7-24-19 H‐ISAC TIC Vulnerability Bulletin Update CVE‐2019‐0708

Note: This is a TLP WHITE intelligence update from the H-ISAC Threat Intelligence Committee (TIC).
More detailed TLP AMBER information is available for members on the secure Member Portal.

H-ISAC TIC Vulnerability Bulletin

Date: 7/24/2019 (originally issued 5/14/2019)

TLP – WHITE

Event:  Update: CVE-2019-0708 Remote Desktop Services Remote Code Execution Vulnerability

Update Notes:

1. More manufacturers added to the attached appendix along with a link to their public advisory
2. Added mention of availability of Immunity CANVAS exploit module.

Summary:  On May 14^th, 2019 Microsoft released a security advisory¹ and patches for the CVE-2019-0708 “Remote Desktop Services Remote Code Execution Vulnerability” now commonly known as “BlueKeep.” The vulnerability affects RDP services for Windows 2000, Windows XP, Server 2003, Vista, Server 2008, 7, and Server 2008 R2. It’s likely that it also affects Windows CE and older operating systems. It does NOT affect Windows 8, Server 2012, and newer operating systems. It can be exploited remotely, in default configuration, and without any authentication or user interaction. We assess that this vulnerability is high risk to all H-ISAC member organizations and is very likely to have significant impact. We also expect to see significant secondary impact as many members of our ecosystem of hospitals, clinics, doctors, and third-party vendors have vulnerable systems exposed to the internet.

Microsoft released patches¹ for affected operating systems, including some currently out of support² such as Windows XP, Server 2003, and Vista. In scenarios where a patch cannot be applied, the vulnerability can be partially mitigated by enabling the NLA (Network Level Authentication) required option in RDP server configuration. Microsoft previously stated³ they are “confident that an exploit exists for this vulnerability” and has posted blogs^3,4 warning customers to patch along with the Canadian Centre for Cyber Security (CCCS)⁵, UK National Cyber Security Centre (NCSC)^6,7, US National Security Agency (NSA)⁸ and US Cybersecurity and Infrastructure Security Agency (CISA)⁹. Many medical device manufacturers have also released public advisories and are listed in the Appendix.

The only requirement for exploitability is the ability to communicate with the RDP server. Multiple individuals and groups at Zerodium, McAfee, Qihoo 360, RiskSense, Sophos, and others have privately developed working Remote Code Execution (RCE) exploits, but have not made them publicly available. Immunity has an exploit module in their CANVAS product. No active exploitation has been observed in the wild at this time, but there are publicly available exploits that can cause Denial of Service (DoS).

Most vulnerability scanning vendors^10,11 should be able to detect the presence of the associated KBs and remotely detect the vulnerability and if Network Level Authentication is required or not. There are also multiple dedicated tools^12,13,14 to detect the vulnerability including a Metasploit module¹⁵. Many security vendors have partial “signatures” for detecting/preventing exploitation but they only work when not using TLS which some Proof of Concept (PoC) exploits are starting to use. Members should consult with their respective endpoint security & vulnerability scanning vendors for further information. There are multiple Internet search engines and reporting services^16,17,18,19 that can help to identity external RDP servers, but be aware that some ISPs block them so they may not be comprehensive.

Assessment:  There’s a remotely exploitable, wormable, pre-authentication vulnerability in a very popular server (initial reporting showed almost 1 million vulnerable RDP servers accessible on the Internet). The healthcare vertical makes heavy use of internet-facing RDP servers to enable various business and support functions. It is likely that significant vertical-wide disruptions will occur when the exploit is eventually made public.

Recommended Course of Action (COA):

• Consider requiring Network Level Authentication as an immediate short-term partial mitigation or disabling RDP on systems that don’t require it.
• Execute emergency patching procedure. Ensure external and internal systems are fully patched.
• Consider any network links with third-parties and assess potential impact if the third party should be compromised.
• Identify external assets with RDP enabled and remediate immediately.
• Contact supply chain partners to ensure affected devices are patched.

References and full update in the PDF below:

Download

 

Questions/Feedback:  Please contact contact@h‐isac.org