[German]The blog post discusses a How To the question of how end users and administrators can easily check whether their systems with Windows XP to Windows 7 as well as their server counterparts are provided with a patch for the critical vulnerability BlueKeep (CVE-2019-0708) or are vulnerable. In addition, a brief explanation of how a network can be scanned for vulnerable computers is given.
BlueKeep: Some basic information
In Windows XP to Windows 7 and its server counterparts, there is a critical vulnerability called BlueKeep (CVE-2019-0708) that may be used to hijack systems. Windows 8 and later systems are not vulnerable to the BlueKeep vulnerability.
Microsoft has provided security updates for closing this vulnerability for affected Windows systems since May 14, 2019 – even for versions that have long fallen out of support, such as Windows XP (see my blog post Critical update for Windows XP up to Windows 7 (May 2019) and BlueKeep: Patch for pirated copies; SSL tunnel as a risk factor). So the vulnerability seems to be critical, and Microsoft warn against running systems without installed security updates (see BlueKeep vulnerability: Microsoft warns about a wormable malware epedemia). Also US-CERT issued a warning with advices how to secure systems beside patching:
- Block TCP port 3389 on your firewalls, especially on all firewalls exposed to the Internet. This port is used in the RDP protocol and blocks attempts to establish a connection.
- Enable authentication at the network level (see my blog post Assign network level authentication w/o Group Policies). This security enhancement requires that attackers have valid credentials to perform remote code authentication.Disable Remote Desktop Services if they are not needed. Disabling unused and unneeded services helps reduce overall vulnerability exposure and is a best practice even without the BlueKeep threat.
Security researchers have nevertheless recently found over 950,000 vulnerable Windows systems without the required security update that can be accessed via the Internet during a scan (see Nearly 1 million Windows machines with BlueKeep vulnerability). I had reported extensively on this here in the blog (see link list at the end of article)
So it's a grotesque situation: security updates are available, countermeasures and the risk of an attack are known, but people don't patch or react. However, some users fail to quickly check whether the updates required to close the BlueKeep vulnerability are installed. Microsoft has little to offer – corporate administrators need to know how to check this. Due to questions and discussions here in the blog I decided to provide the following information.
Am I actually in danger?
First question that many users might ask themselves: Do I really have to assume that I am at risk? Microsoft provides updates for Windows XP to Windows 7 and their server counterparts. But the question 'Are home users also affected?' came up relatively quickly in the blog, and it was noted that a machine hanging behind a firewall that blocks certain ports for the Remote Desktop Protocol (RDP) is not vulnerable to Internet attacks.
In first approximation one can assume that there should be no endangerment in the area of home users. The most vulnerable are Windows servers, on which a remote desktop server has been set up to handle incoming requests. Talos has also published the security article Using Firepower to defend against encrypted RDP attacks like BlueKeep, which explains that in Windows 7 you probably have to overcome several hurdles to be vulnerable.
In first approximation one can assume that there should be no endangerment in the area of home users. The most vulnerable are Windows servers, on which a remote desktop server has been set up to handle incoming requests. There is also the security article from Talos which explains that in Windows 7 you probably have to overcome several hurdles in order to be vulnerable. But if Microsoft provides a security update, you should also install it.
Is the BlueKeep security update installed?
The easiest way to check if there is a risk regarding BlueKeep is to check if the required security update is installed. To do this, you could view the history of installed Windows updates.
Check your update history
To view the Windows update history, try the following steps, to check whether the required update is is available.
1. Type 'Updates' into the search box of the start menu and select the entry to show 'View update history'. Or invoke the control panel, go to Windows Update an click View update history (see here).
2. Type into the Search Control Panel of the View update history windows the kb number required.
[Search for installed updates (Windows 7)]
If the update is listed there, you don't need to do anything. If the update is also missing there, simply download the relevant package from Microsoft and install it manually. If the update already exists, the second installation will probably be rejected with a corresponding hint. Below is alist of security updates to mitigate the BlueKeep vulnerability.
Windows XP: KB4500331
Windows Server 2003 SP2: KB4500331
Windows Vista: KB4499149 or KB4499180
Windows Server 2008 SP1: KB4499149 or KB4499180
Windows 7 SP1: KB4499164 or KB4499175
Windows Server 2008 R2: KB4499164 or KB4499175
Use a batch file to check the local system
German blog reader Bernhard M. has send me two small batch files he used to check a local system for required updates (thanks). I've modifies on batch file in a way, that it checks, if one of the necessary security updates is installed. It should work for Windows XP up to Windows 7 and the Server pendants.
