Hello, welcome to the Thursday, May 23rd, 2019 edition of the Science and It Storms,

Sturmcast. My name is Johannes Orich.

I'm recording from Jacksonville, Florida.

I put together a quick update regarding the Blue Keep RDP vulnerability.

That's CVE 2019 0708 and they're really

sort of two points I want to make in this blog post first of all don't they

put too much trust into the IDS signatures that have been published so far.

RDP is usually used over TLS and the part of the exploit that these signatures look for is

typically encrypted. So these signatures will probably not detect any exploit attempts.

Also all the current proof of concept and scanner exploits

out there, they all take advantage of TLS. Actually turns out at least in Windows 7 I

played with this quite a bit today, it's pretty hard to turn off TLS. So you should assume

that all RDP connections in your network are

using TLS. The second part that hasn't been mentioned often is network level authentication. That's

an authentication option that you have with RDP. It's sort of suggested when you are setting it up in Windows 7 and

later, but has some problems. It, for example, doesn't allow you to change your password if you

have to change the password as you're logging in, then you kind of have this catch 22 there.

Also in Windows XP, and I hope you don't have Windows XP RDP exposed anymore it may be more

difficult to set it up but the big difference with network level authentication is

that the authentication happens before the protocol details are negotiated.

So this way the exploit will no longer work unless the attacker has a valid username and

password.

...