- The flaw is described as a wormable unauthenticated remote code execution flaw in Remote Desktop Protocol (RDP) services.
- The flaw has the potential to cause destruction on the scale of the 2017 WannaCry, NotPetya, and Bad Rabbit ransomware attacks.
New research has revealed that nearly one million Windows PCs are vulnerable to the recently patched BlueKeep vulnerability. Earlier, it was believed that there were nearly 7.6 million Windows systems impacted by the flaw.
What is the BlueKeep flaw?
The BlueKeep vulnerability, tracked as CVE-2019-0708, came to light after Microsoft released security fixes and mitigation advice in its May 2019 Patch Tuesday.
The flaw is described as a wormable unauthenticated remote code execution flaw in Remote Desktop Protocol (RDP) services. It has the potential to cause destruction on the scale of the 2017 WannaCry, NotPetya, and Bad Rabbit ransomware attacks.
What does the latest report say?
A recent scanning effort by Robert Graham, head of offensive security research firm Errata Security, has revealed that there are still 950,000 Windows PCs that are vulnerable to BlueKeep attacks.
Previously, the number of vulnerable Windows systems stood at nearly 7.6 million. However, Graham rejected the earlier claim and said the figure is closer to 950,000. Graham used a tool named rdpscan to detect vulnerable systems.
During the investigation, Graham discovered that most of the seven million systems that had port 3389 exposed to the internet are not actually Windows systems, or are not running an RDP service at all.
How deadly is the flaw?
Soon after the disclosure of the flaw, threat actors started scanning the internet for Windows systems affected by the BlueKeep vulnerability. Successful exploitation allows an unauthenticated attacker to connect to the target system over RDP and send specially crafted requests. Attackers can then leverage the flaw to execute arbitrary code, install malicious programs, modify data, and create new accounts on the victim's system.
What should organizations do?
Microsoft has released patches to address the flaw in the affected versions. In addition, it has provided workarounds for systems that cannot be patched immediately. These include:
- Disabling RDP services when not required;
- Blocking port 3389 at the enterprise perimeter firewall;
- Deploying IDS/IPS rules to detect the exploit;
- Enabling Network Level Authentication.
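The PowerShell script below is an added example, not part of the article or of Microsoft's advisory. It audits three of the workarounds listed above on a single Windows host (whether RDP is enabled, whether Network Level Authentication is required, and whether the built-in "Remote Desktop" inbound firewall rule group is open) and, only when run with -Remediate, enables NLA and disables the inbound rules. It assumes a local Windows host with PowerShell 5.1 or later, run from an elevated prompt; the registry paths and the firewall rule group name are the standard ones Windows uses for the RDP-Tcp listener.

```powershell
# Added example (not from the article): audit the BlueKeep workarounds on one Windows host.
# Read-only by default; pass -Remediate to require NLA and block inbound RDP at the host firewall.
# Assumes: local Windows host, PowerShell 5.1+, elevated (Administrator) session.
param([switch]$Remediate)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

# 1. Is RDP enabled at all? fDenyTSConnections = 1 means the host refuses RDP connections.
$denyTs = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
$rdpEnabled = ($denyTs -ne 1)

# 2. Is Network Level Authentication required? UserAuthentication = 1 means NLA is on for RDP-Tcp.
$nla = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
$nlaEnabled = ($nla -eq 1)

# 3. Does the built-in "Remote Desktop" rule group currently allow inbound connections (TCP 3389)?
$rdpRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -ErrorAction SilentlyContinue
$fwOpen = @($rdpRules | Where-Object { $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' }).Count -gt 0

# Report the current posture so the result can be collected from many hosts.
[pscustomobject]@{
    ComputerName      = $env:COMPUTERNAME
    RdpEnabled        = $rdpEnabled
    NlaRequired       = $nlaEnabled
    InboundRdpAllowed = $fwOpen
} | Format-List

if ($Remediate) {
    if ($rdpEnabled -and -not $nlaEnabled) {
        # Require NLA: the client must authenticate before the RDP session layer is reached.
        Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1 -Type DWord
        Write-Output 'NLA (UserAuthentication=1) enabled on RDP-Tcp.'
    }
    if ($fwOpen) {
        # Block inbound RDP at the host firewall; this mirrors the perimeter block per host.
        Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
        Write-Output 'Inbound "Remote Desktop" firewall rules disabled.'
    }
}
```

Run it without arguments first and collect the objects centrally; a host reporting RdpEnabled and InboundRdpAllowed as True with NlaRequired False has none of the listed workarounds in place. Note that NLA is a mitigation rather than a fix: it moves the vulnerable code path behind authentication, so an attacker holding valid credentials for the host could still reach it, and the patch remains the only complete remedy.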