Coders late last week publicly released a working exploit for the dangerous Bluekeep bug that was found and patched earlier this year in Microsoft’s Remote Desktop Protocol implementation.
Designated as CVE-2019-0708, BlueKeep is a remote Windows kernel use-after-free vulnerability that could be used to create wormable attacks similar to the WannaCry ransomware incident of May 2017.
Published on GitHub by the Metasploit Project – a pen-testing framework developed in a collaboration between security company Rapid7 and open-source researchers – the exploit module currently targets 64-bit versions of Windows 7 and Windows 2008 R2.
Metasploit's goal is to spread knowledge of security vulnerabilities and exploits, which in turns helps organizations defend themselves. On the flip side, actors with malicious intentions also have access to its content, which means this kind of working exploit could give adversaries the resources they need to carry out a successfully BlueKeep-fueled attack.
"As an open-source project, one of Metasploit’s guiding principles is that knowledge is most powerful when shared," wrote Brent Cook, engineering manager for Metasploit, in a Sept. 6 Rapid7 blog post. "Democratic access to attacker capabilities, including exploits, is critical for defenders, particularly those who rely on open-source tooling to understand and effectively mitigate risk."
Cook said that the Metasploit vulnerability builds on previous proof-of-concept code submitted by key contributor "@zerosum0x0," but adds an improved general purpose RDP protocol library and enhanced RDP fingerprinting functionality. The blog post credited 10 specific researchers with developing the module, but notes that others contributed as well. Metasploit is now looking for additional users to "test, verify, and extend reliability across target environments," Cook continued.
In its current form, the exploit can identify the targeted operating system's version and assesses if the target is likely vulnerable. But the attacker must still manually input target details, as this process is not automated. Also, certain scenarios – including an interruption in exploitation or when an incorrect target is specified – will result in an unwanted crash with a bluescreen, the blog post stated.
Rapid7 noted that defenders whose network IDS/IPS systems are configured to flag BlueKeep vulnerability scanners will likely be able to detect this particular exploit. Additionally, host-based IDS/IPS systems should be on the lookout for a particular indicator of compromise that is similar in nature to EternalBlue, the Windows Server Message Block exploit used in the WannaCry attacks. (Cook described the IOC as the "kernel shellcode loading a child process to the Windows process
spoolsv.exe by default.")
Since Microsoft patched CVE-2019-0708 last May 14, both the National Security Agency and Department of Homeland Security have issued advisories urging Windows users to patch their software. Microsoft even posted a second warning following its initial update, emphasizing the importance of fixing the flaw.
“The integration of a publicly available exploit into a well-known framework, like Metasploit, represents a significant increase in risk to organizations who have not patched their vulnerable systems. The barrier to entry to successful exploitation is now very low," said Dr. Richard Gold, head of security engineering at Digital Shadows. "The Digital Shadows Photon Research team has tested the Metasploit exploit in their lab environment and has successfully exploited an unpatched Windows 7 machine. The exploit not only gives the attacker remote access to a target system, but also gives the attacker the highest level of privilege on the target. Applying the vendor patch from Microsoft did mitigate the attack and Digital Shadows recommends patching any remaining vulnerable machines as soon as possible."
"For months, we've followed the speculation that BlueKeep would become wormable as soon as public exploits became available," said Thomas Hatch, CTO at SaltStack. "Metasploit is the exploit module we feared and the BlueKeep vulnerability is very real. BlueKeep can be exploited remotely and requires no user interaction."
Nevertheless, Hatch said that the exploit's public unveiling is "good for infrastructure security" for two reasons: "First, it increases the urgency to patch the vulnerability, since it is no longer theoretical. Second, the announcement gives defenders and intrusion detection and prevention solutions a chance to release better signatures to detect active exploitation of the vulnerability."
Even before the Metasploit announcement, BlueKeep proof-of-concept code and experimental exploits had reportedly been making their way around the internet. Citing research partner BinaryEdge, Rapid7 has reported that just over 1 million unpatched nodes remain exposed to the BlueKeep vulnerability.
While Rapid7 did observe spikes in daily attacks against RDP following the initial May disclosure of BlueKeep, malicious activity since then has been "much lower than we expected to see by this point in the post-vulnerability release cycle," said Cook. Experts will know soon enough whether this trend reverses, now that a complete exploit is available.