Note: This is a TLP WHITE intelligence update from the H-ISAC Threat Intelligence Committee (TIC).
More detailed TLP AMBER information is available for members on the secure Member Portal.

 

H‐ISAC TIC Vulnerability Bulletin

Date: 6/17/2019 (originally issued 5/14/2019)

TLP – WHITE

Event: Update: CVE‐2019‐0708 Remote Desktop Services Remote Code Execution Vulnerability

 

Summary:

On May 14th, 2019 Microsoft released a security advisory1 and patches for the CVE‐2019‐0708 “Remote Desktop Services Remote Code Execution Vulnerability” now commonly known as “BlueKeep”. The vulnerability affects RDP services for Windows 2000, Windows XP, Server 2003, Vista, Server 2008, 7, and Server 2008 R2. It’s likely that it also affects Windows CE and older operating systems. It does NOT affect Windows 8, Server 2012, and newer operating systems. It can be exploited remotely, in default configuration, and without any authentication or user interaction. We assess that this vulnerability is high risk to all H‐ISAC member organizations and is very likely to have significant impact. We also expect to see significant secondary impact as many members of our ecosystem of hospitals, clinics, doctors, and third‐party vendors have vulnerable systems exposed to the internet.

Microsoft released patches1 for affected operating systems, including some currently out of support2 such as Windows XP, Server 2003, and Vista. In scenarios where a patch cannot be applied, the vulnerability can be partially mitigated by enabling the NLA (Network Level Authentication) required option in RDP server  configuration.  Microsoft  previously  stated3  they  are  “confident  that  an  exploit  exists  for  this  vulnerability” and has posted blogs3,4 warning customers to patch along with the UK National Cyber Security Centre (NCSC)5,6, US National Security Agency (NSA)7 and US Cybersecurity and Infrastructure Security Agency (CISA)8. Many medical device manufacturers have also released advisories and are listed in the Appendix.

The  only  requirement  for  exploitability  is  the  ability  to  communicate  with  the  RDP  server.  Multiple  individuals and groups at Zerodium, McAfee, Qihoo 360, and RiskSense have developed working Remote Code  Execution  (RCE)  exploits  including  a  Metasploit  module,  but  none have made  them publicly  available. The US CISA confirmed8 they “tested BlueKeep against a Windows 2000 machine and achieved remote code execution.” No active exploitation has been observed in the wild at this time, but there are publicly available exploits that can cause Denial of Service (DoS).

Most vulnerability scanning vendors9,10 should be able to detect the presence of the associated KBs and remotely detect the vulnerability and if Network Level Authentication is required or not. There are also multiple dedicated tools11,12,13 to detect the vulnerability including a Metasploit module14. Many security vendors have partial “signatures” for detecting/preventing exploitation but they only work when not using TLS which some Proof of Concept (PoC) exploits are starting to use. Members should consult with their respective endpoint security & vulnerability scanning vendors for further information. There are multiple Internet search engines and reporting services15,16,17,18 that can help to identity external RDP servers, but be aware that some ISPs block them so they may not be comprehensive.

 

Assessment:

There’s a remotely exploitable, wormable, pre‐authentication vulnerability in a very popular server (recent reporting shows almost 1 million vulnerable RDP servers accessible on the Internet). The healthcare vertical makes heavy use of internet‐facing RDP servers to enable various business and support functions. It is likely that significant vertical‐wide disruptions will occur when the exploit is eventually made public.
Recommended Course of Action (COA):

 Consider requiring Network Level Authentication as an immediate short‐term partial mitigation or disabling RDP on systems that don’t require it.
 Execute emergency patching procedure. Ensure external and internal systems are fully patched.
 Consider any network links with third‐parties and assess potential impact if the third party should be compromised.
 Identify external assets with RDP enabled and remediate immediately.
 Contact supply chain partners to ensure affected devices are patched.

 

References and full update in the PDF below:

 

H-ISAC Vulnerability Bulletin 061719 Update - CVE-2019-0708 Remote Desktop Services Remote Code Execution Vulnerability VB008 TLPWhite
Questions/Feedback:  Please contact contact@h‐isac.org