
“BlueKeep” Vulnerability (CVE-2019-0708) within Cloud/Datacenter Machines: How to Safeguard Yourself?

By Kushal Arvind Shah | June 12, 2019

A few weeks ago, FortiGuard Labs began tracking the wormable BlueKeep RDP vulnerability (CVE-2019-0708). According to Microsoft, this is a pre-authentication remote code execution flaw in the Remote Desktop Protocol (RDP) service that requires no user interaction, and it affects older versions of Windows such as Windows XP, Windows Vista, Windows 7, Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2.

Recently, Robert Graham of Errata Security published scan results indicating that nearly 1 million Internet-facing machines are still vulnerable to this critical flaw. Microsoft and even the NSA have issued advisories urging users to patch their systems to avoid a repeat of the WannaCry incident.

Two weeks ago, we ran our own checks against the published Microsoft Azure datacenter IP ranges and found several unpatched machines still vulnerable to the critical BlueKeep RDP vulnerability. We immediately notified Microsoft of our findings; their response is shown below.

Figure 1: Response From Microsoft Security Response Center

The list of Microsoft Azure datacenter IP ranges is publicly available at the following Microsoft-provided link: 

The following figure shows some of the IP ranges listed at the above link: 

Figure 2: Sample Set of Microsoft Azure DataCenter IP Ranges

The tool we used to test for this vulnerability is available at the following link: 

The figure below shows the output for a sample of IPs tested with this tool: 

Figure 3: Output of Sample IPs tested for CVE-2019-0708
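The step the figures above describe, matching scan results back against the published Azure ranges so that each vulnerable host can be attributed to a region, is easy to automate. The following is an added example written for this article, not FortiGuard's own tooling and not the scanner linked above. It assumes the XML layout of the older Azure "Public IPs" download (a root element containing Region elements with IpRange children carrying a Subnet attribute); the ranges, addresses and "ip,status" scan lines are constructed placeholders drawn from RFC 5737 documentation space, not real Azure data or real scan output, and the status format is invented for the example rather than taken from the tool.

```python
"""
Correlate RDP scan results with the Microsoft Azure public IP range list.

Added example (not FortiGuard's tooling). Assumes the XML layout of the
older Azure "Public IPs" download:
  <AzurePublicIpAddresses><Region Name="..."><IpRange Subnet="a.b.c.d/nn"/>...
All ranges, IPs and statuses below are constructed placeholders from
RFC 5737 documentation space, not real Azure data or real scan results.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed stand-in for the downloaded Azure range file.
SAMPLE_AZURE_XML = """<?xml version="1.0" encoding="utf-8"?>
<AzurePublicIpAddresses xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <Region Name="exampleregion-a">
    <IpRange Subnet="203.0.113.0/25" />
    <IpRange Subnet="198.51.100.0/24" />
  </Region>
  <Region Name="exampleregion-b">
    <IpRange Subnet="203.0.113.128/25" />
  </Region>
</AzurePublicIpAddresses>
"""

# Constructed scanner output, one "ip,status" line per host. This simple
# form is assumed for the example; it is not the linked tool's real format.
SAMPLE_SCAN_OUTPUT = """\
203.0.113.10,VULNERABLE
203.0.113.200,SAFE
198.51.100.7,VULNERABLE
192.0.2.5,VULNERABLE
203.0.113.11,UNKNOWN
"""


def load_azure_ranges(xml_text):
    """Return a list of (region_name, ip_network) parsed from the XML.

    Sorted longest-prefix-first so that, if ranges ever overlap, the most
    specific one wins in azure_region_for().
    """
    root = ET.fromstring(xml_text)
    ranges = []
    for region in root.iter("Region"):
        name = region.get("Name")
        for entry in region.iter("IpRange"):
            net = ipaddress.ip_network(entry.get("Subnet"), strict=False)
            ranges.append((name, net))
    ranges.sort(key=lambda item: item[1].prefixlen, reverse=True)
    return ranges


def azure_region_for(ip, ranges):
    """Return the Azure region whose range contains ip, or None if not Azure."""
    addr = ipaddress.ip_address(ip)
    for name, net in ranges:
        if addr in net:
            return name
    return None


def parse_scan_output(text):
    """Parse 'ip,status' lines; blank lines and '#' comments are skipped."""
    results = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ip, _, status = line.partition(",")
        results.append((ip.strip(), status.strip().upper()))
    return results


def vulnerable_by_region(scan_text, xml_text):
    """Map region -> sorted IPs reported VULNERABLE.

    Hosts outside every Azure range are grouped under 'not-azure' so they
    are never silently dropped from the report.
    """
    ranges = load_azure_ranges(xml_text)
    grouped = {}
    for ip, status in parse_scan_output(scan_text):
        if status != "VULNERABLE":
            continue
        region = azure_region_for(ip, ranges) or "not-azure"
        grouped.setdefault(region, []).append(ip)
    return {region: sorted(ips) for region, ips in grouped.items()}


if __name__ == "__main__":
    report = vulnerable_by_region(SAMPLE_SCAN_OUTPUT, SAMPLE_AZURE_XML)
    for region, ips in sorted(report.items()):
        print(f"{region}: {len(ips)} vulnerable -> {', '.join(ips)}")
```

To use it against a real download, replace the constructed XML with the file contents and the sample lines with your own scanner's output after adapting parse_scan_output to that tool's format. If the file you download declares a default XML namespace, the tag names passed to iter() must include it.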

What Should You Do?

Microsoft has already released an advisory and patches for this vulnerability, yet several Azure datacenter IPs remain vulnerable to it. This raises the question of who is responsible for patching these systems.

Microsoft has stated that it is not responsible for updating the machines behind the datacenter IPs currently in use by Azure service customers: patching those systems falls to the customers who run them. Since several of those IPs and organizations are currently vulnerable to the critical BlueKeep vulnerability, affected organizations can take the following steps.

Current Solution:

All users running vulnerable versions of Windows are encouraged to patch their systems immediately. Additionally, organizations can protect themselves with the Fortinet IPS solution, which acts as a virtual patch not only against this vulnerability but also against several others.

Organizations that have deployed Fortinet IPS solutions are already protected from this vulnerability with the following signature:

MS.Windows.RDP.Channel.MS_T120.Remote.Code.Execution

Note: this article does not apply only to Microsoft Azure customers. Other cloud providers and their customers may be equally affected.
