Exploits (may) be coming

Nearly a million Windows machines are vulnerable to the recently patched BlueKeep vulnerability in Remote Desktop Services (RDS), according to results of an internet-wide scan.

Rob Graham of Errata Security discovered that a total of 950,000 machines vulnerable to BlueKeep (CVE-2019-0708) are exposed to the public internet.

Some of these machines might be honeypots, but it’s unlikely that anything more than a small number of systems will fall into this category, Graham reasons.

The exercise made no attempt to estimate the much higher number of unpatched Windows machines that have no publicly accessible internet services and are therefore far less at risk.

Microsoft took the highly unusual step of warning that the security bug in RDS could lend itself to exploitation by a WannaCry-style worm, at the same time as it patched the flaw earlier this month.

Ever since, the infosec world has been rife with speculation about how far along hackers are in developing a workable exploit, as well as about the extent of the potential problems.

Fortunately, no working exploit has yet surfaced.

“There is limited scanning for BlueKeep vulnerability,” UK infosec practitioner Kevin Beaumont noted. “[But] there is no public remote code execution PoC.”

“There’s a couple of public blue screen proof of concepts for this now. Haven't seen any used in wild yet. They do not allow code execution,” he added.

Trend Micro has put together an in-depth technical analysis of CVE-2019-0708.

Risk scoping

Graham sought to answer the question of how much damage might follow the creation of a worm that exploited BlueKeep – in other words, what’s the size of the potential problem?

In a blog post, Graham explains that he started his research exercise by using Masscan, an internet-scale port scanner he previously developed, to look for port 3389 (the port used by RDS) and draw up a list of devices running Remote Desktop that were accessible on the public internet.

This scan returned over seven million results.

Stage two of the process involved optimizing a third-party Remote Desktop patch-testing tool into a utility called rdpscan, which sysadmins can also use to scan their own networks (the software has been uploaded to GitHub).
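The first stage above only tells you that port 3389 is open. The added example below (our own code, not Graham's Masscan or rdpscan, and not a test for CVE-2019-0708 itself) confirms that an open port is actually an RDP endpoint and reports which security protocol it negotiates, by sending the standard X.224 Connection Request with an RDP_NEG_REQ and parsing the Connection Confirm, as defined in MS-RDPBCGR. It is useful for an administrator inventorying their own exposed hosts before prioritizing patches; the hostnames and response bytes in the test are constructed.

```python
import socket
import struct

# Security protocol identifiers and negotiation failure codes from MS-RDPBCGR.
PROTOCOLS = {0: "standard RDP security", 1: "TLS", 2: "CredSSP (NLA)", 8: "RDSTLS"}
FAILURES = {1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER",
            3: "SSL_CERT_NOT_ON_SERVER", 4: "INCONSISTENT_FLAGS",
            5: "HYBRID_REQUIRED_BY_SERVER", 6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER"}


def build_connection_request(requested=0x0B):
    """TPKT + X.224 Connection Request + RDP_NEG_REQ offering RDP, TLS, NLA and RDSTLS."""
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested)      # type, flags, length, protocols
    x224 = struct.pack(">BBHHB", 6 + len(neg_req), 0xE0, 0, 0, 0)  # LI, CR code, dst-ref, src-ref, class 0
    body = x224 + neg_req
    return struct.pack(">BBH", 3, 0, 4 + len(body)) + body         # TPKT: version 3, reserved, total length


def parse_connection_confirm(data):
    """Return (is_rdp, detail) for the bytes a server sent back to the request."""
    if len(data) < 11 or data[0] != 3 or data[5] != 0xD0:         # TPKT v3 and X.224 CC code 0xD0
        return False, "not an RDP connection confirm"
    if len(data) < 19:                                            # CC without any RDP_NEG_* payload
        return True, "RDP service, no negotiation response (legacy server)"
    kind, _flags, _length, value = struct.unpack_from("<BBHI", data, 11)
    if kind == 0x02:                                              # RDP_NEG_RSP: selected protocol
        return True, "RDP service, selected " + PROTOCOLS.get(value, hex(value))
    if kind == 0x03:                                              # RDP_NEG_FAILURE: failure code
        return True, "RDP service, negotiation failed: " + FAILURES.get(value, hex(value))
    return True, "RDP service, unknown negotiation type %#x" % kind


def probe(host, port=3389, timeout=3.0):
    """Connect to one host you are authorized to audit and classify its RDP endpoint."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connection_request())
        return parse_connection_confirm(sock.recv(1024))


if __name__ == "__main__":
    # Constructed response a server with NLA enforced would send to a request offering only RDP/TLS.
    sample = bytes.fromhex("030000130ed0000012340003000800" "05000000")
    print(parse_connection_confirm(sample))
```

A host that reports "standard RDP security" or "no negotiation response" is reachable without NLA and belongs at the top of the patch list, since the pre-authentication path is exactly what BlueKeep targets.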

“The upshot is that these tests confirm that roughly 950,000 machines are on the public internet that are vulnerable to this bug,” Graham concludes.

“Hackers are likely to figure out a robust exploit in the next month or two and cause havoc with these machines.”

Enterprises should apply Microsoft’s patches, including those for old Windows XP, Windows Vista, and Windows 7 desktops and servers, and, more importantly, audit their networks to make sure that if a worm did infect a host, any spread would be contained.

This latter network spreading threat was exposed by the infamous NotPetya worm, which hit in June 2017 and spread like wildfire across the systems of shipping giant Maersk and many others, rendering computers unusable and interrupting business as a result.