Remote Desktop Vulnerabilities: Identifying the Exposure and Patch Using Osquery

[Updated June 5th] Patching for the CVE (CVE-2019-0708) vulnerability (referred to as BlueKeep) appears to have been slow, according to Rob Graham among others. One security expert, Ryan McGeehan (@Magoo), with experience in modeling vulnerability exploit probability and has done just that with the BlueKeep security flaw. 

His concerning summary concludes:

“Chances are about even (47.62%) for “in the wild” BlueKeep exploitation to be observed between now and end of June.”

Follow the outline below to check your exposure using osquery.

Microsoft released an important patch to the remotely exploitable Remote Desktop Services (RDS) vulnerability. This vulnerability does not require any authentication and allows an attacker to run code remotely. Expect public exploits to start appearing soon.

Similar to bugs used by exploits like EternalBlue, it has the potential of becoming wormable.

While not necessarily easy to exploit, it is still serious enough that Microsoft released patches for all affected versions of Windows going as far back as XP, which normally does not get security updates. Windows 2012 and newer are not affected.

What should be done:

  1. Halt Any Exposure of RDS to the internet. RDS is often exposed to the Internet to provide remote access to workers or support staff. It is rarely patched frequently enough, configured to use proper transport encryption, and accessed with two-factor authentication. It is almost always a risky proposition to have RDS on the Internet.
  2. Deploy patches as soon as possible, and verify that it was (Read more...)

*** This is a Security Bloggers Network syndicated blog from Uptycs Blog authored by Guillaume Ross. Read the original post at: