{"id":15845,"date":"2019-07-19T11:44:57","date_gmt":"2019-07-19T19:44:57","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2019\/07\/19\/news-9590\/"},"modified":"2019-07-19T11:44:57","modified_gmt":"2019-07-19T19:44:57","slug":"news-9590","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2019\/07\/19\/news-9590\/","title":{"rendered":"\u201cBlueKeep\u201d Vulnerability (CVE-2019-0708) within Cloud\/Datacenter Machines: How to Safeguard Yourself?"},"content":{"rendered":"<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12\">\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>A few weeks back, FortiGuard Labs learned of the BlueKeep RDP wormable vulnerability [CVE-2019-0708]. According to Microsoft, this vulnerability affects the Remote Desktop Protocol (RDP) service included in older versions of Windows, such as Windows XP, Windows Vista, Windows 7, Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2.<\/p>\n<p>Recently, an article by Robert Graham of Errata Security reported that <a href=\"https:\/\/blog.erratasec.com\/2019\/05\/almost-one-million-vulnerable-to.html#.XPf7WBZKiUl\">nearly 1 million machines<\/a> are still exposed to this critical vulnerability. <a href=\"https:\/\/blogs.technet.microsoft.com\/msrc\/2019\/05\/30\/a-reminder-to-update-your-systems-to-prevent-a-worm\">Microsoft<\/a> and even the <a href=\"https:\/\/www.nsa.gov\/News-Features\/News-Stories\/Article-View\/Article\/1865726\/nsa-cybersecurity-advisory-patch-remote-desktop-services-on-legacy-versions-of\/\">NSA<\/a> have recently issued advisories asking users to patch their systems to avoid another attack along the lines of the WannaCry incident.<\/p>\n<p>Two weeks ago, we conducted our own research on Microsoft Azure datacenter IP ranges and found several instances of unpatched machines still vulnerable to the critical \u201cBlueKeep\u201d RDP vulnerability. 
We immediately reached out to Microsoft to notify them about our findings; their response is shown below.<\/p>\n<\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\"><img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/bluekeep-vulnerability-cloud-datacenters\/_jcr_content\/root\/responsivegrid\/image.img.png\" alt=\"\"><\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p><i>Figure 1: Response From Microsoft Security Response Center<\/i><\/p>\n<\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The list of Microsoft Azure datacenter IP ranges is publicly available at the following Microsoft-provided link:<\/p>\n<ul>\n<li><a href=\"https:\/\/www.microsoft.com\/en-us\/download\/details.aspx?id=41653\">https:\/\/www.microsoft.com\/en-us\/download\/details.aspx?id=41653<\/a><\/li>\n<\/ul>\n<p>The following figure displays some of the IP ranges listed at the above link:<\/p>\n<\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\"><img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/bluekeep-vulnerability-cloud-datacenters\/_jcr_content\/root\/responsivegrid\/image_1670002232.img.png\" alt=\"\"><\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p><i>Figure 2: Sample Set of Microsoft Azure DataCenter IP Ranges<\/i><\/p>\n<\/div>\n<div class=\"cmp cmp-text aem-GridColumn 
aem-GridColumn--default--12\">\n<p>The tool we used to test for this vulnerability is available at the following link:<\/p>\n<ul>\n<li><a href=\"https:\/\/github.com\/zerosum0x0\/CVE-2019-0708\">https:\/\/github.com\/zerosum0x0\/CVE-2019-0708<\/a><\/li>\n<\/ul>\n<p>The figure below shows the tool's output for some sample IPs:<\/p>\n<\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\"><img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/bluekeep-vulnerability-cloud-datacenters\/_jcr_content\/root\/responsivegrid\/image_1709515121.img.png\" alt=\"\"><\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p><i>Figure 3: Output of Sample IPs tested for CVE-2019-0708<\/i><\/p>\n<\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h4><b>What Should You Do?<\/b><\/h4>\n<p>Since Microsoft has already released its <a href=\"https:\/\/blogs.technet.microsoft.com\/msrc\/2019\/05\/14\/prevent-a-worm-by-updating-remote-desktop-services-cve-2019-0708\/\">advisory<\/a> for this vulnerability, and because several Azure datacenter IPs remain vulnerable to it, the question arises of who is responsible for patching these systems.<\/p>\n<p>Microsoft has stated that it is not responsible for updating the datacenter IPs currently in use by Azure service customers. Since several of those IPs, and the organizations behind them, are currently vulnerable to the critical BlueKeep vulnerability, affected organizations can try the following solutions.<\/p>\n<h4><b>Current Solution:<\/b><\/h4>\n<p>All users running vulnerable Windows versions are encouraged to patch their systems immediately. 
Additionally, individual organizations can safeguard themselves using the Fortinet IPS solution, which acts as a virtual patch against not only this vulnerability but also several others.<\/p>\n<p>Organizations that have deployed Fortinet IPS solutions are already protected from this vulnerability by the following signature:<\/p>\n<p><b>MS.Windows.RDP.Channel.MS_T120.Remote.Code.Execution<\/b><\/p>\n<p><b>Note:<\/b> This article does not apply only to Microsoft Azure customers; other cloud providers and their customers may be equally affected.<\/p>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/bluekeep-vulnerability-cloud-datacenters\/_jcr_content\/root\/responsivegrid\/image.img.png\"\/><br \/>Recently, FortiGuard Labs conducted its own research on Microsoft Azure datacenter IP ranges and found several instances of unpatched machines still vulnerable to the critical \u201cBlueKeep\u201d RDP vulnerability. Learn more about how to protect against this vulnerability.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10424,10378],"tags":[],"class_list":["post-15845","post","type-post","status-publish","format-standard","hentry","category-fortinet","category-security"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/15845","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=15845"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/15845\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=15845"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=15845"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=15845"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}