Experts maintaining the Metasploit open-source framework have added an exploit for the much-discussed BlueKeep vulnerability (CVE-2019-0708), a critical weakness in the Windows Remote Desktop Protocol (RDP) service of older versions of Microsoft Windows. Microsoft has emphasized the dangerous “wormability” of BlueKeep, comparing it to the EternalBlue vulnerability responsible for the WannaCry outbreak of 2017. BlueKeep also allows remote code execution, meaning an attacker could run arbitrary code on an unpatched system and even gain full control of it.
There have already been other successful proof-of-concept exploits of BlueKeep, usually defanged or privately held versions. Metasploit is a project owned by Rapid7, which shares information about exploits and aids in penetration testing; Rapid7 has now published its own exploit module for the vulnerability. The module is publicly available and can achieve remote code execution, but it is also somewhat limited: it is designed to target only 64-bit versions of Windows 7 and Windows 2008 R2, and it does not support automatic targeting.
A user of Metasploit’s exploit module needs to manually supply details about the system to be targeted; if those details are wrong, the target crashes with a blue screen. This limits the “wormability” of the exploit, since it cannot run unattended as a self-spreading worm; however, it can still be used in targeted attacks. Malicious actors could also use the information provided by Metasploit to improve their own tools that leverage BlueKeep.
In a statement to Bleeping Computer, Metasploit senior engineering manager Brent Cook responded to queries on whether threat actors could use the information that Rapid7 revealed, “Metasploit is an open-source exploitation toolkit that can be used by anyone. The information in the exploit module provides further understanding of attack techniques and how to mitigate them. This holds true for every module and technique added to Metasploit Framework. This module particularly benefits defenders who rely on open-source tooling for testing and prioritizing security risks.”
Cybercriminals are known to target even patched vulnerabilities, banking on the fact that many enterprises and users do not patch immediately. A report from Rapid7 on the BlueKeep exploit even notes that there was an uptick in RDP activity after BlueKeep was published and reported on.
Here are some best practices that can help enterprises and users reduce their exposure to BlueKeep and other similar threats:
Patch and keep the system and its applications updated (or employ virtual patching to legacy or end-of-life systems).
Restrict or secure the use of remote desktop services. For example, blocking inbound connections to port 3389 at the firewall (or disabling the service when it is not in use) can help prevent threats from initiating connections to systems behind the firewall.
Enforce the principle of least privilege. Employing security mechanisms like encryption, lockout policies, and other permission- or role-based access controls provides additional layers of security against attacks or threats that involve compromising remote desktops.
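The three practices above can be audited and, where needed, enforced on a Windows host with a short script. The following is an added example written for this article; it is not code from Metasploit, Rapid7, or Microsoft. It assumes a hypothetical management subnet ($AdminSubnet) that is the only network permitted to reach RDP, and a hypothetical $PatchKB value standing in for the KB number of the BlueKeep fix for the host's OS version, which the article does not give. Everything else uses standard Windows cmdlets and the built-in net accounts command.

```powershell
# Added example (not from the article, Rapid7 or Metasploit): audit and optionally
# enforce the article's three mitigations on the local Windows host.
# Run from an elevated PowerShell session. Without -Enforce it only reports.
param(
    [string]$AdminSubnet = "10.0.0.0/24",     # placeholder: your management network
    [string]$PatchKB     = "KB<placeholder>", # placeholder: BlueKeep fix KB for this OS
    [switch]$Enforce
)

$findings = @()

# 1. Patch status: is the RDP fix installed? (Mitigation: patch and keep updated)
if (Get-HotFix -Id $PatchKB -ErrorAction SilentlyContinue) {
    $findings += "OK   patch $PatchKB is installed"
} else {
    $findings += "WARN patch $PatchKB missing - host may be exposed to CVE-2019-0708"
}

# 2. Is Remote Desktop enabled at all? fDenyTSConnections = 1 means RDP is disabled.
$tsKey = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server"
$ts = Get-ItemProperty -Path $tsKey -Name fDenyTSConnections
if ($ts.fDenyTSConnections -eq 1) {
    $findings += "OK   Remote Desktop is disabled"
} else {
    $findings += "INFO Remote Desktop is enabled; check the firewall scope below"
}

# 3. Firewall: an enabled inbound allow rule for TCP/3389 whose remote scope is
#    'Any' is the weak setting; the corrected setting limits it to the admin subnet.
$rdpRules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -eq 3389 }
foreach ($rule in $rdpRules) {
    $remote = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
    if ($remote -contains "Any") {
        $findings += "WARN rule '$($rule.DisplayName)' allows port 3389 from Any"
        if ($Enforce) {
            Set-NetFirewallRule -Name $rule.Name -RemoteAddress $AdminSubnet
            $findings += "FIX  rule '$($rule.DisplayName)' restricted to $AdminSubnet"
        }
    } else {
        $findings += "OK   rule '$($rule.DisplayName)' limited to $($remote -join ',')"
    }
}
if (-not $rdpRules) { $findings += "OK   no enabled inbound allow rule for TCP/3389" }

# 4. Account lockout policy (the article's 'lockout policies' item). 'net accounts'
#    prints the current threshold; "Never" means failed logons are never throttled.
$lockout = (net accounts) | Select-String "Lockout threshold"
$findings += "INFO $($lockout.Line.Trim())"
if ($Enforce -and $lockout.Line -match "Never") {
    net accounts /lockoutthreshold:5 | Out-Null
    $findings += "FIX  lockout threshold set to 5 failed attempts"
}

$findings
```

Run the script without -Enforce first and review the WARN lines; the firewall change only narrows rules that already allow port 3389 from any address, so hosts whose RDP rules are already scoped to a specific subnet are left untouched. The blue-screen behaviour described above is one reason to favour this kind of host-side audit over active scanning of production systems.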