back to article Two weeks after Microsoft warned of Windows RDP worms, a million internet-facing boxes still vulnerable

The critical Windows Remote Desktop flaw that emerged this month may have set the stage for the worst malware attack in years. The vulnerability, designated CVE-2019-0708 and dubbed BlueKeep, can be exploited by miscreants to execute malicious code and install malware on vulnerable machines without the need for any user …

  1. Filippo Silver badge

    It's worth noting, at least according to the Microsoft blog linked to by the article, that this vulnerability does not apply to Windows 8 and 10. It only applies to versions that are already out of support, or will be in less than a year.

    1. LDS Silver badge

      First, you commit the mistake to think about only desktop versions - many machines with RDP enabled are server ones. This vulnerability does impact 2008 and 2008R2 machines, and even if they're going EOL too, we all know how upgrading servers is usually more complex (and expensive) than desktops.

      For Microsoft, anyway this is a good opportunity to hasten people to upgrade, or migrate to Azure...

      1. Mandoscottie

        throw into the mix the fix for 2k3 and all the way up including XP right past 2k8.

        with them even releasing it for those dinosaurs it shows how prevalent it is and its being actively used in the wild.

        Get inside the perimeter and suddenly those old boxen with smb 1 enabled ssl1 n 2, tls 1.0... plus that and <insert a plethora of escalation priv bugs atm> or steganography into exchange get system and then use this across the prod ring as system.

        gateway to a potential 5h1tstorm, its a 512kb exe patch and 1 restart get it done already, why have a look at Baltimore (still), my dinos were patched within 24hours of the release of said patch, despite them being carbon black in lockdown mode.

        Yep its a finger in a small gaping wound, when they have more sec holes than a swiss cheese all over. Id kill them if i could but we cant quite yet, Azures what im reccomending, get them the f off my local estate of 2k12 n 16s

        1. Hans 1
          WTF?

          1 restart ? why, is RDP not userspace ? How you guyz accept this is beyond me.

    2. Claptrap314 Silver badge

      So having garbage security is now a revenue stream? Great.....

      1. Anonymous Coward
        Anonymous Coward

        “So having garbage security is now a revenue stream? Great.....”

        Relying on out-of-the-box features in a 10+ year old OS leads to requirement to upgrade or use alternative product shocker.

        At places I’ve worked, RDP open to the Internet never made it past a security review anyway. It either went through a load balancer as HTTPS to Citrix /VDI or required site-to-site/client VPN. YMMV.

        1. Anonymous Coward
          Anonymous Coward

          This May Citrix Receiver RCE...

          https://support.citrix.com/article/CTX251986

          And I don't want to know when my company last updated its VPN gateway...

    3. sanmigueelbeer Silver badge

      It only applies to versions that are already out of support, or will be in less than a year.

      And there are still a lot of machines out there that cannot be upgraded for several reasons:

      1. A critical software will only work with that version;

      2. Manufacturer "could care less" to upgrade the firmware to a model that is deemed "end of support" (translation: Pay up to upgrade to a more expensive model).

      At the end of the day, a lot of owners don't have the funds to get this issue fixed until they get hacked.

      1. Anonymous Coward
  2. LDS Silver badge

    It's not only the internet facing ones...

    Once you're inside a network - using this vuln or another - you can probably find a lot more machines with this vulnerability unpatched - and many of them will be servers, domain joined....

    1. Roland6 Silver badge

      Re: It's not only the internet facing ones...

      "Specifically, Graham said he was able to, ... find some 932,671 public-facing computers still vulnerable to CVE-2019-0708. To do this, he scanned the public internet for machines that had the Windows Remote Desktop network port (3389) open"

      Given a common practice is to use a non-standard port for Internet RDS access, I expect significantly more public facing computers are still vulnerable. One hopes that they have firewalls with port scanning detection and blocking enabled.

      I suspect any site/IP address that Shodan reports the presence of an MS service eg. Exchange, IIS (but not RDS) will odds on also have an MS RDS Server on a non-standard port.

      1. defiler

        Re: It's not only the internet facing ones...

        A thumb-up for pointing out that many RDP services are on non-standard ports, but I can assure you that I bawl the shit out of people for putting RDP straight on the internet on *any* machine, even if it runs Exchange / IIS.

        At the *very* least, put a Remote Desktop Gateway in there. Minimum.

      2. Anonymous Coward
        Anonymous Coward

        Re: It's not only the internet facing ones...

