More than 60,000 Hosts Vulnerable to BlueKeep (CVE-2019-0708) in Latin America, Central America and Spain in the RDP Terminal Server Service

On May 14, 2019, Microsoft [1] published a security patch for a vulnerability (CVE-2019-0708) [6] known as BlueKeep that affects the Terminal Server (Remote Desktop) service. It could be used by Petya- or WannaCry-type ransomware, since the service can be exploited remotely and without the need for credentials.

For this reason, together with a friend, Andres Morales (andresmz), we conducted a scan with the academic objective of assessing how vulnerable we are. This study focuses on the CVE-2019-0708 vulnerability across the IP ranges assigned to Central America, South America and Spain, and finds that there are more than 63,000 vulnerable hosts. To validate the result we scanned on different days: June 5, 7 and 14. The results are presented in the following graph:

Based on the IPv4 address ranges assigned to Central America, South America and Spain, we show a summary table with the results:

To perform the scan we used public sources that publish the IPv4 ranges assigned to each country, such as LACNIC and RIPE [2], together with public tools such as masscan [3] (to find hosts with the RDP port open) and rdpscan [4] (to check whether those hosts are vulnerable). Both tools were written by Robert Graham.
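The LACNIC file cited in the sources (delegated-lacnic-extended-latest) is in the standard RIR "delegated-extended" format, one pipe-separated record per block: registry|cc|type|start|value|date|status|opaque-id, where for IPv4 the value field is a count of addresses rather than a prefix length, so a block is not always a single CIDR prefix. RIPE publishes the same format for its region. The following is an added example, not code from the study, that turns such a file into per-country CIDR lists; the records in SAMPLE_DELEGATED are constructed with documentation/private prefixes and are not the real allocations.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the RIR delegated-extended format. The prefixes, counts
# and opaque ids are made up for this example; they are not LACNIC's real data.
SAMPLE_DELEGATED = """\
2|lacnic|20190614|5|19870101|20190614|-0300
lacnic|*|ipv4|*|4|summary
lacnic|BR|ipv4|10.10.0.0|16384|20000101|allocated|abc
lacnic|UY|ipv4|10.20.0.0|65536|19990101|assigned|def
lacnic|UY|ipv4|10.30.0.0|768|20050101|assigned|ghi
lacnic|BR|ipv6|2001:db8::|32|20100101|allocated|jkl
lacnic|AR|ipv4|10.40.0.0|1024|20010101|reserved|mno
"""

# Only blocks actually handed out are counted; "reserved"/"available" are held
# by the registry and are not expected to be in use.
IN_USE = ("allocated", "assigned")


def parse_delegated(text, countries=None):
    """Return {country_code: [IPv4Network, ...]} for the IPv4 records in text.

    countries: optional set of ISO country codes to keep (None = all).
    """
    ranges = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("|")
        # The version header and the per-type summary lines are skipped:
        # they have a different layout or a "*" country code.
        if len(fields) < 7 or fields[2] != "ipv4" or fields[1] == "*":
            continue
        _registry, cc, _type, start, count, _date, status = fields[:7]
        if status not in IN_USE:
            continue
        if countries and cc not in countries:
            continue
        first = ipaddress.IPv4Address(start)
        last = first + (int(count) - 1)
        # A count such as 768 is not a power of two; summarize_address_range
        # splits it into the minimal set of CIDR prefixes (here /23 + /24).
        ranges[cc].extend(ipaddress.summarize_address_range(first, last))
    return dict(ranges)


def address_count(ranges):
    """Total number of IPv4 addresses registered per country."""
    return {cc: sum(net.num_addresses for net in nets) for cc, nets in ranges.items()}


def cidr_lines(ranges, cc):
    """CIDR strings for one country, one per line (the shape a scanner's
    include-file expects)."""
    return "\n".join(str(net) for net in ranges[cc])


if __name__ == "__main__":
    parsed = parse_delegated(SAMPLE_DELEGATED)
    for cc, total in address_count(parsed).items():
        print(f"{cc}: {total} addresses\n{cidr_lines(parsed, cc)}")
```

The same parser works on the RIPE delegated file with countries={"ES"}; only the registry field differs.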

Vulnerable Variable:

To identify which country has the most hosts vulnerable to CVE-2019-0708 and make a relative comparison, we could not use the raw number of vulnerable hosts, since we have very large countries like Brazil and Mexico alongside small ones like Uruguay. For this reason we defined the following variable, based on the information we obtained:
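As an added example (not the study's own code), the block below shows the aggregation step behind such a relative figure: it reads scan results line by line, assigns each host to a country from its registered ranges, counts the three verdicts rdpscan distinguishes (VULNERABLE, SAFE, UNKNOWN) and derives a per-country rate. The metric used here, vulnerable hosts as a share of hosts that returned a definitive verdict, is an assumption for illustration and not necessarily the study's definition; the "<ip> - <STATUS> - <reason>" line shape follows rdpscan's output but the reason wording and all addresses are constructed.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed country -> registered block mapping (made-up prefixes). In
# practice this comes from the RIR delegated files.
COUNTRY_RANGES = {
    "BR": [ipaddress.ip_network("10.10.0.0/18")],
    "UY": [ipaddress.ip_network("10.20.0.0/16"), ipaddress.ip_network("10.30.0.0/23")],
}

# Constructed results in the "<ip> - <STATUS> - <reason>" shape rdpscan prints.
# The reason text is assumed; the addresses are not real scan targets.
SAMPLE_RESULTS = """\
10.10.0.5 - VULNERABLE - got appid
10.10.0.9 - SAFE - Target appears patched
10.10.1.3 - SAFE - CredSSP/NLA required
10.10.2.7 - UNKNOWN - no connection - timeout
10.20.4.1 - VULNERABLE - got appid
10.20.4.2 - VULNERABLE - got appid
10.20.9.9 - SAFE - Target appears patched
10.30.1.1 - UNKNOWN - no connection - refused
192.0.2.1 - VULNERABLE - got appid
"""

# Only the three verdicts are accepted; anything else (progress output,
# blank lines) is ignored rather than miscounted.
LINE_RE = re.compile(r"^(\S+)\s+-\s+(VULNERABLE|SAFE|UNKNOWN)\s+-\s*(.*)$")


def country_of(ip, ranges=COUNTRY_RANGES):
    """Country code whose registered blocks contain ip, or None."""
    addr = ipaddress.ip_address(ip)
    for cc, nets in ranges.items():
        if any(addr in net for net in nets):
            return cc
    return None


def tally(text, ranges=COUNTRY_RANGES):
    """{country_code: Counter({status: n})}; unmapped hosts go under '??'."""
    counts = defaultdict(Counter)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ip, status, _reason = m.groups()
        counts[country_of(ip, ranges) or "??"][status] += 1
    return counts


def vulnerable_rate(counter):
    """Assumed metric: VULNERABLE / (VULNERABLE + SAFE). UNKNOWN hosts gave no
    verdict, so they are excluded from the denominator and reported apart.
    Returns None when a country has no definitive verdicts at all."""
    decided = counter["VULNERABLE"] + counter["SAFE"]
    return counter["VULNERABLE"] / decided if decided else None


def report(text, ranges=COUNTRY_RANGES):
    """Rows of (cc, vulnerable, safe, unknown, rate), sorted by country code."""
    return [
        (cc, c["VULNERABLE"], c["SAFE"], c["UNKNOWN"], vulnerable_rate(c))
        for cc, c in sorted(tally(text, ranges).items())
    ]


if __name__ == "__main__":
    for cc, vul, safe, unk, rate in report(SAMPLE_RESULTS):
        pct = "n/a" if rate is None else f"{rate:.0%}"
        print(f"{cc}: vulnerable={vul} safe={safe} unknown={unk} rate={pct}")
```

Reporting UNKNOWN separately matters for a comparison like this: a country where many hosts time out would otherwise look either safer or more exposed depending on which denominator is chosen.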

According to the rdpscan tool [4]:

Detailed table by Country:

Finally, we show a detailed table in which the average vulnerable rate is 25%; some countries, however, such as Uruguay, Paraguay, French Guiana, Venezuela and Argentina, are above 35%.

Table 3: Result by Country, scanning performed on June 14, 2019

Last conclusions:

Sources:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708

https://www.lacnic.net/3106/2/lacnic/ip-geolocation

ftp://ftp.lacnic.net/pub/stats/lacnic/delegated-lacnic-extended-latest

ftp://ftp.lacnic.net/lacnic/dbase/lacnic.db.csv.gz

https://github.com/robertdavidgraham/masscan

https://github.com/robertdavidgraham/rdpscan

https://github.com/robertdavidgraham

https://www.cvedetails.com/cve/CVE-2019-0708/

Authors:

Annex — Evidence from the study carried out:

IPv4 ranges taken from LACNIC (Latin America and the Caribbean) and from RIPE (used for Spain):

Hosts with port 3389/tcp open, the port commonly used by the RDP Terminal Server service:

Vulnerable hosts (CVE-2019-0708) by country on June 14, 2019:

Example of hosts classified as Vulnerable, SAFE and Unknown:

Example of vulnerable hosts (CVE-2019-0708):

Blog on Cybersecurity, Hacking, Protection Recommendations and Good Practices for Companies.
