Microsoft has issued a second warning to users of older Windows versions to patch, so that potential attackers cannot exploit the Remote Desktop Services (RDS) remote code execution vulnerability known as BlueKeep.
The first time, Microsoft released a security update designed to protect Windows computers with vulnerable RDS installations and to block any malware capable of exploiting the flaw, tracked as CVE-2019-0708, and spreading between unpatched machines.
Comparison with EternalBlue and WannaCry
This second time, Redmond's recommendation remains the same: "We strongly recommend that all affected systems be updated as soon as possible. It is possible that we won't see this vulnerability incorporated into malware. But that's not the way to bet."
To show how quickly a serious vulnerability can lead to very serious consequences, Simon Pope, Director of Incident Response at the Microsoft Security Response Center (MSRC), drew a parallel with the exploitation timeline of the EternalBlue vulnerability.
According to Pope, even though users had almost 60 days to patch after Microsoft issued a security update for the SMBv1 vulnerabilities, many machines remained unpatched, which led to their infection with ransomware after the Shadow Brokers publicly released the EternalBlue exploit in April 2017.
A month later, in May 2017, hundreds of thousands of exposed Windows machines were compromised with the EternalBlue exploit and subsequently infected with the WannaCry ransomware.
Finally, used the RDP protocol to make a standalone CVE-2019-0708 PoC in Python :D pic.twitter.com/wvfoOStiGk
– MalwareTech (@MalwareTechBlog) May 24, 2019
As part of the initial warning, Microsoft said that "the vulnerability is 'wormable', meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017."
Microsoft is now reminding all users of older Windows versions affected by the vulnerability, both supported versions (Windows 7, Windows Server 2008 R2 and Windows Server 2008) and unsupported versions (Windows XP and Windows 2003), to patch their systems as soon as possible.
"Microsoft is confident that an exploit exists for this vulnerability, and if recent reports are accurate, nearly one million computers connected directly to the Internet are still vulnerable to CVE-2019-0708. Many more within corporate networks may also be vulnerable," says Pope.
The download links of security patches for all vulnerable systems are available below:
The 0patch platform has also issued a fix for BlueKeep, in the form of a 22-instruction micropatch that can be used to protect always-on servers against exploitation attempts without having to restart the machines.
BlueKeep can also be partially mitigated by enabling Network Level Authentication (NLA) for Remote Desktop Services connections on vulnerable systems. Even so, attackers could still exploit the RCE if they already hold valid credentials to authenticate to a vulnerable system where RDS is enabled, so NLA is a stopgap, not a replacement for the patch.
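The following PowerShell script is an added example, not code from the article, from Microsoft or from 0patch. It audits the two registry values on the RDP-Tcp listener that decide whether a host accepts unauthenticated RDP connections (the weak setting is UserAuthentication=0, the hardened one is UserAuthentication=1 with SecurityLayer=2), reports whether the security update is installed, and can enforce NLA with -Enforce. It assumes an elevated PowerShell session on the host being audited; the KB number is a placeholder, since the article does not list the update IDs, and must be replaced with the actual update ID for the OS from the Microsoft advisory for CVE-2019-0708.

```powershell
# Added example (not from the article or Microsoft): audit and optionally enforce the
# Network Level Authentication setting that partially mitigates BlueKeep on a Windows host.
# Assumptions: elevated PowerShell session on the host itself; $PatchKB is a PLACEHOLDER that
# must be replaced with the real update ID for this OS from the CVE-2019-0708 advisory.
param(
    [switch]$Enforce,                 # set NLA and TLS if they are not already required
    [string]$PatchKB = 'KBNNNNNNN'    # PLACEHOLDER, not a real identifier
)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = Join-Path $tsKey 'WinStations\RDP-Tcp'

function Get-RegValue([string]$Path, [string]$Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# Current state. Weak configuration: UserAuthentication=0 (no NLA, pre-auth exposure) and
# SecurityLayer=0 (legacy RDP security). Hardened: UserAuthentication=1 and SecurityLayer=2 (TLS).
$rdpDenied = Get-RegValue $tsKey  'fDenyTSConnections'   # 1 = Remote Desktop disabled
$nla       = Get-RegValue $rdpKey 'UserAuthentication'   # 1 = NLA required
$secLayer  = Get-RegValue $rdpKey 'SecurityLayer'        # 0 = RDP, 1 = negotiate, 2 = TLS
$patched   = [bool](Get-HotFix -Id $PatchKB -ErrorAction SilentlyContinue)

$findings = @()
if ($rdpDenied -ne 1) {
    if ($nla -ne 1)      { $findings += 'Remote Desktop is enabled and NLA is NOT required: unauthenticated clients reach the vulnerable code.' }
    if ($secLayer -ne 2) { $findings += 'SecurityLayer is not TLS (2): the legacy RDP security layer is still allowed.' }
}
if (-not $patched) {
    # NLA only blocks unauthenticated attempts; anyone holding valid credentials still reaches the flaw.
    $findings += "Update $PatchKB not found: NLA is a stopgap, install the security update."
}

if ($Enforce -and $rdpDenied -ne 1 -and ($nla -ne 1 -or $secLayer -ne 2)) {
    # Registry route. The equivalent WMI call is:
    # (Get-WmiObject -Namespace root\cimv2\TerminalServices -Class Win32_TSGeneralSetting `
    #     -Filter "TerminalName='RDP-Tcp'").SetUserAuthenticationRequired(1)
    Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1 -Type DWord
    Set-ItemProperty -Path $rdpKey -Name SecurityLayer      -Value 2 -Type DWord
    $findings += 'Enforced UserAuthentication=1 and SecurityLayer=2 on RDP-Tcp (applies to new connections).'
}

# One record per host, easy to collect from many machines and compare.
[pscustomobject]@{
    Host            = $env:COMPUTERNAME
    RemoteDesktopOn = ($rdpDenied -ne 1)
    NlaRequired     = ($nla -eq 1)
    SecurityLayer   = $secLayer
    PatchInstalled  = $patched
    Findings        = $findings
}
```

Save it as, for instance, Audit-RdpNla.ps1 and run it once without arguments to get the report, then with -Enforce to switch the listener to NLA over TLS. Run it a second time after installing the update, with the real KB passed via -PatchKB, to confirm that PatchInstalled is true; the Findings list is what should be empty on a host that is actually fixed.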
A security update that addresses CVE-2019-0708 was released on May 14, 2019, but recent public reports indicate that nearly one million computers are still vulnerable.
Microsoft strongly recommends that all affected systems be updated as soon as possible. https://t.co/lRaCfWgivs
– Security response (@msftsecresponse) May 31, 2019
PoC exploits already available
Patching all vulnerable machines is a necessity now that more and more PoCs are emerging, as Pope says: "It has been only two weeks since the fix was released and there are still no signs of a worm. That does not mean we are out of danger."
Multiple security researchers have already created proof-of-concept exploits, although none of them has publicly released the code, choosing to show only video evidence so that malicious actors do not get their hands on easy-to-assemble PoC code for the BlueKeep flaw.
For example, researchers from Check Point and Kaspersky have developed DoS proof-of-concept code that leads to a Blue Screen of Death (BSOD), and the latter has also "developed detection strategies for exploitation attempts" that will be shared "with trusted industry partners".
In addition, Zerodium confirmed that BlueKeep can be exploited remotely without authentication, one day after Microsoft issued its patch.
Only three days later, security researcher Valthek also announced that he had created his own version of a BlueKeep PoC exploit, which was later confirmed as a working PoC by McAfee's principal lead engineer, Christiaan Beek.