execution vulnerability in Remote Desktop Services (CVE-2019-0708, nicknamed BlueKeep) affecting older Windows versions (Windows XP, Windows 7, Server 2003, Server 2008 and Server 2008 R2) was disclosed this month. It is triggered before authentication: an attacker connects to the machine over RDP and sends specially crafted requests through that connection, with no user interaction required.
In its first reference to the flaw, Microsoft likened it to EternalBlue, the SMB exploit that made the 2017 WannaCry and NotPetya ransomware outbreaks self-spreading (the third 2017 outbreak, Bad Rabbit, used the related EternalRomance exploit rather than EternalBlue).
Its CVSS severity rating is 9.8 out of 10, so mitigation is critical: recent internet-wide scans by Rob Graham of Errata Security found roughly 950,000 machines exposed to the public internet that are still vulnerable. If you doubt the danger of leaving this hole open, consider the effort Microsoft has put into patching it: even out-of-support operating systems such as Windows XP and Windows Server 2003 have received fixes.
Additionally, the potential impact has caused enough concern that the NSA (National Security Agency) issued an advisory urging Windows users to apply the released patches.
Security researchers have already developed exploits and released videos of their work: McAfee, for instance, opened the Windows calculator on the victim machine, while Check Point and Kaspersky demonstrated denial-of-service (DoS) attacks that trigger the infamous Windows blue screen of death.
Furthermore, the flaw is described as allowing malware to spread from one vulnerable machine to others on the network; in other words, it is wormable, like WannaCry.
Technical write-ups on how to reach the vulnerable code are already public, unauthenticated BlueKeep scanners have been released for public use, and threat actors have already been observed scanning for vulnerable Windows machines.
The consequences of leaving Windows machines vulnerable will be severe: at minimum, attackers can knock vulnerable machines offline by crashing them (a DoS that ends in a blue screen).
They could also steal a company's assets by running data-stealing malware with SYSTEM privileges, or infect a device with ransomware.
And because the bug is wormable, an attacker who compromises one machine can push the same attack to every other vulnerable node on the network.
Companies with vulnerable machines are advised to apply the relevant Microsoft patches immediately, or to disable Remote Desktop Services where they are not required.
If that is not possible, RDP should be reachable only over a VPN or from other devices on the internal network. Blocking TCP port 3389 at the perimeter firewall, or at least filtering it, is also recommended. Enabling Network Level Authentication (NLA) partially mitigates the flaw: the vulnerable code is reached before authentication, and with NLA on the server demands valid credentials before that point, so an attacker needs a working account first. NLA is a stopgap rather than a fix, because a machine is still exploitable by anyone who holds valid credentials until the patch is installed.
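As an added example (this is a script written for this page, not code from the original article or from Microsoft), the following PowerShell audits a single Windows host against the mitigations just listed and, with `-Fix`, applies the reversible ones. Everything it takes as a parameter is an assumption: the hotfix IDs must be supplied from Microsoft's advisory for CVE-2019-0708 (they are not hard-coded here), `-AllowedRdpSource` is whatever your VPN or management subnet is, and the default rule name is the English display name of the built-in Remote Desktop rule on Windows 7 / Server 2008 R2. It is written against PowerShell 2.0 so that it runs on those older systems.

```powershell
<#
 Added example, not code from the original article. Audits one host for the
 BlueKeep (CVE-2019-0708) mitigations described above and, with -Fix, applies
 the reversible ones. Run from an elevated PowerShell prompt on the host.
 Assumptions (not from the article): hotfix IDs come from Microsoft's advisory,
 AllowedRdpSource is your VPN/management range, and RdpRuleName is the English
 built-in rule name on Windows 7 / Server 2008 R2.
#>
param(
    [string[]]$HotfixIds = @(),                       # KB numbers for this OS, from the advisory
    [string]$AllowedRdpSource = '',                   # e.g. '10.10.0.0/16' (assumed VPN subnet)
    [string]$RdpRuleName = 'Remote Desktop (TCP-In)', # assumed built-in rule name (English)
    [switch]$Fix,                                     # enable NLA and scope the 3389 rule
    [switch]$DisableRdp                               # turn Remote Desktop off entirely
)

$tsRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$tsRoot\WinStations\RDP-Tcp"

# 1. OS family: 5.1 = XP, 5.2 = Server 2003, 6.0 = Vista/2008, 6.1 = 7/2008 R2.
$os = Get-WmiObject Win32_OperatingSystem
$affected = ($os.Version -match '^(5\.1|5\.2|6\.0|6\.1)\.')
Write-Host ("OS: {0} ({1}); in affected family: {2}" -f $os.Caption, $os.Version, $affected)

# 2. Is Remote Desktop switched on? fDenyTSConnections = 0 means connections are allowed.
$deny = (Get-ItemProperty -Path $tsRoot -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
$rdpEnabled = ($deny -eq 0)
Write-Host ("RDP enabled: {0}" -f $rdpEnabled)

# 3. Is one of the given hotfixes installed? (Get-HotFix reads the same data as 'wmic qfe'.)
$installed = @(Get-HotFix -ErrorAction SilentlyContinue | ForEach-Object { $_.HotFixID })
$patched = $false
foreach ($kb in $HotfixIds) { if ($installed -contains $kb) { $patched = $true } }
if ($HotfixIds.Count -eq 0) { Write-Host "Patch check skipped: pass -HotfixIds to enable it" }
else { Write-Host ("Hotfix present ({0}): {1}" -f ($HotfixIds -join ', '), $patched) }

# 4. Is NLA required? UserAuthentication = 1 makes the server demand CredSSP
#    authentication before the pre-auth code path BlueKeep abuses is reachable.
$nla = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
Write-Host ("NLA required: {0}" -f ($nla -eq 1))

if ($affected -and $rdpEnabled -and -not $patched) {
    Write-Warning "Affected OS with RDP enabled and no listed hotfix found: patch or isolate this host."
}

if ($DisableRdp) {
    # The article's first recommendation: turn RDP off where it is not needed (1 = deny).
    Set-ItemProperty -Path $tsRoot -Name fDenyTSConnections -Value 1 -Type DWord
    Write-Host "Remote Desktop disabled."
}
elseif ($Fix) {
    # Partial mitigation: require NLA. Reversible by setting the value back to 0.
    Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1 -Type DWord
    Write-Host "NLA enabled: new connections must authenticate before a session is created."

    if ($AllowedRdpSource -ne '') {
        # Scope the built-in allow rule to the VPN range instead of adding a block rule:
        # in Windows Firewall a block rule beats an allow rule, so 'block any + allow subnet'
        # would lock the subnet out too. With the profile's default inbound action left at
        # Block (the default), every other source is dropped once the allow rule is scoped.
        # netsh is used because New-NetFirewallRule does not exist on Windows 7 / 2008 R2.
        & netsh advfirewall firewall set rule name="$RdpRuleName" dir=in new remoteip="$AllowedRdpSource"
        Write-Host ("Rule '{0}' now allows TCP/3389 only from {1}" -f $RdpRuleName, $AllowedRdpSource)
    }
}
```

Run it without switches first to get an audit-only report, then add `-Fix` together with `-AllowedRdpSource` once the VPN range is known. Scoping the firewall rule by source address is a compensating control, not a replacement for the update: anyone who can reach the host from the allowed range can still exploit it until the patch is installed, and NLA only raises the bar to "needs valid credentials".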
Can Windows RDP Service Be Trusted?
Unfortunately, this is only one of several concerning vulnerabilities recently found in Windows RDP. On the same day as the NSA's BlueKeep advisory, the CERT Coordination Center at Carnegie Mellon University disclosed another flaw in Windows RDP (tracked as CVE-2019-9510) that could be used to hijack an existing RDP session and gain access to the machine behind it.
This issue affects Windows 10 1803 and Windows Server 2019 and is triggered by interrupting the network connectivity of the RDP client: when the session automatically reconnects after a brief disconnect, it is restored to an unlocked state, even if the user had locked the remote desktop before stepping away.
In practice, someone with access to the client machine could take over the remote session if connectivity dropped, or was deliberately interrupted, while the authenticated user was away from their desk with a session still open.
With several such flaws surfacing in Windows at once, machines running it are likely to be heavily targeted by cybercriminals soon.
These are also not the only two vulnerabilities affecting Windows machines: Windows XP, Windows Vista, Windows 2000, Windows 7, Windows Server 2012, Windows Server 2016, Windows 8.1, Windows RT 8.1 and Windows 10 all appear in CVE Details' list of Top 50 Products By Total Number Of "Distinct" Vulnerabilities, with Windows Server 2008 ranking highest at a total of 1268 known vulnerabilities.
If you’ve been wondering when to schedule your next penetration test - and your network includes Windows based nodes - the time is now.