Microsoft has warned companies to patch older versions of Windows against a severe vulnerability in the Remote Desktop Protocol (RDP) service that can be abused remotely, and which the company has likened to the EternalBlue exploit that fueled the WannaCry, NotPetya, and Bad Rabbit ransomware outbreaks.
Rob Graham of Errata Security claimed today he has already found nearly one million unpatched boxes exposed on the internet. Specifically, Graham said he was able to, over the course of a few hours, find some 932,671 public-facing computers still vulnerable to CVE-2019-0708. To do this, he scanned the public internet for machines that had the Windows Remote Desktop network port (3389) open, using his masscan tool, and against those 7,629,102 matching machines, he ran a second script that sniffed out whether each box was running a vulnerable version of the service.
Some 932,671 were found running vulnerable Windows RDP services, 1,414,793 systems were patched, 1,235,448 were protected by additional CredSSP/NLA security checks, 82,836 were found to be running HTTP servers on port 3389 and thus not vulnerable, and the rest either timed out or the connection failed in some way.
“The upshot is that these tests confirm that roughly 950,000 machines are on the public internet that are vulnerable to this bug,” Graham said. “Hackers are likely to figure out a robust exploit in the next month or two and cause havoc with these machines.”
The good news is that Windows 10 and Windows 8 systems are not affected by the flaw, and the vulnerability can only be exploited on machines with Remote Desktop Services turned on. Consumers are therefore probably less affected than businesses running older Windows versions.
Download patches for Windows 7, Windows 2008, Windows 2003 and Windows XP.
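Graham's tally sorts each host into one of a few buckets: running an unaffected OS, RDP turned off, patched, shielded by NLA, or vulnerable. The following PowerShell is an added example (not from the article or from Errata Security) that applies the same classification to the local Windows host so an administrator can audit their own fleet; it assumes the usual Terminal Server registry keys, and the KB identifier of the fix is a placeholder because the article does not list it.

```powershell
function Get-RdpExposureReport {
    param(
        # Placeholder: the article does not give the KB number of the fix,
        # so pass the KB id(s) from Microsoft's advisory for your OS here.
        [string[]]$PatchKbIds = @('KBXXXXXXX')
    )
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $ver = [version]$os.Version
    # Windows 8 (6.2), 8.1 (6.3) and 10 (10.0) are not affected per the article;
    # Windows 7 (6.1), 2008 (6.0) and 2003/XP (5.x) are the affected generations.
    $legacyOs = $ver -lt [version]'6.2'

    $tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpKey = "$tsKey\WinStations\RDP-Tcp"
    # fDenyTSConnections = 0 means Remote Desktop is turned on.
    $deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    $rdpEnabled = ($deny -eq 0)
    # UserAuthentication = 1 means NLA must succeed before a session is created.
    $nla = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    $nlaRequired = ($nla -eq 1)
    # Get-HotFix lists installed updates; any of the given KB ids counts as patched.
    $installed = Get-HotFix -ErrorAction SilentlyContinue | Select-Object -ExpandProperty HotFixID
    $patched = [bool]($PatchKbIds | Where-Object { $installed -contains $_ })

    # Same buckets the article reports for the internet-wide scan.
    $status = if (-not $legacyOs)       { 'NotAffectedOS' }
              elseif (-not $rdpEnabled) { 'RdpDisabled' }
              elseif ($patched)         { 'Patched' }
              elseif ($nlaRequired)     { 'MitigatedByNLA' }
              else                      { 'Vulnerable' }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        OSVersion    = $os.Version
        RdpEnabled   = $rdpEnabled
        NlaRequired  = $nlaRequired
        PatchFound   = $patched
        Status       = $status
    }
}

# Interim hardening while the patch is being rolled out: require NLA so the
# CredSSP/NLA checks the article mentions apply before any session is created.
function Enable-RdpNla {
    $rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1 -Type DWord
}

Get-RdpExposureReport | Format-List
```

Run it in an elevated session on each host; a `Vulnerable` status means the machine is in the same bucket as the 932,671 hosts Graham counted and should be patched or have RDP removed from the internet edge.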