More than 60,000 Hosts Vulnerable to BlueKeep (CVE-2019–0708) in Latin America, Central America and Spain in the RDP Terminal Server Service

Cesar Farro
Jul 9, 2019

On May 14, 2019 Microsoft [1] published a security patch for CVE-2019–0708 [6], known as BlueKeep, a vulnerability in Remote Desktop Services (the Terminal Server service). Because the flaw can be exploited remotely over RDP without any credentials, it is wormable: an attacker could use it to spread ransomware across networks in the way WannaCry and Petya-type malware did.

For this reason, together with my friend Andres Morales (andresmz), we carried out a scan with the academic objective of assessing how exposed we are. The study focuses on CVE-2019–0708 across the IPv4 ranges assigned to Central America, South America and Spain, and finds more than 63,000 vulnerable hosts. To validate the result we repeated the scan on different days: June 5, 7 and 14. The results are presented in the following graph:

Based on the IPv4 address ranges assigned to Central America, South America and Spain, the following summary table shows the results:

To perform the scan we used public sources that publish the IPv4 ranges assigned to each country, namely LACNIC and RIPE [2], together with two public tools: masscan [3], to find hosts with 3389/tcp open, and rdpscan [4], to check each of those hosts for CVE-2019–0708. Both tools were written by Robert Graham [5].

Vulnerable Variable:

To identify which country has the most hosts vulnerable to CVE-2019–0708 and make a relative comparison, we could not use the raw number of vulnerable hosts, because the set includes very large countries such as Brazil and Mexico and small ones such as Uruguay. For this reason we defined the following variable from the information obtained:

According to the rdpscan tool [4], each host is classified as one of:

  • VULNERABLE: rdpscan confirms that the host is exploitable, i.e. it is not patched for CVE-2019–0708.
  • SAFE: rdpscan could not exploit the host over an unauthenticated connection. This covers two cases: the patch is confirmed ("Target appears patched"), or the server requires CredSSP/NLA before the vulnerable code path is reached. Note that an NLA-protected host may still be unpatched; the scan cannot tell the difference.
  • UNKNOWN: the RDP service did not respond (connection refused, timed out or blocked), so nothing can be said about its patch status; such hosts are not counted as SAFE.
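The pipeline described above (country ranges from the RIR delegated file, masscan for 3389/tcp, rdpscan on the live hosts, then a tally of the three verdicts) as a worked example. This is added shell code, not the scripts the authors used: the file names are illustrative, the sample delegated records and rdpscan lines are constructed, and the percentage computed by tally_rdpscan (vulnerable divided by vulnerable plus SAFE) is an assumption about the article's "vulnerable variable", whose formula is not reproduced in the text. masscan and rdpscan are invoked only in scan_country with their documented flags; the demo at the end runs entirely offline.

```shell
#!/bin/sh
# Added example (not the authors' scripts). Turns an RIR delegated-extended
# file into per-country CIDRs for masscan, then tallies rdpscan verdicts.
# Assumptions: file names and the percentage formula are illustrative;
# masscan/rdpscan are called with their documented flags and only in
# scan_country, which the offline demo does not run.

# ip4_to_int 10.0.0.1 -> 167772161
ip4_to_int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip4 167772161 -> 10.0.0.1
int_to_ip4() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# block_to_cidrs START COUNT: split an (address, size) pair into aligned CIDRs.
# The RIR files record block sizes such as 3072 that are not one prefix; the
# greedy loop emits the largest aligned power-of-two chunk at each step.
block_to_cidrs() {
    start=$(ip4_to_int "$1"); left=$2
    while [ "$left" -gt 0 ]; do
        size=1; prefix=32
        while [ $((size * 2)) -le "$left" ] && [ $((start % (size * 2))) -eq 0 ]; do
            size=$((size * 2)); prefix=$((prefix - 1))
        done
        echo "$(int_to_ip4 "$start")/$prefix"
        start=$((start + size)); left=$((left - size))
    done
}

# ranges_for_country FILE CC: CIDRs of all ipv4 records for country code CC.
# Record layout: registry|cc|type|start|value|date|status|...; the header and
# the "*" summary lines are skipped by the cc/type match.
ranges_for_country() {
    awk -F'|' -v cc="$2" '$2 == cc && $3 == "ipv4" { print $4, $5 }' "$1" |
    while read -r start count; do block_to_cidrs "$start" "$count"; done
}

# tally_rdpscan FILE: count rdpscan verdicts ("IP - STATUS - reason" lines) and
# print "vulnerable safe unknown percent". ASSUMPTION: percent is
# vulnerable/(vulnerable+safe), the unpatched share of hosts that actually
# answered RDP, ignoring UNKNOWN; the article's own formula is not in the text.
tally_rdpscan() {
    awk -F' - ' '
        $2 == "VULNERABLE" { v++ }
        $2 == "SAFE"       { s++ }
        $2 == "UNKNOWN"    { u++ }
        END {
            pct = (v + s) > 0 ? int(100 * v / (v + s)) : 0
            printf "%d %d %d %d\n", v, s, u, pct
        }' "$1"
}

# scan_country CC: the live pipeline, for a host where masscan and rdpscan are
# installed and scanning is authorised. masscan -oL writes "open tcp 3389 IP ts"
# lines; only the IPs that answered on 3389/tcp are handed to rdpscan.
scan_country() {
    cc=$1
    ranges_for_country "${DELEGATED:-delegated-lacnic-extended-latest}" "$cc" > "ranges-$cc.txt"
    masscan -p3389 -iL "ranges-$cc.txt" --rate 10000 -oL "masscan-$cc.txt"
    awk '$1 == "open" { print $4 }' "masscan-$cc.txt" > "open3389-$cc.txt"
    rdpscan --file "open3389-$cc.txt" > "rdpscan-$cc.txt"
    tally_rdpscan "rdpscan-$cc.txt"
}

# Constructed sample data (not real LACNIC records or scan output).
SAMPLE_DELEGATED='lacnic|*|ipv4|*|3|summary
lacnic|UY|ipv4|203.0.113.0|256|20100819|allocated|x1
lacnic|UY|ipv4|198.18.0.0|3072|19960101|allocated|x2
lacnic|BR|ipv4|192.0.2.0|256|19940523|allocated|x3'
SAMPLE_RDPSCAN='203.0.113.10 - VULNERABLE - got appid
203.0.113.11 - SAFE - CredSSP/NLA required
203.0.113.12 - SAFE - Target appears patched
203.0.113.13 - UNKNOWN - no connection - timeout
203.0.113.14 - VULNERABLE - got appid'

# Offline demo: prints 203.0.113.0/24 198.18.0.0/21 198.18.8.0/22 for UY
# (the 3072-address block becomes two prefixes) and the tally "2 2 1 50".
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' "$SAMPLE_DELEGATED" > "$tmp/delegated.txt"
    printf '%s\n' "$SAMPLE_RDPSCAN" > "$tmp/rdpscan.txt"
    ranges_for_country "$tmp/delegated.txt" UY
    tally_rdpscan "$tmp/rdpscan.txt"
    rm -rf "$tmp"
}
demo
```

The tally deliberately keeps UNKNOWN out of the denominator: a host that never answered on 3389/tcp tells you nothing about its patch level, so folding it into the ratio would only dilute the vulnerable share. The two SAFE reasons are counted together because rdpscan reports them both as SAFE, which is also why the country percentages are a lower bound for NLA-protected but unpatched servers.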

Detailed table by Country:

Finally, the detailed table shows that the average vulnerable share is 25%; some countries, however, namely Uruguay, Paraguay, French Guiana, Venezuela and Argentina, are above 35%.

Table 3: Result by Country, scanning performed on June 14, 2019

Last conclusions:

  • Apply the patch Microsoft provides for the affected operating systems [1]. If the service is not needed, disable it; otherwise restrict who can reach it or block 3389/tcp at the perimeter firewall, do not allow the Administrator account to log on over RDP, enable Network Level Authentication (NLA), which Microsoft lists as a partial mitigation because it requires authentication before the vulnerable code path is reached, and publish RDP only through the firewall's remote-access VPN.
  • The more than 63,000 vulnerable hosts could be used to deploy ransomware, viruses/worms or cryptojacking, and even as the first point of contact for lateral movement: credentials collected on the compromised host can be reused to infect the rest of the network.
  • The scan may carry some margin of error: at the time of scanning, traffic could have been blocked or mitigated by our cloud provider, by the Internet link or by the capacity of the scanning server. Multiple runs, however, gave similar results.
  • Not every host with port 3389/tcp open is necessarily running the RDP Terminal Server service; some organisations may have a different service on that port.
  • If any CERT / CSIRT requires the list of hosts vulnerable to CVE-2019–0708, they can contact Cesar Farro at cesar.farro@gmail.com

Sources:

  • 01: Microsoft:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708

  • 02: LACNIC:

https://www.lacnic.net/3106/2/lacnic/ip-geolocation

ftp://ftp.lacnic.net/pub/stats/lacnic/delegated-lacnic-extended-latest

ftp://ftp.lacnic.net/lacnic/dbase/lacnic.db.csv.gz

  • 03: Masscan tool:

https://github.com/robertdavidgraham/masscan

  • 04: rdpscan tool:

https://github.com/robertdavidgraham/rdpscan

  • 05: Robert Graham:

https://github.com/robertdavidgraham

  • 06: CVE-2019–0708:

https://www.cvedetails.com/cve/CVE-2019-0708/

  • 07: Tools: nmap,

Authors:

Annex — Evidence from the study carried out:

Ranges used by LACNIC (Latin America and the Caribbean) and RIPE (used for the case of Spain):

Hosts with port 3389 / tcp open, where it is frequently used by the RDP Terminal Server service:

Vulnerable hosts CVE-2019–0708 by country on June 14, 2019:

Example of VULNERABLE, SAFE and UNKNOWN hosts:

Example of hosts vulnerable to CVE-2019–0708:

Cesar Farro

Blog on #cybersecurity, hacking, protection recommendations and good practices for companies and individuals