Kevin Beaumont: Still no sign of BlueKeep in the wild

Topic

New Reply

In case you were wondering, Kevin Beaumont hasn’t yet detected any BlueKeep infections: https://twitter.com/GossiTheDog/status/1151510296302931969 Goo
[See the full post at: Kevin Beaumont: Still no sign of BlueKeep in the wild]

2 users thanked author for this post.

SueW, Elly

Reply | Quote

Replies

woody wrote:

In case you were wondering, Kevin Beaumont hasn’t yet detected any BlueKeep infections:

Why Microsoft’s BlueKeep Bug Hasn’t Wreaked Havoc—Yet | WIRED      Further information on BlueKeep.

2 users thanked author for this post.

woody, b

Reply | Quote

I got a question and this might be the best place to put it.

 

First BlueKeep is CVE 2019-0708

https://en.wikipedia.org/wiki/BlueKeep

https://www.bleepingcomputer.com/news/security/bluekeep-remote-desktop-exploits-are-coming-patch-now/

https://answers.microsoft.com/en-us/windows/forum/all/how-install-bluekeep-patch-for-windows-7/e1582d6b-9669-408c-a58f-0f7c7c1be651

I am now going to explain why that is important. Here is ms advisory

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708

Using Windows 7 Sp1 32 bit as example. The Kb’s are 4499164 and 4499175.

Starting with 4499175. https://support.microsoft.com/en-us/help/4499175/windows-7-update-kb4499175

Note this line:

“Provides protections against a new subclass of speculative execution side-channel vulnerabilities, known as Microarchitectural Data Sampling, for 64-Bit (x64) versions of Windows (CVE-2019-11091, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130). Use the registry settings as described in the Windows Client and Windows Server articles. (These registry settings are enabled by default for Windows Client OS editions, but disabled by default for Windows Server OS editions).”

First this is talking about 64 bit not 32bit. Second no mention of CVE 2019-0708 (BlueKeep)

Same in 4499164: https://support.microsoft.com/en-us/help/4499164/windows-7-update-kb4499164

Also let check security only for 64 bit. which are the same exact KB’s

One more part

the page has this:  “For more information about the resolved security vulnerabilities, please refer to the Security Update Guide.” Lets do that:

https://portal.msrc.microsoft.com/en-us/security-guidance

Searching that page again has no mention of CVE 2019-0708. I checked the listed under

March https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/ac45e477-1019-e911-a98b-000d3a33a34d

April https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/18306ed5-1019-e911-a98b-000d3a33a34d

May https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/e5989c8b-7046-e911-a98e-000d3a33a34d

June https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/253dc509-9a5b-e911-a98e-000d3a33c573

and July https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/48293f19-d662-e911-a98e-000d3a33c573

If this was really patched, why no mention above in either the Security Update Release notes or KB pages?

Reply | Quote

Good question… and I don’t know the answer.

Perhaps someone else here knows more of the details?

Reply | Quote

Steve S wrote:

If this was really patched, why no mention above in either the Security Update Release notes or KB pages?

It is mentioned here with list of updates including Win7 32bit kb4499164 & kb4499175

CVE-2019-0708 | Remote Desktop Services Remote Code Execution Vulnerability
Security Vulnerability
Published: 05/14/2019
MITRE CVE-2019-0708

A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

To exploit this vulnerability, an attacker would need to send a specially crafted request to the target systems Remote Desktop Service via RDP.

The update addresses the vulnerability by correcting how Remote Desktop Services handles connection requests

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708

Reply | Quote

[Steve S]

You might be missing the question. BlueKeep is a big Deal. Yes I agree you can find it there, but the KB pages you think would also mention it and the Security Updates notes, it definitely should be there. Yes I see this

“The following CVEs have FAQs with additional information and may include * further steps to take after installing the updates. Please note that this is not a complete list of CVEs for this release.”.

But again notice what the security update notes are suppose to be

“For more information about the resolved security vulnerabilities, please refer to the Security Update Guide.”

as big a deal at BlueKeep is IT Should be in the Security update guide. Please find it there.

(as in notes of security patches, not general like you did.)

Also the KB’s mention some CVE, but CVE 2019-0708 is not there.

The point is why is such a Big deal not mentioned where it should be. If a users want to confirm that, yes this does patch BlueKeep, if it is not listed in the KB or the notes, how would they know for sure that, yes this is the right patch?

 

• This reply was modified 4 years, 2 months ago by Steve S.
• This reply was modified 4 years, 2 months ago by Steve S.

Reply | Quote

[Speccy]

Perhaps the answer you’re looking for lies within the Acknowledgments webpage: CVE-2019-0708 refers the UK’s National Cyber Security Centre (NCSC).

• This reply was modified 3 years, 9 months ago by Speccy. Reason: Edited (irrelevant, off-topic info removed)

Reply | Quote

from 0 patch https://twitter.com/0patch

Quote”So while we haven’t seen massive #BlueKeep attacks yet, this modified Metasploit module got published for DOSing a range of IP addresses with BlueKeep. It now only takes one troubled soul to launch this against the Internet. Please patch or @0patch if you haven’t yet!”

And as NSA is also pushing you patch, maybe, just maybe the patch is a back door(?)

https://www.nsa.gov/News-Features/News-Stories/Article-View/Article/1865726/nsa-cybersecurity-advisory-patch-remote-desktop-services-on-legacy-versions-of/

3 users thanked author for this post.

Speccy, columbia2011, woody

Reply | Quote