@krejac
Created June 27, 2019 14:47
When Microsoft chooses to release security updates for operating systems that are long out of support, security specialists grab a cup of coffee and start reading. BlueKeep (also known as CVE-2019-0708) is a flaw in Microsoft's Remote Desktop Services that allows an attacker to gain full control over an affected system.

The vulnerability is triggered before authentication and has the potential to run arbitrary malicious code in the "NT Authority\SYSTEM" user security context. This means that you don't need to know any credentials to exploit the flaw, and that the code you execute runs as a privileged user.

Oh, and Microsoft says that it's potentially wormable like WannaCry, meaning that someone could write code that makes this self-replicating, making it possible to spread throughout a (inter-)network without intervention.

The vulnerable systems are Windows Server 2003, Windows XP, Windows Vista, Windows 7, Windows Server 2008 and Windows Server 2008 R2. All systems can be fully compromised if exposed to an attacker. So what do we as security professionals do?

Patch all the things

  • Make sure the Windows teams check patch status in WSUS.
  • Patch remaining systems (manually if needed).
  • Disable Remote Desktop Protocol.
  • If patching isn't an option apply Network Level Authentication (NLA) on supported systems.
  • If none of the above works, cut the system off from the rest of the network (and the internet).

Verify all the things

  • Get the full external IP ranges from networking.
  • Get the internal IP ranges, preferably divided into sections such as production, staging, development and testing.

Externally

  • If possible, make arrangements for an external scan by a trusted third party.
  • Use Shodan.io: e.g. ip:"192.38.0.0/16" port:"3389".
  • Double-check your Shodan result with BinaryEdge: e.g. ip:"192.38.0.0/16" port:"3389".

Internally

Nmap or Masscan

Someone (perhaps you) should be proficient in setting up a scan with nmap or masscan to discover internally vulnerable systems. Repeat the scan regularly.
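Once the scan has run, the output still has to be turned into a worklist that tells the Windows teams which exposed hosts to chase first. The script below is an added example and is not part of the gist; it parses nmap's grepable (-oG) output for hosts with TCP 3389 open, tags each with the section its address falls in (the production/staging/development split the gist suggests), and marks hosts whose -O fingerprint matches one of the OS families the gist lists as affected. The section ranges and the embedded scan output are constructed sample data, and the OS fingerprint is only a hint: an "open" RDP port on any host is a reason to confirm patch status in WSUS, not a proof of vulnerability either way.

```python
"""Triage nmap -oG output after an internal BlueKeep exposure scan.

Added example: parses grepable output such as
    nmap -sS -p 3389 -O -oG rdp.gnmap <internal ranges>
and produces a prioritised worklist of hosts with RDP exposed.
"""
import ipaddress
import re

# OS families the gist lists as affected by CVE-2019-0708, matched against
# nmap's OS fingerprint text. A match raises priority; it does not confirm
# patch status, which must still be checked in WSUS.
AFFECTED_OS_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (r"windows xp", r"windows vista", r"windows 7\b",
              r"windows server 2003", r"windows server 2008")
]

# Hypothetical internal sections (constructed, not from the gist).
SECTIONS = {
    "production": "10.1.0.0/16",
    "staging": "10.2.0.0/16",
    "development": "10.3.0.0/16",
}

# Constructed sample of nmap grepable output; not real scan results.
SAMPLE_OG = (
    "# Nmap 7.70 scan initiated (constructed sample)\n"
    "Host: 10.1.4.20 ()\tStatus: Up\n"
    "Host: 10.1.4.20 ()\tPorts: 3389/open/tcp//ms-wbt-server///\tOS: Microsoft Windows Server 2008 R2\n"
    "Host: 10.1.4.21 ()\tPorts: 3389/closed/tcp//ms-wbt-server///\tOS: Microsoft Windows Server 2012\n"
    "Host: 10.2.9.7 ()\tPorts: 3389/open/tcp//ms-wbt-server///\tOS: Microsoft Windows 7 SP1\n"
    "Host: 10.3.1.5 ()\tPorts: 3389/open/tcp//ms-wbt-server///\tOS: Microsoft Windows 10\n"
    "Host: 10.3.1.6 ()\tPorts: 3389/filtered/tcp//ms-wbt-server///\n"
    "# Nmap done (constructed sample)\n"
)


def section_for(ip, sections):
    """Name of the first section whose CIDR contains ip, else 'unassigned'."""
    addr = ipaddress.ip_address(ip)
    for name, cidr in sections.items():
        if addr in ipaddress.ip_network(cidr):
            return name
    return "unassigned"


def parse_grepable(text):
    """Map each scanned IP to its TCP/3389 state and OS fingerprint (if any)."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        ip = fields[0].split()[1]
        entry = hosts.setdefault(ip, {"rdp_state": None, "os": ""})
        for field in fields[1:]:
            if field.startswith("Ports:"):
                # Each port spec is port/state/proto/owner/service/rpc/version/
                for port_spec in field[len("Ports:"):].strip().split(", "):
                    parts = port_spec.split("/")
                    if parts[0] == "3389" and parts[2] == "tcp":
                        entry["rdp_state"] = parts[1]
            elif field.startswith("OS:"):
                entry["os"] = field[len("OS:"):].strip()
    return hosts


def triage(text, sections=SECTIONS):
    """Return exposed-RDP findings, affected OS families first, then by section."""
    findings = []
    for ip, info in parse_grepable(text).items():
        if info["rdp_state"] != "open":
            continue  # closed/filtered: not reachable, nothing to hand over
        affected = any(p.search(info["os"]) for p in AFFECTED_OS_PATTERNS)
        findings.append({
            "ip": ip,
            "section": section_for(ip, sections),
            "os": info["os"] or "unknown",
            "verdict": "priority" if affected else "review",
        })
    findings.sort(key=lambda f: (f["verdict"] != "priority", f["section"], f["ip"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_OG):
        print(f"{f['verdict']:8} {f['section']:12} {f['ip']:15} {f['os']}")
```

Feed it the real file with `triage(open("rdp.gnmap").read())`; hosts that answer on 3389 but have no fingerprint still land on the "review" list, which is deliberate, since an unknown host with RDP exposed is exactly the kind of machine that gets missed in a large, diverse environment.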

Nessus

If you have access to a Nessus instance, do a broad scan of your internal network. I have verified that the following plugins do indeed detect unpatched systems:

The hardest part, especially in large, diverse environments, is making sure everything is handled. One compromised machine could lead to a deep infection across the IT infrastructure using other exploits. If hackers get a foot inside the door, they rarely stay in the lobby.
