BlueKeep (CVE-2019-0708) is a vulnerability in Remote Desktop Services on older versions of Microsoft Windows. It poses a significant risk because it is reachable over the RDP protocol (TCP port 3389) before any authentication takes place. An attacker who successfully exploits this vulnerability can execute arbitrary code on the target system, and could then install programs; view, change, or delete data; or create new accounts with full user rights.

Who’s vulnerable?

A good resource for checking how many hosts are exposed is the Shodan search engine. If you aren't familiar with Shodan, it is essentially a search engine for internet-connected devices: it lets users query indexed hosts using defined search parameters, and it tags hosts with the vulnerabilities it infers from the services and versions they advertise, so it can give good insight into which vulnerabilities are present on specific hosts or ports.

With all that being said, let's use Shodan to query how many hosts on the internet are publicly exposed to the BlueKeep vulnerability (CVE-2019-0708). To be clear, these are only the publicly accessible hosts that the Shodan engine has indexed.

SHODAN CLI - Querying the number of publicly available hosts vulnerable to the BlueKeep vulnerability.

That's over 450k hosts which are potentially vulnerable to BlueKeep; the exact figure is 452,225 (top line). The country most affected appears to be China, with the US following. Bear in mind that Shodan's vulnerability tag is inferred from what the service advertises rather than from an active exploitation check, so the figure is an estimate of exposure, not a count of confirmed vulnerable systems.

Most affected cloud hosting providers (top 20):

SHODAN CLI - Querying the number of publicly available hosts vulnerable to the BlueKeep vulnerability, hosted in the cloud.

Total number of accessible RDP ports (port 3389):

There is no exact figure for the total number of vulnerable hosts globally; hosts behind the myriad of security equipment that Shodan cannot see through are still not fully accounted for. Several security research teams have published estimates of the number of hosts currently vulnerable, ranging from 500,000 all the way up to 972,000 (BitSight – Vulnerable BlueKeep Hosts).

How do these numbers compare to the current standing for MS17-010 (WannaCry/EternalBlue/DoublePulsar)? Shodan reports that only 15,745 hosts are vulnerable to MS17-010 globally.

You might be wondering why I am comparing the BlueKeep vulnerability to WannaCry, and it is a fair question. Many security researchers and businesses believe BlueKeep has the potential to have a similar impact to the WannaCry worm, provided a wormable exploit for BlueKeep is created in the near future. Because the bug is reachable before authentication, a single compromised host could scan for and infect other exposed RDP servers without any user interaction. It is alarming to consider the current number of hosts that are vulnerable to BlueKeep, especially when you take into account the devastating effects of WannaCry across the globe. The NHS, for example, lost approximately 92 million pounds dealing with the aftermath of the worm (WannaCry cyber attack cost the NHS £92m).

What operating systems are affected?

  • Windows 7.
  • Windows Server 2008.
  • Windows Server 2008 R2.
  • Out-of-support systems (Microsoft nevertheless issued patches for these):
    • Windows Server 2003.
    • Windows XP.

Windows 8, Windows 10, Windows Server 2012 and later are not affected.

What about working public exploits?

SophosLabs demonstrated a working exploit in a proof-of-concept video uploaded to the Vimeo platform, dated June 27, 2019 (seen below). The exploit code itself was not released with the video.

SophosLabs BlueKeep (CVE-2019-0708) exploit proof-of-concept from Sophos on Vimeo.

Metasploit

Rapid7 released a weaponized Metasploit exploit module for the BlueKeep Windows vulnerability (exploit/windows/rdp/cve_2019_0708_bluekeep_rce) on September 6th, 2019 – Metasploit-Bluekeep. The initial module supported only a small set of 64-bit Windows 7 and Windows Server 2008 R2 targets, required the correct target to be chosen by hand, and a failed attempt typically crashes the host with a blue screen, so it should not be run casually against systems you cannot afford to reboot. Metasploit also ships a scanner module, auxiliary/scanner/rdp/cve_2019_0708_bluekeep, intended to check whether a host is still vulnerable without crashing it; that is the safer choice for confirming patch state.

Searchsploit

What can be done to mitigate the effects of this vulnerability?

  • Install the patches released by Microsoft; they can be found here. Microsoft issued fixes even for the out-of-support Windows XP and Windows Server 2003, so there is no supported platform for which patching is not an option.
  • Enable Network Level Authentication on the RDP service. NLA is a feature of Remote Desktop Services (RDP server) and Remote Desktop Connection (RDP client) that requires the connecting user to authenticate before a session is established with the server, which means an unauthenticated attacker never reaches the part of session setup that BlueKeep abuses. On the server it corresponds to the "Allow connections only from computers running Remote Desktop with Network Level Authentication" option (registry value UserAuthentication = 1 under HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp). Treat NLA as a mitigation rather than a fix: Microsoft's advisory notes that an attacker who holds valid credentials for the host can still trigger the vulnerability after authenticating, so patching remains essential.
  • Block inbound TCP port 3389 at the perimeter firewall, and disable Remote Desktop Services on hosts that do not need it.
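The following is an added example, not code from the original post: a small RDP probe that checks whether the NLA mitigation above is actually enforced on a listener. It sends the client's X.224 Connection Request asking for standard RDP security (PROTOCOL_RDP, the mode BlueKeep is exploited through) and decodes the server's Connection Confirm according to the MS-RDPBCGR negotiation fields; a server that answers HYBRID_REQUIRED_BY_SERVER refuses unauthenticated session setup. The function names, the assessment strings and the three sample responses are assumptions of this example (the samples are constructed, not captured from real hosts). It deliberately does not reproduce the BlueKeep trigger itself: a host that accepts standard RDP security is exposed pre-auth but may already be patched, so this tells you about the mitigation, not about patch state.

```python
"""Probe an RDP listener to see whether Network Level Authentication (NLA) is enforced.

Added example for the mitigation section: asks the server for standard RDP security
and interprets the X.224 Connection Confirm (MS-RDPBCGR 2.2.1.2). This checks the
NLA mitigation only; it does not test whether the BlueKeep patch is installed.
"""
import socket
import struct

PROTOCOL_RDP = 0x00000000      # standard RDP security, no NLA
PROTOCOL_SSL = 0x00000001
PROTOCOL_HYBRID = 0x00000002   # CredSSP, i.e. NLA

TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03

FAILURE_CODES = {
    1: "SSL_REQUIRED_BY_SERVER",
    2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER",
    4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER",
    6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}
# Only these two failure codes mean the server insists on authenticating the user first.
NLA_FAILURE_CODES = {5, 6}


def build_connection_request(requested_protocols=PROTOCOL_RDP):
    """TPKT + X.224 Connection Request carrying an RDP_NEG_REQ for the given protocols."""
    x224_cr = b"\xe0" + b"\x00\x00" + b"\x00\x00" + b"\x00"      # CR code, dst-ref, src-ref, class 0
    rdp_neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested_protocols)  # TYPE_RDP_NEG_REQ
    body = x224_cr + rdp_neg_req
    tpdu = bytes([len(body)]) + body                               # LI counts the bytes after it
    return struct.pack(">BBH", 3, 0, 4 + len(tpdu)) + tpdu        # TPKT: version 3, reserved, length


def parse_connection_confirm(data):
    """Decode the server's X.224 Connection Confirm and report whether NLA is enforced."""
    if len(data) < 11 or data[0] != 0x03:
        raise ValueError("not a TPKT packet")
    if struct.unpack(">H", data[2:4])[0] != len(data):
        raise ValueError("TPKT length field does not match packet size")
    li, code = data[4], data[5]
    if code != 0xD0:
        raise ValueError("not an X.224 Connection Confirm (code 0x%02x)" % code)
    if li == 6:
        # Pre-negotiation server: no rdpNegData at all, so standard RDP security is implied.
        return {"type": "legacy", "selected_protocol": PROTOCOL_RDP, "nla_enforced": False}
    if li < 14 or len(data) < 19:
        raise ValueError("rdpNegData truncated")
    neg_type, _flags, length, value = struct.unpack("<BBHI", data[11:19])
    if length != 8:
        raise ValueError("bad rdpNegData length %d" % length)
    if neg_type == TYPE_RDP_NEG_RSP:
        return {"type": "neg_rsp", "selected_protocol": value, "nla_enforced": False}
    if neg_type == TYPE_RDP_NEG_FAILURE:
        return {
            "type": "neg_failure",
            "failure_code": value,
            "failure_name": FAILURE_CODES.get(value, "UNKNOWN_%d" % value),
            "nla_enforced": value in NLA_FAILURE_CODES,
        }
    raise ValueError("unexpected rdpNegData type 0x%02x" % neg_type)


def assess(result):
    """One-line verdict a scanner would report (wording is this example's own)."""
    if result["nla_enforced"]:
        return "NLA enforced (%s): unauthenticated clients never reach session setup" % result["failure_name"]
    if result["type"] == "neg_failure":
        return "standard RDP refused (%s) but NLA not required; still exposed pre-auth" % result["failure_name"]
    return "standard RDP security accepted: NLA not enforced, patch state unknown"


def probe(host, port=3389, timeout=5.0):
    """Live check against a host you are authorised to test; not exercised by the samples below."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connection_request())
        return parse_connection_confirm(sock.recv(1024))


# Constructed sample responses (not captured from real hosts), one per outcome.
SAMPLE_RESPONSES = {
    "nla_required": bytes.fromhex("030000130ed000001234000300080005000000"),   # NEG_FAILURE, code 5
    "rdp_accepted": bytes.fromhex("030000130ed000001234000200080000000000"),   # NEG_RSP, PROTOCOL_RDP
    "legacy_server": bytes.fromhex("0300000b06d00000123400"),                  # CC without rdpNegData
}

if __name__ == "__main__":
    for name, raw in SAMPLE_RESPONSES.items():
        print("%-14s %s" % (name, assess(parse_connection_confirm(raw))))
```

Running the script as-is only decodes the three constructed responses; call probe("host") yourself to test a real listener. Note that a "standard RDP refused" answer with SSL_REQUIRED_BY_SERVER is not a mitigation: the exploit path is the same over TLS, so only HYBRID_REQUIRED_BY_SERVER (or SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER) indicates that unauthenticated clients are kept out.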