        “Given a common practice is to use a non-standard port for Internet RDS access“

        Fingerprinting services via slow scans means that the baddies know where your publicly accessible services are hiding, even if you use non-standard ports. The exception being if you use port knocking.

        They may not appear in these figures, but I guess people people will find out soon enough if they avoided this.

  3. Buzzword

    Basic security

    Why on earth are there over a million public-facing open RDP ports in the first place?

    1. Anonymous South African Coward Silver badge

      Re: Basic security

      Why on earth are there over a million public-facing open RDP ports in the first place?

      Because of various reasons.

      1. PHB decreed that it is too much of a schlepp to VPN first

      2. Techie got booted and a beancounter is running the IT show

      3. n00b IT techie thinking that a strong P455w0rd will keep them ne'er-do-wells out for good. Muhuhaha

      4. Some pissed-off IT guy somewhere did this on purpose to nuke the company's network

      5. Router does not support PPTP VPN or PPTP VPN passthrough, so they're using RDP passthrough.

      6. Some researcher did this on purpose to see if their product can migitate a bad event.

      PROTIP : The brilliant idea of changing the RDP port from default 3389 to something else DOES NOT HELP. A portscan will sniff it out and your ass will see a six-pack whoopass.

      1. This post has been deleted by its author

        1. Cowboy Bob

          Re: Basic security

          Yep, heard that many times. My favourite was when I needed to setup an outbound FTP connection from a server to pick up some files only to find out that the FTP port was blocked. The net-admin told me the FTP port was blocked by the firewall egress rules so people couldn't steal data if they got on the machine.

          Ignoring the general stupidity of that statement, port 80 was open for HTTP, so I asked him what would happen if I started up an FTP server listening on port 80 instead. His smile gradually faded as his brain processed what I just told him

          1. hmv

            Re: Basic security

            Blocking file transfers from servers isn't an especially dumb idea; I do it except for a list of exceptions. If you can't stop a server from being compromised, stopping the second stage download is quite handy (been there, got the T-shirts).

            Just running on port 80 might not be sufficient; a firewall will need to intercept the control data to open transient ports for the data channel(s) and it probably won't do it by default on tcp/80.

            And you're assuming a last generation firewall that won't look at the traffic and decide that ftp isn't allowed on non-default ports.

          2. Smartypantz

            Re: Basic security

            Please tell what do you think is the "ftp port"

      2. LDS Silver badge

        "does not support PPTP VPN or PPTP VPN passthrough"

        If you still use PPTP you have already many security issues...

        1. Hans 1
          Thumb Up

          Re: "does not support PPTP VPN or PPTP VPN passthrough"

          If you still use PPTP your opinion does not count.

          #TFTFY

      3. Roland6 Silver badge

        Re: Basic security

        PROTIP : The brilliant idea of changing the RDP port from default 3389 to something else DOES NOT HELP. A portscan will sniff it out and your ass will see a six-pack whoopass.

        Never heard of firewalls with port scan detection and blocking...

        The main advantage of using a non-standard port is to separate the grain from the chaff, also Shodan only seems to report the presence of RDP services if they are on the default port...

        1. Smartypantz

          Re: Basic security

          Exactly right!

          If original posters tip actually was a "PROTIP" (i hope not) its no surprise that the security of our profession is in such a poor state :-)

        2. Anonymous Coward
          Anonymous Coward

          Re: Basic security

          Slow scanning effectively defeats firewall port scan - if you are scanned below the threshold scan rate for the next few months and combine the results from multiple scanners, it only really defeats the people that are in a rush, pen testers or script kiddies.

          Once they find something is open, they can investigate further to try and work out the exact service and OS, maybe even the firewall and any other interesting services on related IP's/ports. Then wait for a vulnerability.

          Sure it takes time, but if you're scanning enough targets, your victim pool is significant.

      4. Anonymous South African Coward Silver badge

        Re: Basic security

        Just something to add to my list - most AWS VM instances make use of RDP. I have to assume that others (Azure etc) also have the same drawback, and that you'll have to set up RDP on your VM in order to access it remotely.

        Gonna be achy breaky heart time soon...

      5. Smartypantz

        Re: Basic security

        Regarding your "PROTIP":

        Off course it helps to run it on a non-standard port. Most exploit code is dumbass script kiddies copying and pasting the same, lame code that, as a matter of economy, does not run a full portscan + protocol detection before letting the load!

      6. Anonymous Coward
        Anonymous Coward

        Re: Basic security

        7, partly related to 3...

