This AssetView Dashboard will enable you to get instant visibility on CVE-2019-0708 (QID:91534) Microsoft Windows Remote Desktop Services Remote Code Execution Vulnerability.
We all know how busy, and the amount of work as security professionals we encounter daily given its an ever-changing environment. That is where Qualys can provide the ability for quick dashboarding and views to key indicators to assist and prioritize your remediation work. #VisualizeDataNotCSVs #BlueKeep #AgentStackConsolidation
What are the of End-of-life software (EOL), Operating Systems affected by CVE-2019-0708 ?
Microsoft Windows Server 2008 R2 Operating System Detected
Microsoft Windows Server 2008 Core Operating System Detected
Microsoft Windows Server 2008 Operating System Detected
Microsoft Windows 7 Operating System Detected
Microsoft Windows XP
Microsoft Windows 2003
What makes CVE-2019-0708 Risky?
This vulnerability allows an unauthenticated attacker (or malware) to execute code on the vulnerable system.
How to quickly detect and remediate all in one single solution? #AgentStackConsolidation
This QID is included in signature version VULNSIGS-2.4.606-3, and requires authenticated scanning or the Qualys Cloud Agent. Cloud Agents will automatically receive this new QID as part of manifest version 2.4.606.3-2.
The benefits of the Qualys Cloud Agent over Authenticated Scanning:
Continuously monitor assets for the latest Operating System, Application, and Certificate vulnerabilities
Track missing critical patches on each device in real time
- Patch and remediate systems no matter where they reside in the world with our new revolutionary Qualys Patch Management
No credential / Authentication record management or complex firewall profiles needed—only requires outbound encrypted communications over a single port to the Qualys Cloud Platform
Combine network scans with Cloud Agents for devices where it is not practical to install agents—firewalls, routers, etc.
Qualys Cloud Agents brings the new age of continuous monitoring capabilities to your Vulnerability Management program. This eliminates the need for establishing scanning windows, managing credential manually or integrations with credential vaults for systems, as well as the need to actually know where a particular asset resides. "Consolidate your security stack with the Qualys Cloud Agent!" #AgentStackConsolidation
The following mitigation may be helpful in your situation. In all cases, Microsoft strongly recommends that you install the updates for this vulnerability as soon as possible even if you plan to leave Remote Desktop Services disabled:
1. Disable Remote Desktop Services if they are not required. If you no longer need these services on your system, consider disabling them as a security best practice. Disabling unused and unneeded services helps reduce your exposure to security vulnerabilities.
The following workarounds may be helpful in your situation. In all cases, Microsoft strongly recommends that you install the updates for this vulnerability as soon as possible even if you plan to leave these workarounds in place:
1. Enable Network Level Authentication (NLA) on systems running supported editions of Windows 7, Windows Server 2008, and Windows Server 2008 R2You can enable Network Level Authentication to block unauthenticated attackers from exploiting this vulnerability. With NLA turned on, an attacker would first need to authenticate to Remote Desktop Services using a valid account on the target system before the attacker could exploit the vulnerability.
2. Block TCP port 3389 at the enterprise perimeter firewall: TCP port 3389 is used to initiate a connection with the affected component. Blocking this port at the network perimeter firewall will help protect systems that are behind that firewall from attempts to exploit this vulnerability. This can help protect networks from attacks that originate outside the enterprise perimeter. Blocking the affected ports at the enterprise perimeter is the best defense to help avoid Internet-based attacks. However, systems could still be vulnerable to attacks from within their enterprise perimeter.
List QIDs associated with BlueKeep:
QID: 91534 - Windows RDP Remote Code Execution Vulnerability (BlueKeep)
QID: 91541 - Microsoft Windows Remote Desktop Services Remote Code Execution Vulnerability (BlueKeep) (unauthenticated check)
BlueKeep Unauthenticated check Update:
Qualys released a new unauthenticated check to address Bluekeep vulnerability under QID:
QID 91541: Microsoft Windows Remote Desktop Services Remote Code Execution Vulnerability (BlueKeep) (unauthenticated check)
This QID is included in scanner version 11.2.35 and vulnerability signature version VULNSIGS-2.4.620-x.
Scanner version update (11.2.35) is required for this new QID. For Windows 7 and above operating systems, QID may not post as vulnerable, if service is not identified as RDP over port 3389. However, authenticated check (QID 91534) will post the vulnerability for all affected Operating Systems.
BlueKeep Authenticated check Update:
Qualys has issued a special QID (91534) for Qualys Vulnerability Management that covers only CVE-2019-0708 across all impacted Operating Systems, including Windows XP and Server 2003. This QID is included in signature version VULNSIGS-2.4.606-3, and requires authenticated scanning or the Qualys Cloud Agent. Cloud Agents will automatically receive this new QID as part of manifest version 2.4.606.3-2.
Dashboard Demonstration Images: New
Query to create WorkAround Widget:
Title: Workaround - QID:45379 - Network Level Authentication (NLA)
Query to create Mitigation Widget:
Title: VULN - CVE-2019-0708 & TERMService - NOT Running
Query: vulnerabilities.vulnerability.qid:91534 and not (services:(name:TermService and status:RUNNING) or vulnerabilities.vulnerability.qid: 45381)
Title: VULN - CVE-2019-0708 & TERMService - Running
Query: vulnerabilities.vulnerability.qid:91534 and (services:(name:TermService and status:RUNNING) or vulnerabilities.vulnerability.qid: 45381)
How to Enable Trending on the widgets:
Open the desired widget in edit mode and select the Collect trend data check box.
Qualys - Training Videos:
Self-Paced Class: Vulnerability Management Asset Tags
Self-Paced Class: AssetView and Threat Protection
POD - 1 - Apply Tags to Organize Your Assets
POD - 2 - Apply Tags to Organize Your Assets
POD - 3 - Apply Tags to Organize Your Assets
Looking for additional Qualys Documentation use the Resource link in the Qualys Portal (Help > Resources)
Related community Post:
Dashboard Toolbox - Asset View: How To - Import a Dashboard json
Additional AssetView Dashboards:
Dashboard Toolbox - Asset View: How To - Import a Dashboard json
- - - - - - - - - - - - - - - - - - - - - - - - - - - -- - - - - - - - - - - - - - - - - - - - - - - -
Dashboard Toolbox - AssetView: Performance Management (v1.1)
Dashboard Toolbox - AssetView: Host Scan Time Management (v1.1)
Dashboard Toolbox - AssetView: Scanning Activity Management (v1.0)
Dashboard Toolbox - AssetView: Open Ports Management & RTI (v1.0)
Dashboard Toolbox - AssetView: Windows Authentication Management (v1.4)
WARNING: Read Before Downloading
Dashboard and Widget JSON files are not interchangeable between application dashboards. AssetView JSON files may only be used in AssetView and Vulnerability Management JSON files may only be used in Vulnerability Management. If you make a mistake and import a JSON file from one application into the other, you must contact Qualys Support to have the error corrected in the database for your subscription. Again, there is no way to reverse this mistake within the UI, it must be done in the database.
fjimenez This page contains information to create a Scorecard dashboard leveraging data in your Qualys Vulnerability Management subscription. This dashboard is part of AssetView Dashboard Program. If you have any questions regarding the content, please comment below or Contact Support - Technical Assistance Inquiry Form | Qualys, Inc.
Back to Dashboarding and Reporting