Updated, 5/31/19, 6:50am PT: Microsoft issued a second warning about the BlueKeep vulnerability, noting that, in addition to the roughly 1 million internet-connected systems affected by the security flaw, there could be many more computers inside corporate networks that are also vulnerable to BlueKeep. Even if those systems are not exposed directly to the internet themselves, a BlueKeep-enabled worm could propagate to them from systems that are. The company once again urged everyone to update their systems with the latest patches without delay.
Original, 5/29/19, 11:10am PT:
Security expert Robert Graham revealed that almost 1 million systems could be affected by a vulnerability in the Windows Remote Desktop Protocol (RDP), given the identifier CVE-2019-0708, that could be used to create worms that automatically spread from one vulnerable computer to another.
On May 14, Microsoft wrote on its blog that the RDP flaw was a critical Remote Code Execution vulnerability that requires no user interaction to exploit. The bug is reachable before authentication in the RDP protocol, which means that it is wormable: an attacker could use it to propagate malware from computer to computer without any credentials.
Graham said that the new RDP vulnerability has the potential to be weaponized by cyber criminals and become as dangerous as the WannaCry and NotPetya malware, both of which were helped by leaked NSA tools. The researcher argued that it could become even more dangerous now that cyber crime groups have honed their skills at using this type of vulnerability for ransomware and other malicious purposes.
Graham used masscan, an Internet-scale port-scanning tool he developed himself, to look for port 3389, the port used by RDP. He found over 7 million results, but of those only about 950,000 were vulnerable to the RDP flaw Microsoft recently announced.
Vulnerable operating systems that are still supported by Microsoft include Windows 7, Windows Server 2008 R2, and Windows Server 2008. Windows XP and Windows Server 2003 are no longer officially supported by Microsoft, but the company has made a patch available for these systems anyway. It is one of the few times Microsoft has done this in the past few years; the vulnerability that allowed WannaCry to happen was another.
Microsoft noted that Windows 8 and Windows 10 machines are partially protected against any potential worms that could be created with the help of this vulnerability due to these operating systems benefiting from a new mitigation called Network Level Authentication (NLA).
This feature simply requires a user to authenticate before an RDP session is established. However, Microsoft warned that attackers with valid credentials could still abuse the vulnerability to cause damage inside computer networks, so NLA is a stopgap rather than a fix. Therefore, the company recommends that all Windows users update their systems as soon as possible.
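As an added defender's check that is not part of the article or of Microsoft's guidance, the following PowerShell script audits a Windows 7 / Server 2008-era host for the two settings the text discusses: whether Remote Desktop is reachable at all and whether NLA is required, and optionally enforces NLA. The `-Enforce` and `-PatchKb` switches are the script's own (hypothetical) parameters; the registry values it reads are the standard Terminal Server settings.

```powershell
# Added example, not from the article. Run in an elevated PowerShell session.
# -Enforce  : turn NLA on if it is off (hypothetical parameter of this script).
# -PatchKb  : KB number of the CVE-2019-0708 update for this OS, taken from the
#             Microsoft advisory; left empty here because it is not on the page.
param(
    [switch]$Enforce,
    [string]$PatchKb = ''
)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

# Kernel 6.1 = Windows 7 / Server 2008 R2, 6.0 = Vista / Server 2008,
# anything below 6 = XP / Server 2003. These are the affected families.
$os = [Environment]::OSVersion.Version
$affectedFamily = ($os.Major -lt 6) -or ($os.Major -eq 6 -and $os.Minor -le 1)

# fDenyTSConnections = 1 means Remote Desktop is disabled entirely.
$rdpDisabled = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections -eq 1

# UserAuthentication = 1 means NLA must succeed before a session is created,
# which is the mitigation the article describes.
$nlaRequired = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication).UserAuthentication -eq 1

# Patch presence is only checked when a KB id was supplied; NLA alone does not
# remove the bug, since an attacker with valid credentials can still reach it.
$patched = $null
if ($PatchKb) { $patched = [bool](Get-HotFix -Id $PatchKb -ErrorAction SilentlyContinue) }

if ($Enforce -and -not $nlaRequired -and -not $rdpDisabled) {
    Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1
    $nlaRequired = $true
    Write-Warning 'NLA enforced; existing RDP sessions are unaffected until reconnect.'
}

$report = [pscustomobject]@{
    Host           = $env:COMPUTERNAME
    OsVersion      = $os.ToString()
    AffectedFamily = $affectedFamily
    RdpDisabled    = $rdpDisabled
    NlaRequired    = $nlaRequired
    Patched        = $patched
}
$report

# Exposure remains whenever an affected OS accepts RDP without NLA and no patch
# was confirmed; that is the population Graham's scan counted.
if ($affectedFamily -and -not $rdpDisabled -and -not $nlaRequired -and -not $patched) {
    Write-Warning 'Host accepts pre-authentication RDP on an affected OS: patch now.'
}
```

Roll the report up across hosts (for example via `Invoke-Command`) to find internal machines that the update on 5/31 warns about: not internet-facing, but still reachable by a worm from a host that is.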