        An experienced IT techie, knowing nicely that it isn't the ideal way of doing things, but limited by budget or customers willingness to just go elsewhere if a simple task can't be achieved in 15 minutes. This is common in small business (who remember make up the majority of the country).

        Sure, could stand there and argue.. No, you need a VPN.. No, you need some 2FA.. No, you need a static at home to restrict traffic in-over.. I've said the latter to at least two sites over the last year "to keep things secure" and they still haven't bothered paying BT the extra fiver a month.

        These are the same sites where a "CCTV Professional" comes in and gets a Duhua rig going (famous for having cams that turn into botnets), plugs it straight into the LAN and MD gets his feed at home and on his phone. How does the IT person follow that with "you can't do that", we need X.. MD says "It works!" and that's the end of that.

        Not best practice - we know - but you can only do so much, and we've got mortgages to pay and families to feed too. You can't lose a customer, just mitigate where you can. Those in solid jobs with a team to deligate too, and a huge budget will pour scorn, but that's how it is.

    2. Rich 11 Silver badge

      Re: Basic security

      To allow remote support, I'd guess. Some will be properly protected but many won't.

    3. LDS Silver badge

      Re: Basic security

      Because sometimes there are no other choices. There could be a lot of virtual servers on "cloud" systems that may not offer VPN access, especially the cheaper services.

      Evidently such systems needs to be patched immediately when vulnerabilities like this arise - you know you take a risk and have to manage it, in this case the risk of being remotely p0wned easily should offset any other risk a patch could introduce.

  4. Anonymous Coward
    Anonymous Coward

    Hold on a minute

    Weren't we given the usual BS, er I mean FUD, er, I mean security advice, that this would be exploited within hours?

    https://nakedsecurity.sophos.com/2019/05/15/update-now-critical-remote-wormable-windows-vulnerability/

    1. Afernie

      Re: Hold on a minute

      How do you know it hasn't been?

  5. hmv

    Colour me surprised

    So what you're saying is that not everybody dropped everything and patched their vulnerable servers? Well colour me surprised.

  6. Anonymous Coward
    Anonymous Coward

    Well, duh..

    .. if 30+ years of persistent security problems from MS-DOS 3.30 upwards have not given you a hint that security is exactly not a Microsoft strength, then nothing will.

    The arguments why don't matter much, the facts do. If your business depends on Windows, consider every terminal a risk and spend accordingly on security. If you don't, you'll become another statistic.

    It's exactly all this work and elevated risk that is carefully kept out of any TCO calculation. If the calculations were indeed done for the Total cost of ownership (i.e. including labour, risk management, lost time, peripheral efforts required to shore up security, resources taken by the incessant patching etc etc etc) the picture would not look so rosy for Microsoft.

    Thankfully there is at least the golf course to bypass all that.

    1. Anonymous Coward
      Anonymous Coward

      If you believe non Windows systems are inherently secure...

      ... you are probably already p'0wned wholly and thoroughly.

      Just look at how many insecure devices around running some flavour of embedded Linux. Sure, the reason is they usually run older, unpatched libraries - which just shows there were vulns there as well - and there will be others, don't worry - or better, be worried and never believe you're secure just because you don't use Windows... I'm quite sure the Equifax server wasn't a Windows one...

      1. Anonymous Coward
        Anonymous Coward

        Re: If you believe non Windows systems are inherently secure...

        If you believe non Windows systems are inherently secure...

        ... you are probably already p'0wned wholly and thoroughly.

        No, but as we were running Windows, MacOS, Linux and a bit of FreeBSD it is not exactly hard to figure out which services and end user stations require the least effort to stay secure. It sure as hell ain't Windows.

        All platforms require attention to stay secure, but the amount of work that Windows gave us for no real return simply made no business sense, so we chucked it. Thankfully we could, but I appreciate not everyone is in that position.

        1. Glen 1

          Re: If you believe non Windows systems are inherently secure...

          "least effort to stay secure"

          What's the mac equivalent of gpo or WSUS? (Not a dig - Genuinely interested)

  7. Dave Bell

    So why Windows?

    So why do people use Windows so much?

    Part of it seems to be the difficulty of finding non-Windows apps which do the same job.

    1. Anonymous Coward
      Anonymous Coward

      Re: So why Windows?

      Either via sales to people with no competence in the matter they get to decide upon, or sunk investment on a scale that makes it difficult to shift platform.

