Bluegate DOS/RCE

Hi all, I’m looking into a few detection ideas around the Remote Desktop Gateway RCE vulns
CVE-2020-0609 and CVE-2020-0610 (AKA Bluegate). These vulns are exposed on UDP Port 3391 (DTLS), which is essentially a speedup of RDP. Given it’s DTLS, zeek logs all connections happily into ssl.log, including JA3.
YMMV but one detection method is to look for (JA3=2e29256489ce9efe000820389e24b2fd OR JA3=698698ef3647fddcc035694ba0878bf2) AND UDP 3391. These are the JA3 of the tools noted below.
Another method is to baseline a known list of JA3. You could do this methodically, or take the pragmatic approach and just list what JA3 connected to your server on DTLS/3391 prior to the CVE and then look for any JA3 that is net new.
There are other ways to detect this as well, and I’m interested if anyone is looking into these bugs, and particularly if you are running RDG legit - could you contact me to chat about the sort of legit traffic you see (pcap snippets would be great but a chat is good too).

Attack/scanning toolsets currently publicly available (list not exhaustive):

  1. Operates in “checking mode” and “DOS” mode.
  2. An RCE demo has been published but the tool is not publicly available yet.
  3. Check and DOS mode.
  4. Check mode only.

Ben Reardon
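As an added example (not part of the post above), the two detection ideas, a known-JA3 match and a net-new JA3 baseline, run over constructed Zeek ssl.log lines in Python. It assumes Zeek writes `DTLSv12` in the `version` column for DTLS sessions and uses an assumed cutoff timestamp for the pre-CVE baseline window.

```python
"""Bluegate detection ideas over Zeek ssl.log: known JA3 match and net-new JA3 baseline."""
from typing import Dict, List, Set

# JA3 values of the publicly known scanning/DoS tools quoted in the post.
KNOWN_BAD_JA3 = {
    "2e29256489ce9efe000820389e24b2fd",
    "698698ef3647fddcc035694ba0878bf2",
}
RDG_DTLS_PORT = "3391"
CVE_CUTOFF_TS = 1579000000.0  # assumed: sessions before this form the pre-CVE baseline

# Constructed sample ssl.log in Zeek's tab-separated format (subset of real columns).
SAMPLE_SSL_LOG = (
    "#separator \\x09\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tversion\tja3\n"
    "1578000000.0\tCa1\t10.1.1.20\t51000\t203.0.113.5\t3391\tDTLSv12\tdeadbeef00000000000000000000aaaa\n"
    "1578000100.0\tCa2\t10.1.1.21\t51001\t203.0.113.5\t3391\tDTLSv12\tdeadbeef00000000000000000000aaaa\n"
    "1579500000.0\tCa3\t198.51.100.9\t40000\t203.0.113.5\t3391\tDTLSv12\t2e29256489ce9efe000820389e24b2fd\n"
    "1579500010.0\tCa4\t198.51.100.9\t40001\t203.0.113.5\t3391\tDTLSv12\tcafebabe00000000000000000000bbbb\n"
    "1579500020.0\tCa5\t10.1.1.22\t51002\t203.0.113.5\t443\tTLSv12\t2e29256489ce9efe000820389e24b2fd\n"
)


def parse_ssl_log(text: str) -> List[Dict[str, str]]:
    """Parse Zeek TSV: column names come from the #fields line, other # lines are skipped."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def rdg_dtls_sessions(rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Only DTLS handshakes to the RD Gateway UDP port are of interest."""
    return [r for r in rows if r["id.resp_p"] == RDG_DTLS_PORT and r["version"].startswith("DTLS")]


def known_bad_hits(rows: List[Dict[str, str]]) -> List[str]:
    """Method 1: return uids of DTLS/3391 sessions whose JA3 matches a known tool."""
    return [r["uid"] for r in rdg_dtls_sessions(rows) if r["ja3"] in KNOWN_BAD_JA3]


def baseline_ja3(rows: List[Dict[str, str]], cutoff: float) -> Set[str]:
    """Method 2a: JA3 values seen on DTLS/3391 before the cutoff (legit clients)."""
    return {r["ja3"] for r in rdg_dtls_sessions(rows) if float(r["ts"]) < cutoff}


def net_new_ja3(rows: List[Dict[str, str]], cutoff: float) -> Set[str]:
    """Method 2b: JA3 values on DTLS/3391 after the cutoff that were never in the baseline."""
    seen = baseline_ja3(rows, cutoff)
    return {r["ja3"] for r in rdg_dtls_sessions(rows) if float(r["ts"]) >= cutoff and r["ja3"] not in seen}
```

Note that the session to port 443 carrying a known-bad JA3 is deliberately ignored, since the post's logic keys on UDP 3391; a real deployment would also join against conn.log to confirm the transport is UDP.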