One Article Review

Home - The article:
Source Errata Security
Identifier 1128860
Publication date 2019-05-28 06:20:06 (viewed: 2019-05-28 13:00:43)
Title Almost One Million Vulnerable to BlueKeep Vuln (CVE-2019-0708)
Text Microsoft announced a vulnerability in its "Remote Desktop" product that can lead to robust, wormable exploits. I scanned the Internet to assess the danger. I find nearly 1-million devices on the public Internet that are vulnerable to the bug. That means when the worm hits, it'll likely compromise those million devices. This will likely lead to an event as damaging as WannaCry and NotPetya from 2017 -- potentially worse, as hackers have since honed their skills exploiting these things for ransomware and other nastiness.

To scan the Internet, I started with masscan, my Internet-scale port scanner, looking for port 3389, the one used by Remote Desktop. This takes a couple of hours, and lists all the devices running Remote Desktop -- in theory. This returned 7,629,102 results (over 7-million). However, there is a lot of junk out there that'll respond on this port. Only about half are actually Remote Desktop.

Masscan only finds the open ports, but is not complex enough to check for the vulnerability. Remote Desktop is a complicated protocol. A project was posted that could connect to an address and test it, to see if it was patched or vulnerable. I took that project and optimized it a bit, rdpscan, then used it to scan the results from masscan. It's a thousand times slower, but it's only scanning the results from masscan instead of the entire Internet.

The table of results is as follows:

  1447579  UNKNOWN - receive timeout
  1414793  SAFE - Target appears patched
  1294719  UNKNOWN - connection reset by peer
  1235448  SAFE - CredSSP/NLA required
   923671  VULNERABLE -- got appid
   651545  UNKNOWN - FIN received
   438480  UNKNOWN - connect timeout
   105721  UNKNOWN - connect failed 9
    82836  SAFE - not RDP but HTTP
    24833  UNKNOWN - connection reset on connect
     3098  UNKNOWN - network error
     2576  UNKNOWN - connection terminated

The various UNKNOWN things fail for various reasons. A lot of them are because the protocol isn't actually Remote Desktop and the hosts respond weirdly when we try to talk Remote Desktop to them. A lot of others are Windows machines, sometimes vulnerable and sometimes not, which for some reason return errors sometimes.

The important results are those marked VULNERABLE. There are 923,671 vulnerable machines in this result. That means we've confirmed the vulnerability really does exist, though it's possible a small number of these are "honeypots" deliberately pretending to be vulnerable in order to monitor hacker activity on the Internet.

The next results are those marked SAFE due to probably being "patched". Actually, it doesn't necessarily mean they are patched Windows boxes. They could instead be non-Windows systems that appear the same as patched Windows boxes. But either way, they are safe from this vulnerability. There are 1,414,793 of them.

The next results to look at are those marked SAFE due to CredSSP/NLA failures, of which there are 1,235,448. This doesn't mean they are patched, but only that we can't exploit them. They require "network level authentication" first before we can talk Remote Desktop to them. That means we can't test whether they are patched or vulnerable -- but neither can the hackers. They may still be exploitable via an insider threat who knows a valid username/password, but they aren't exploitable by anonymous hackers or worms.

The next category is marked as SAFE because they aren't Remote Desktop at all, but HTTP servers. In other words, in response to o
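As an added example, not code from the article or from the rdpscan project, the script below tallies rdpscan-style output into the same SAFE / VULNERABLE / UNKNOWN buckets the table uses, lists the hosts that need patching first, and computes an exposure rate only over hosts that could actually be tested (confirmed patched plus confirmed vulnerable), since NLA-protected hosts and non-RDP responders say nothing about patch state. The "ip - STATUS - reason" line format is an assumption about rdpscan's output, and the sample lines are constructed, so check the regex against what your own build prints before using it on a real scan of your own address space.

```python
import re
from collections import Counter

# Constructed sample lines in an assumed rdpscan-style format "ip - STATUS - reason".
# These are not real scan results; addresses come from the TEST-NET-2 range.
SAMPLE_OUTPUT = """\
198.51.100.10 - VULNERABLE - got appid
198.51.100.11 - SAFE - Target appears patched
198.51.100.12 - SAFE - CredSSP/NLA required
198.51.100.13 - UNKNOWN - receive timeout
198.51.100.14 - UNKNOWN - connection reset by peer
198.51.100.15 - SAFE - not RDP but HTTP
198.51.100.16 - VULNERABLE - got appid
this line is garbage and should be skipped
198.51.100.17 - UNKNOWN - connect timeout
"""

# One or more hyphens between status and reason, because the article's own
# table shows "VULNERABLE -- got appid" with a double hyphen.
LINE_RE = re.compile(r"^(\S+)\s+-\s+(SAFE|VULNERABLE|UNKNOWN)\s+-+\s+(.*)$")

# Only these two outcomes tell you something about the patch state of an RDP host.
TESTABLE_PATCHED = ("SAFE", "Target appears patched")


def parse_rdpscan(text):
    """Yield (ip, status, reason) for each well-formed line; skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3).strip()


def summarize(text):
    """Count hosts per status and per (status, reason), and collect VULNERABLE hosts."""
    by_status = Counter()
    by_reason = Counter()
    vulnerable_hosts = []
    for ip, status, reason in parse_rdpscan(text):
        by_status[status] += 1
        by_reason[(status, reason)] += 1
        if status == "VULNERABLE":
            vulnerable_hosts.append(ip)
    return {
        "by_status": dict(by_status),
        "by_reason": dict(by_reason),
        "vulnerable_hosts": vulnerable_hosts,
    }


def exposure_rate(summary):
    """Fraction of *testable* RDP hosts that are vulnerable.

    Denominator is confirmed-patched plus confirmed-vulnerable hosts only;
    NLA-required, non-RDP and UNKNOWN results are excluded because the scan
    could not determine their patch state either way.
    """
    vulnerable = summary["by_status"].get("VULNERABLE", 0)
    patched = summary["by_reason"].get(TESTABLE_PATCHED, 0)
    testable = vulnerable + patched
    return vulnerable / testable if testable else 0.0


if __name__ == "__main__":
    s = summarize(SAMPLE_OUTPUT)
    for status, n in sorted(s["by_status"].items()):
        print(f"{n:8d}  {status}")
    print(f"exposure rate among testable hosts: {exposure_rate(s):.1%}")
    print("patch first:", ", ".join(s["vulnerable_hosts"]))
```

Feed it `rdpscan` output on stdin or a saved file in place of the constructed sample; the regex deliberately drops lines it cannot parse rather than guessing, so a drop in the parsed total relative to the input is your signal that the output format differs from the assumed one.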
Sent Yes
Tags Ransomware Vulnerability Threat Patching Guideline
Stories NotPetya Wannacry


The article does not appear to have been picked up again after its publication.


The article does not appear to be a repeat of an earlier one.