      The former is IMHO root cause for inviting the MS infection, the latter is root cause for sticking with it, with two exceptions.

      No other platform has even come close to an answer to Outlook and Excel.

      LibreOffice is getting better, but people involved in heavier lifting of numbers in spreadsheets are more efficient on Excel and it has more power too. Fair is fair.

      As for Outlook, its ability to combine contacts, calendaring and email into something that now also integrates a few light CRM features has not been replicated in desktop software on any other platform. The only feasible alternatives have been web based which sucks if you're travelling or on a bad conection, but Outlook is probably the firmest lock-in product that Microsoft has, despite it not talking open standards such as caldav and carddav (which, unsurprisingly, prevents people from using something bettr than Exchange).

      That said, you can get both on MacOS too.

      1. DJ Smiley

        Re: So why Windows?

        "The only feasible alternatives have been web based which sucks if you're travelling or on a bad conection, but Outlook is probably the firmest lock-in product that Microsoft has,"

        Everything you've said is right, but they seem to be moving away from this with office 365, and I wonder if it'll be part of the downfall

        1. John 104

          Re: So why Windows?

          Maybe not with 365. Most people don't realize that you get thick client versions of all the 365 software (depending on your licensing model) with each subscription. Don't like the web client? Download the thick client and run it locally.

          1. Anonymous Coward
            Anonymous Coward

            Re: So why Windows?

            When you say "thick clients", were you referring to software or users?

            Just curious :).

  8. FXi

    unless you are using Sophos

    If you are using Sophos they recommend you don't patch. Of course, instead you should get someone other than Sophos and then get back to patching.

  9. Anonymous Coward
    Anonymous Coward

    They way I understand ...

    "A hacker found another longterm-hidden-backdoor"

  10. MrBoring

    I'm guessing most of these 900.000 machines are already compromised using brute force attacks which are easy on RDP. Maybe hacker Igor needs to secure his box because soon it will be taken over by hacker xiyong.

    1. Hans 1
      Windows

      Igor patches the 0wned server, local Window Cleaner and Surface Expert comes along,: "Oh, patch already installed, I am safe! Now, where have was that fileserver again? "

  11. Anonymous Coward
    Anonymous Coward

    When everyone on Windows has moved to Azure it will be much better, I bet there will be far less security fixes each month.

    Microsoft wont have to have these ancient hidden back-doors in their OS for govs anymore, they can just let them login directly to the portal and sniff about your VMs.

    1. Anonymous Coward
      Anonymous Coward

      When everyone on Windows has moved to Azure it will be much better, I bet there will be far less security fixes each month.

      Yeah, just a vast ramp up in breaches. That's the IT equivalent of digging one hole to fill another.

    2. Anonymous Coward
      Coat

      Also...

      With MS reliability... you cannot hack a computer that don't boot [because the cloud has fallen over]. ;)

  12. steviebuk Silver badge

    Why do they make it complicated

    I know I'm a bit of an idiot but why do they have to make the patching complicated. Can they please just give me a straight answer to a KB I need to search WSUS for the update.

    Clicking the links takes me to various areas with no clear indication of which KB has the patch in it.

    1. John 104

      Re: Why do they make it complicated

      What you are asking for is how they used to do it.

      It made identifying patches to apply or not apply very granular. Great for admins who care. But, this method required a lot of extra work on the MS side, so now they bundle them all up into one bucket and make you take the lot unless you are using WSUS or SCCM.

      It is very frustrating to try and find details on a single patch though. Very obfuscated for some reason.

    2. Angus Ireland
      Holmes

      straight answer to a KB

      It's right there in the link in the Reg's article: https://blogs.technet.microsoft.com/msrc/2019/05/14/prevent-a-worm-by-updating-remote-desktop-services-cve-2019-0708/

      > Out-of-support systems include Windows 2003 and Windows XP. If you are on an out-of-support version, the best way to address this vulnerability is to upgrade to the latest version of Windows. Even so, we are making fixes available for these out-of-support versions of Windows in KB4500705.

  13. Claptrap314 Silver badge

    An interesting discussion

    Suppose you are in the NSA. Specifically, the part charged with defense. You know this vulnerability (and quite a few others). You know that this bug disproportionately harms the assets of US- and friendly-based entities.

    Do you argue to create a worm to shut down this hole?

    What if you are working for a Chinese or North Korean agency? What actions would you advocate on behalf of their mission?

    Does the answer to the second question affect the answer to the first?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021