Note: This is a TLP WHITE intelligence update from the H-ISAC Threat Intelligence Committee (TIC).
More detailed TLP AMBER information is available for members on the secure Member Portal.
H-ISAC TIC Vulnerability Bulletin
Date: 7/24/2019 (originally issued 5/14/2019)
TLP – WHITE
Event: Update: CVE-2019-0708 Remote Desktop Services Remote Code Execution Vulnerability
- More manufacturers added to the attached appendix along with a link to their public advisory
- Added mention of availability of Immunity CANVAS exploit module.
Summary: On May 14th, 2019 Microsoft released a security advisory [1] and patches for CVE-2019-0708, the “Remote Desktop Services Remote Code Execution Vulnerability” now commonly known as “BlueKeep.” The vulnerability affects RDP services on Windows 2000, Windows XP, Server 2003, Vista, Server 2008, 7, and Server 2008 R2. It is likely that it also affects Windows CE and older operating systems. It does NOT affect Windows 8, Server 2012, or newer operating systems. It can be exploited remotely, in the default configuration, without any authentication or user interaction. We assess that this vulnerability is high risk to all H-ISAC member organizations and is very likely to have significant impact. We also expect significant secondary impact, as many members of our ecosystem of hospitals, clinics, doctors, and third-party vendors have vulnerable systems exposed to the internet.
Microsoft released patches [1] for affected operating systems, including some currently out of support [2] such as Windows XP, Server 2003, and Vista. Where a patch cannot be applied, the vulnerability can be partially mitigated by enabling the “require Network Level Authentication (NLA)” option in the RDP server configuration. Microsoft previously stated [3] that they are “confident that an exploit exists for this vulnerability” and has posted blogs [3, 4] warning customers to patch, along with the Canadian Centre for Cyber Security (CCCS) [5], UK National Cyber Security Centre (NCSC) [6, 7], US National Security Agency (NSA) [8] and US Cybersecurity and Infrastructure Security Agency (CISA) [9]. Many medical device manufacturers have also released public advisories; they are listed in the Appendix.
The only requirement for exploitability is the ability to communicate with the RDP server. Multiple individuals and groups at Zerodium, McAfee, Qihoo 360, RiskSense, Sophos, and others have privately developed working Remote Code Execution (RCE) exploits but have not made them publicly available. Immunity has an exploit module in its CANVAS product. No active exploitation has been observed in the wild at this time, but publicly available exploits exist that can cause a Denial of Service (DoS).
Most vulnerability scanning vendors [10, 11] should be able to detect the presence of the associated KBs, remotely detect the vulnerability, and report whether Network Level Authentication is required. There are also multiple dedicated tools [12, 13, 14] to detect the vulnerability, including a Metasploit module [15]. Many security vendors have partial “signatures” for detecting/preventing exploitation, but these only work when the RDP session is not using TLS, which some Proof of Concept (PoC) exploits are starting to use. Members should consult with their respective endpoint security and vulnerability scanning vendors for further information. There are multiple Internet search engines and reporting services [16, 17, 18, 19] that can help identify external RDP servers, but be aware that some ISPs block them, so they may not be comprehensive.
Assessment: There is a remotely exploitable, wormable, pre-authentication vulnerability in a very widely deployed service (initial reporting showed almost 1 million vulnerable RDP servers accessible on the Internet). The healthcare vertical makes heavy use of internet-facing RDP servers to enable various business and support functions. It is likely that significant vertical-wide disruptions will occur when the exploit is eventually made public.
Recommended Course of Action (COA):
- Consider requiring Network Level Authentication as an immediate short-term partial mitigation or disabling RDP on systems that don’t require it.
- Execute emergency patching procedure. Ensure external and internal systems are fully patched.
- Consider any network links with third parties and assess the potential impact if the third party is compromised.
- Identify external assets with RDP enabled and remediate immediately.
- Contact supply chain partners to ensure affected devices are patched.
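The following Windows PowerShell script is an added example, not part of the H-ISAC bulletin, showing how an administrator could audit a single host against the COA above: confirm whether the OS falls in the affected range (Windows 2000 through Windows 7 / Server 2008 R2, i.e. NT versions below 6.2), whether RDP is enabled, whether NLA is required, and whether the relevant patch is present, then optionally apply the partial NLA mitigation. The registry paths and the Win32_TSGeneralSetting WMI class are standard Windows locations; the $BlueKeepKbs list is a placeholder that must be filled from Microsoft's advisory [1] for the host's OS, and the -EnforceNla switch is a name chosen for this example.

```powershell
# Added example (not the bulletin's own tooling). Run in an elevated Windows PowerShell
# session on the host being audited. Get-WmiObject is used so the script also runs on
# Windows PowerShell 2.0 as shipped with Windows 7 / Server 2008 R2.
param(
    [switch]$EnforceNla   # when set, turn on "require NLA" if RDP is enabled and NLA is off
)

# PLACEHOLDER: list the KB id(s) Microsoft published for this host's OS (see reference [1]).
$BlueKeepKbs = @('KB<fill-in-from-MS-advisory>')

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$tsKey\WinStations\RDP-Tcp"

# 1. Is this OS in the affected range? Windows 2000 through 7 / Server 2008 R2 report
#    NT versions 5.0 to 6.1; Windows 8 / Server 2012 (6.2) and newer are not affected.
$os = Get-WmiObject -Class Win32_OperatingSystem
$affectedOs = [version]$os.Version -lt [version]'6.2'

# 2. Is RDP enabled? fDenyTSConnections = 1 means Remote Desktop connections are refused.
$denyTs = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
$rdpEnabled = ($denyTs -ne 1)

# 3. Is Network Level Authentication required? UserAuthentication = 1 on the RDP-Tcp listener.
$nla = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
$nlaRequired = ($nla -eq 1)

# 4. Is any of the listed KBs installed? Get-HotFix reads the installed-update (QFE) data.
$installedKbs = @(Get-HotFix -ErrorAction SilentlyContinue | Select-Object -ExpandProperty HotFixID)
$patched = @($BlueKeepKbs | Where-Object { $installedKbs -contains $_ }).Count -gt 0

$report = [pscustomobject]@{
    ComputerName = $env:COMPUTERNAME
    OsVersion    = $os.Version
    AffectedOs   = $affectedOs
    RdpEnabled   = $rdpEnabled
    NlaRequired  = $nlaRequired
    PatchFound   = $patched
    # Exposed = affected OS, RDP listening, NLA not required and no patch found.
    Exposed      = ($affectedOs -and $rdpEnabled -and -not $nlaRequired -and -not $patched)
}
$report | Format-List

if ($EnforceNla -and $affectedOs -and $rdpEnabled -and -not $nlaRequired) {
    # Partial mitigation from the bulletin: require NLA on the RDP-Tcp listener.
    # SetUserAuthenticationRequired is the supported WMI method; it applies to new sessions.
    $ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    $null = $ts.SetUserAuthenticationRequired(1)
    Write-Output 'NLA is now required for RDP-Tcp. Clients that cannot perform NLA will no longer connect.'
}
```

Run it without switches first to get the report, and with -EnforceNla only after confirming that every client population that uses the host supports NLA, since older clients will be cut off. The Win32_TSGeneralSetting class exists on Vista / Server 2008 and later; on Windows XP and Server 2003 the registry checks still work but the enforcement step does not apply. As the bulletin notes, requiring NLA is only a partial mitigation: the fix is the patch, and the report's PatchFound field is only meaningful once the placeholder KB list has been filled in.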
References and full update in the PDF below: H-ISAC Vulnerability Bulletin 072419 Update - CVE-2019-0708 Remote Desktop Services Remote Code Execution Vulnerability VB008 TLPWhite