REM *******************************************************
REM BlueKeep Update Check version 1.2
REM Info: https://borncity.com/blog/?p=218795
REM *******************************************************
REM *******************************************************
REM BlueKeep Update Check Version 1.2
REM Info: https://borncity.com/blog/?p=218795
REM *******************************************************
@ECHO OFF
CLS
ECHO BlueKeep Update Check Version 1.2
ECHO ————————————————–
ECHO.
ECHO Check for installede BlueKeep security udpates
ECHO More info at: https://borncity.com/blog/?p=218795
ECHO.
ECHO List of available BlueKeep security updates
ECHO.
ECHO Windows XP: KB4500331
ECHO Windows Server 2003 SP2: KB4500331
ECHO Windows Vista: KB4499149 or KB4499180
ECHO Windows Server 2008 SP1: KB4499149 or KB4499180
ECHO Windows 7 SP1: KB4499164 or KB4499175
ECHO Windows Server 2008 R2: KB4499164 or KB4499175
ECHO.
ECHO Depending on the version of Windows, a security update must
ECHO be installed. Please wait until the audit is completed. If no
ECHO packet is reported, the BlueKeep security update is missing.
ECHO.
REM ### Try to detect the operating system version
REM Windows XP?
ver | find "5.1" > nul
if errorlevel = 1 goto next0
if errorlevel = 0 echo Windows XP found
goto end1
:next0
ver | find "6.0" > nul
if errorlevel = 1 goto next1
if errorlevel = 0 echo Windows Vista found
goto end1
:next1
ver | find "6.1" > nul
if errorlevel = 1 goto next2
if errorlevel = 0 echo Windows 7 (or Server Pendant) found
goto end1
:other
REM Windows Server 2003 (?) or earlier Windows
ECHO Can't detect the Windows version
:end1
REM ### Check, if BlueKeep update is found
SETLOCAL
wmic qfe > %TEMP%\check-updates.txt
REM *** Windows XP: KB4500331
type %TEMP%\check-updates.txt | findstr KB4500331
REM *** Windows Server 2003 SP2:
type %TEMP%\check-updates.txt | findstr KB4500331
REM *** Windows Vista: KB4499149 oder KB4499180
type %TEMP%\check-updates.txt | findstr KB4499149
type %TEMP%\check-updates.txt | findstr KB4499180
REM *** Windows Server 2008 SP1: KB4499149 or KB4499180
type %TEMP%\check-updates.txt | findstr KB4499149
type %TEMP%\check-updates.txt | findstr KB4499180
REM *** Windows 7 SP1/Windows Server 2008 R2: KB4499164 or KB4499175
type %TEMP%\check-updates.txt | findstr KB4499164
type %TEMP%\check-updates.txt | findstr KB4499175
REM Delete temporary file
del %TEMP%\check-updates.txt
REM Wait, until the user press a key
@Pause
Select the instructions above, copy them to the clipboard using Ctrl+c, open the Windows Editor Notepad.exe and paste the clipboard with the Ctrl+v key combination. Save the document into a file BlueKeep-Check.bat.
If this file is executed by double-clicking, the command wmic qfe determines the installed updates and saves the result in a text file. This text file is then simply searched for the required updates with findstr. The results will be reported afterwards (see following image).
The interpretation of the results is quite simple: If no update is reported during this check, it is missing and the computer is not protected against BlueKeep. If an update is reported (as in the picture above), the patch is installed. It is a quick-and-dirty solution, which I tested only briefly under Windows 7 SP1. But it should also work under Windows XP, Vista and its server counterparts. Only the check for the Windows version (introduced in version 1.2 of this batch file) may fail to detect Windows Server 2003 (or similar).
Network scan for vulnerable systems
Administrators who maintain larger installations, even with servers running the Remote Desktop Service, need a better testing method. There it is the question: Can a computer be reached from the Internet or via a network by RDP and is it vulnerable due to a missing update?
There is a script-based scanner by Kevin Beaumont in a Docker container. But I simply consider this solution to be too complexto be used quickly and easily. Rather for large corporate environments, where you test the network and have an infrastructure with docker containers anyway.
A second program for scanning networks for the BlueKeep vulnerability is by David Graham and is called rdpscan. David Graham published the source code as a Visual Studio project on GitHub. And I found the GitHub page of Graham, where he offers precompiled binary versions of the program for Windows and macOS. On his blog (deleted) there is a Linux version for download and a description. Use program is from a command prompt window as:
rdpscan 192.168.1.1-192.168.1.1.255
The IP address should correspond to the network address space to be checked. The IP address of the own system can be determined with the command ipconfig /all in the command prompt.
