Weaponized BlueKeep Exploit Released
Metasploit: Release Intended to Call Attention to Urgent Need to Patch Vulnerability
A new weaponized exploit for the so-called BlueKeep vulnerability in certain versions of the Windows operating system has been released by security researchers at Rapid7 and Metasploit, the open source penetration testing framework.
The goal of releasing the exploit, researchers say, is to help users better understand the types of attacks that this Windows vulnerability can allow if left unpatched, as well as the steps security teams can take to minimize the risk and mitigate these issues.
The researchers argue it's better to release a test exploit for BlueKeep than to keep these types of proof-of-concept attacks private as other security vendors have done because it helps call attention to the hundreds of thousands of systems that have not been patched against this vulnerability.
"As an open-source project, one of Metasploit's guiding principles is that knowledge is most powerful when shared. Democratic access to attacker capabilities, including exploits, is critical for defenders - particularly those who rely on open-source tooling to understand and effectively mitigate risk," Rapid7 says in a blog post.
Rapid7 owns the Metasploit framework.
The exploit was developed by two Metasploit contributors, Ryan Hanson and another researcher who goes by the handle "Zerosum0x0." The two posted the exploit on GitHub Friday. They note that unlike other proof-of-concept exploits using the BlueKeep vulnerability, their version is capable of achieving arbitrary code execution within 64-bit versions of Windows 7 and Windows Server 2008 R2.
BlueKeep via SMBLoris + IP Frags https://t.co/PgblGfBIC2— zǝɹosum0x0 (@zerosum0x0) September 6, 2019
BlueKeep, which is also referred to as CVE-2019-0708, is a potentially wormable vulnerability in the Remote Desktop Protocol service of older versions of the Windows operating system. If exploited, an attacker could remotely access other vulnerable computers across an entire network and push malware across the entire infrastructure in much the same way the WannaCry ransomware spread in 2017 (see: Sophos Proof-of-Concept Exploit Shows Dangers of BlueKeep).
The BlueKeep vulnerability is present in older, unpatched versions of Windows including Windows XP, Windows 2003, Windows 7, Windows Server 2008, and Windows Server 2008 R2. Newer versions, such as Windows 8 and Windows 10, are not affected.
Microsoft issued a patch for BlueKeep in May, and the company - along with several U.S. government agencies - has issued numerous warnings about the flaw (see: DHS Is Latest to Warn of BlueKeep Vulnerability).
Although other researchers have released BlueKeep exploit code, this is the first time that a weaponized version has been made available.
In June, for example, Zerosum0x0 released a video demonstrating a full takeover of a vulnerable Windows machine within 22 seconds. The researcher, however, refrained from publishing the full code at the time, fearing a wider security breach (see: Researcher Posts Demo of BlueKeep Exploit of Windows Device).
Since Microsoft issued its first warnings about BlueKeep, several proof-of-concept exploits using the vulnerability have been released by key security research firms and independent researchers, but none have been weaponized until this point.
Zerodium, Kaspersky, Check Point, MalwareTech and Valthek have also developed private exploits for BlueKeep to demonstrate how unpatched systems are susceptible to this flaw.
Now that BlueKeep RCE is out, I'm publishing my old RCE write-up. https://t.co/DAADJuF4iW — MalwareTech (@MalwareTechBlog) September 6, 2019
Exploit Is Limited
The security researchers at Metasploit note that malicious activity connected to the vulnerability remains low and, so far, no exploits in the wild have been detected.
And while Metasploit released an exploit that can achieve arbitrary code execution, the researchers put several limits on it. For instance, the exploit only works against Windows 7 and Windows Server 2008 R2. In addition, a user would need to manually specify a particular target to test, meaning that there is no automation and the exploit cannot jump from machine to machine.
"Users should also note that some elements of the exploit require knowledge of how Windows kernel memory is laid out, which varies depending on both OS version and the underlying host platform (virtual or physical); the user currently needs to specify this correctly to run the exploit successfully," according to the Rapid7 blog post.
Despite the limits of the exploit, Richard Gold, head of security engineering at security vendor Digital Shadows, tells Information Security Media Group that his team tested it on a Windows 7 PC and it allowed remote access to the system. Gold also says that the Microsoft patch for the vulnerability worked.
"The exploit not only gives the attacker remote access to a target system, but also gives the attacker the highest level of privilege on the target," Gold says. "Applying the vendor patch from Microsoft did mitigate the attack and Digital Shadows recommends patching any remaining vulnerable machines as soon as possible."
Despite the warnings from Microsoft and government agencies, many organizations have been slow to patch for BlueKeep.
In May, security research firm Errata Security estimated that more than 1 million exposed nodes were susceptible to BlueKeep attack worldwide.
Other security firms, such as Bitsight, put the number closer to 800,000 systems unpatched as of July (see: Despite BlueKeep Warnings, Many Organizations Fail to Patch).