After the carnage and financial damage caused by WannaCry in 2017, here we go again, and the threat's name is BlueKeep. Krebs on Security documented BlueKeep here. On May 14th, Microsoft released fixes for a critical Remote Code Execution vulnerability, CVE-2019-0708, identified and reported to Microsoft by the UK’s National Cyber Security Centre.

This vulnerability is wormable, meaning it is exploitable pre-authentication, requires no user interaction and can jump from vulnerable machine to vulnerable machine. It is inherent in the RDP (Terminal Services) protocol and only affects Windows XP, Windows 7, Server 2003, Server 2008 and Server 2008 R2. Modern operating systems are unaffected.

This vulnerability was seen as so severe that Microsoft took the uncommon step of releasing patches for unsupported operating systems.

Unlike WannaCry, this threat is seen as extremely easy to exploit. It took a leaked NSA tool to exploit the WannaCry vulnerability, whereas the fear with this one is that it will be much easier to take advantage of.

With a patch now available you can bet there are cyber adversaries out there reverse engineering the patch while I write this blog, getting ready to exploit organizations and individuals alike.

Globally, around 35% of Windows workstations run on affected operating systems.

[Figure: Desktop Windows market share worldwide, April 2019]

It’s much harder to ascertain from a server OS standpoint what the exposure size is, as most servers are not internet-facing to get these stats. If the customers I speak to on a daily basis are anything to go by, there are still many pockets of these 2003 and 2008/r2 servers around.

Many of these older servers are Citrix server-based computing environments which will all be running RDS. I was listening to my favorite cyber security podcast last week (Darknet Diaries), and the host was talking to a penetration tester who did internal pen tests. He said when he is in an environment and he finds Citrix, that becomes his primary target. It’s a hub of applications, tools and privileges. If you have one of these legacy environments, make sure it’s patched!

A Rapid7 blog post showed how the internet scanning engine BinaryEdge identified 16 million endpoints publicly reachable on ports 3389 and 3388, the ports typically reserved for RDP, with 67,338 endpoints internet-facing for RDP as of July 2017. It’s not clear what OS these exposed servers were running.

So what’s the answer? You better get patching, ASAP!

With the latest versions of MS SCCM not supporting Windows XP and Server 2003, the job is going to be more difficult. Does this mean manual patching? Not necessarily.

Ivanti Security Controls gives our customers the ability to patch both XP and Server 2003 in an automated way, with complete visibility into status. Know whether you are exposed rather than waiting on manual analysis and reports you don’t trust 100%.
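Knowing whether you are exposed starts with matching your inventory against the affected operating systems listed above and checking where RDP is actually reachable. The script below is an added example written for this post, not Ivanti code or part of any product; it triages a constructed CSV inventory (hostnames, OS strings and ports are made up) into patch-priority tiers, treating an affected OS with RDP reachable from the internet as the most urgent case. The column names and the "yes/no" exposure flag are assumptions about the inventory format.

```python
import csv
import io
import re

# Affected OS families as listed in the post (CVE-2019-0708): XP, 7, 2003, 2008, 2008 R2.
AFFECTED_OS_PATTERNS = [
    r"windows xp",
    r"windows 7\b",
    r"windows server 2003",
    r"windows server 2008( r2)?",
]

# Ports typically reserved for RDP, as cited from the Rapid7 / BinaryEdge figures.
RDP_PORTS = {3389, 3388}

# Patch-priority tiers, most urgent first.
TIER_ORDER = ["critical", "high", "medium", "not-affected"]

# Constructed sample inventory (hypothetical hosts; column layout is an assumption).
SAMPLE_INVENTORY = """hostname,os,open_ports,internet_facing
citrix-01,Windows Server 2008 R2 Standard,80;443;3389,no
fileserv-02,Windows Server 2003 Standard,445;3389,no
legacy-xp-07,Windows XP Professional,139;445,no
jump-03,Windows 7 Professional,3388,yes
web-10,Windows Server 2019 Datacenter,80;443;3389,yes
"""


def is_affected_os(os_name: str) -> bool:
    """True if the OS string matches one of the families the patch covers."""
    name = os_name.lower()
    return any(re.search(pattern, name) for pattern in AFFECTED_OS_PATTERNS)


def parse_ports(field: str) -> set:
    """Parse a ';'-separated list of listening ports into a set of ints."""
    return {int(p) for p in field.split(";") if p.strip().isdigit()}


def triage_host(os_name: str, open_ports: set, internet_facing: bool) -> str:
    """Assign a patch-priority tier for one host.

    critical: affected OS, RDP listening, reachable from the internet (wormable from outside)
    high:     affected OS, RDP listening on the internal network only
    medium:   affected OS but no RDP port listening (still patch; services can be enabled later)
    """
    if not is_affected_os(os_name):
        return "not-affected"
    rdp_listening = bool(open_ports & RDP_PORTS)
    if rdp_listening and internet_facing:
        return "critical"
    if rdp_listening:
        return "high"
    return "medium"


def triage_inventory(csv_text: str) -> list:
    """Return [(hostname, tier), ...] sorted most urgent first."""
    results = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        exposed = row["internet_facing"].strip().lower() in {"yes", "true", "1"}
        tier = triage_host(row["os"], parse_ports(row["open_ports"]), exposed)
        results.append((row["hostname"], tier))
    results.sort(key=lambda item: TIER_ORDER.index(item[1]))
    return results


if __name__ == "__main__":
    for hostname, tier in triage_inventory(SAMPLE_INVENTORY):
        print(f"{tier:13} {hostname}")
```

Hosts in the "critical" tier are the ones the internet-facing RDP statistics above describe and should be patched (or taken off the internet) first; "medium" hosts are still on affected operating systems and belong in the same patch cycle, since a later configuration change can expose them.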