The tool knows three results which can be displayed as single-line messages in the command prompt window.
- VULNERABLE if an RDP connection can be established and the update is not available, i.e. the system is vulnerable
- SAFE if an RDP connection can be established and the update is found, so the accesses are probably secure
- UNKNOWN if no RDP connection can be established
During my test under Windows 10 and Windows 7, where no Remote Desktop Service is running, I got the message 'UNKNOWN – no connection – timeout', because the service did not respond.
Of course, you don't know if it's because you entered a wrong IP address or if the computer doesn't provide a remote desktop service that can be reached via the network. But I think that experienced administrators can rule out other causes or test against a working RDP server. Together with the BlueKeep-Update-Check above you should make some progress. Maybe it will help you. If you have any comments or suggestions, please leave a comment.
Addendum 06/11/2029: Bleeping Computer just published this articles that has some additional details about rdpscan.
Similar articles
A threat actor scans Windows systems for BlueKeep vulnerability
BlueKeep: Windows Remote Desktop Services vulnerability exploits status
Critical update for Windows XP up to Windows 7 (May 2019)
Nearly 1 million Windows machines with BlueKeep vulnerability
BlueKeep vulnerability: Microsoft warns about a wormable malware epedemia
BlueKeep: Patch for pirated copies; SSL tunnel as a risk factor
It seems that next2 is missing
Fixed version of the batch file (make sure you change the " 's to standard quotation marks in your batch file:
=============================================
REM *******************************************************
REM BlueKeep Update Check version 1.2
REM Info: https://borncity.com/blog/?p=218795
REM *******************************************************
REM *******************************************************
REM BlueKeep Update Check Version 1.2
REM Info: https://borncity.com/blog/?p=218795
REM *******************************************************
@ECHO OFF
CLS
ECHO BlueKeep Update Check Version 1.2
ECHO ————————————————–
ECHO.
ECHO Check for installede BlueKeep security udpates
ECHO More info at: https://borncity.com/blog/?p=218795
ECHO.
ECHO List of available BlueKeep security updates
ECHO.
ECHO Windows XP: KB4500331
ECHO Windows Server 2003 SP2: KB4500331
ECHO Windows Vista: KB4499149 or KB4499180
ECHO Windows Server 2008 SP1: KB4499149 or KB4499180
ECHO Windows 7 SP1: KB4499164 or KB4499175
ECHO Windows Server 2008 R2: KB4499164 or KB4499175
ECHO.
ECHO Depending on the version of Windows, a security update must
ECHO be installed. Please wait until the audit is completed. If no
ECHO packet is reported, the BlueKeep security update is missing.
ECHO.
REM ### Try to detect the operating system version
REM Windows XP?
ver | find "5.1" > nul
if errorlevel = 1 goto next0
if errorlevel = 0 echo Windows XP found
goto end1
:next0
ver | find "6.0" > nul
if errorlevel = 1 goto next1
if errorlevel = 0 echo Windows Vista found
goto end1
:next1
ver | find "6.1" > nul
if errorlevel = 1 goto other
if errorlevel = 0 echo Windows 7 (or Server Pendant) found
goto end1
:other
REM Windows Server 2003 (?) or earlier Windows
ECHO Can't detect the Windows version
:end1
REM ### Check, if BlueKeep update is found
SETLOCAL
wmic qfe > %TEMP%\check-updates.txt
REM *** Windows XP: KB4500331
type %TEMP%\check-updates.txt | findstr KB4500331
REM *** Windows Server 2003 SP2:
type %TEMP%\check-updates.txt | findstr KB4500331
REM *** Windows Vista: KB4499149 oder KB4499180
type %TEMP%\check-updates.txt | findstr KB4499149
type %TEMP%\check-updates.txt | findstr KB4499180
REM *** Windows Server 2008 SP1: KB4499149 or KB4499180
type %TEMP%\check-updates.txt | findstr KB4499149
type %TEMP%\check-updates.txt | findstr KB4499180
REM *** Windows 7 SP1/Windows Server 2008 R2: KB4499164 or KB4499175
type %TEMP%\check-updates.txt | findstr KB4499164
type %TEMP%\check-updates.txt | findstr KB4499175
REM Delete temporary file
del %TEMP%\check-updates.txt
REM Wait, until the user press a key
@Pause