Metasploit Publishes Working BlueKeep Exploit

September 09, 2019

BlueKeepExperts maintaining the Metasploit open-source framework have added an exploit for the much-discussed BlueKeep vulnerability (CVE-2019-0708), a critical weakness that affects Windows Remote Desktop Protocol (RDP) in older versions of Microsoft Windows. Microsoft has emphasized the dangerous “wormability” of BlueKeep, comparing it to the EternalBlue vulnerability responsible for the WannaCry outbreak of 2017. BlueKeep also allows remote code execution, meaning an attacker could run code arbitrarily on an unpatched system and even gain full control.

Exploiting BlueKeep

There have already been other successful proof-of-concept exploits of BlueKeep, usually defanged or private versions. Metasploit is a project owned by Rapid7, which shares information about exploits and aids in penetration testing, and has published their own exploit module for the vulnerability. The module is publicly available and can allow remote code execution, but it is also somewhat limited. It is designed to only target 64-bit versions of Windows 7 and Windows 2008 R2; also it does not support automatic targeting.

A user of Metasploit’s exploit module needs to manually feed it specifications about the system it wants to target. If the target is incorrect, it will result in a blue screen crash. This checks the “wormability” of the exploit, seeing as it can’t be automated as a self-spreading worm; however, it can be used for targeted attacks. Malicious actors could use the information provided by Metasploit to improve their own tools that leverage BlueKeep.

In a statement to Bleeping Computer, Metasploit senior engineering manager Brent Cook responded to queries on whether threat actors could use the information that Rapid7 revealed, “Metasploit is an open-source exploitation toolkit that can be used by anyone. The information in the exploit module provides further understanding of attack techniques and how to mitigate them. This holds true for every module and technique added to Metasploit Framework. This module particularly benefits defenders who rely on open-source tooling for testing and prioritizing security risks.”

The importance of patching

Microsoft released a patch for BlueKeep in May, but there are still a number of vulnerable Windows users. Government cybersecurity organizations across the world — including the U.S. National Security Agency (NSA), Germany's Federal Office for Information Security (BSI) cyber-security agency, and the National Cyber Security Centre in the U.K. — have emphasized the importance of patching BlueKeep, possibly fearing another WannaCry-level outbreak. Leaving systems vulnerable can be costly and dangerous for enterprises.

[READ: Cybercrime and Exploits: Attacks on Unpatched Systems]

Cybercriminals are known to target even patched vulnerabilities, banking on the fact that many enterprises and users don't patch immediately. A report from Rapid7 on the BlueKeep exploit even notes that there was an uptick in remote desktop protocol (RDP) activity after the publication and reporting of BlueKeep.

Here are some best practices that can help enterprises and users reduce their exposure to BlueKeep and other similar threats:

  • Patch and keep the system and its applications updated (or employ virtual patching to legacy or end-of-life systems).
  • Restrict or secure the use of remote desktop services. For example, blocking port 3389 (or disabling it when not in use), can help prevent threats from initiating connections to systems behind the firewall.
  • Enable network level authentication (NLA) to prevent unauthenticated attackers from exploiting BlueKeep. This can be configured in Windows 7 and Windows Server 2008 (including the R2 version).
  • Enforce the principle of least privilege. Employing security mechanisms like encryption, lockout policies, and other permission- or role-based access controls provide additional layers of security against attacks or threats that involve compromising remote desktops.

The Trend Micro™ Deep Security™ and Vulnerability Protection solutions protect systems and users from threats targeting CVE-2019-0708 via this Deep Packet Inspection (DPI) rule:

  • 1009749 - Microsoft Windows Remote Desktop Services Remote Code Execution Vulnerability

Trend Micro™ TippingPoint® customers are protected from threats and attacks that may exploit CVE-2019-0708 via this MainlineDV filter:

  • 35296: RDP: Microsoft Remote Desktop Services Negotiation Request Without CredSSP
HIDE

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.