The Rapid7 project Metasploit has finally released an exploit for the BlueKeep flaw disclosed in the May Patch Tuesday update.
The BlueKeep flaw has prompted warnings from Microsoft and all Five Eye spy agencies to install Microsoft’s patches.
Microsoft also provided patches for unsupported versions of Windows, fearing the BlueKeep Remote Desktop Protocol (RDP) bug could be as severe as 2017’s WannaCry ransomware outbreak that impacted 300,000 PCs worldwide using the NSA-built EternalBlue exploit. Both flaws could be used by attackers to create a worm that infects one vulnerable machine after another.
The Australian Signals Directorate (ASD) warned Windows admins in August to “immediately” patch the BlueKeep bug in anticipation of today’s Metasploit release. According to ASD, more than 50,000 devices in Australia were potentially vulnerable in mid-August.
The RDP bug affects Windows Vista, Windows 7, Windows XP, Server 2003 and Server 2008 operating systems, but not Windows 10.
After BlueKeep was disclosed Rapid7 detected an spike in malicious RDP scans as attackers probed potentially vulnerable systems.
That Metasploit is an open source project means the BlueKeep exploit module is now accessible by security defenders and attackers. However, Rapid7 contends its release is a “critical” resource for defenders.
“Democratic access to attacker capabilities, including exploits, is critical for defenders—particularly those who rely on open-source tooling to understand and effectively mitigate risk,” wrote Brent Cook, a senior manager at Rapid7.
“One of the drivers in our releasing the exploit code today as a PR on Metasploit Framework is to enlist the help of the global developer and user community to test, verify, and extend reliability across target environments,” he added.
Several security firms reported having working BlueKeep exploits after Microsoft's May patch, however surprisingly hasn't resulted in mass cyber attacks like WannaCry and NotPetya, which collectively cost firms billions of dollars in damage and downtime.
Although the BlueKeep exploit could assist attackers, Cook notes that the exploit doesn’t yet allow for automatic targeting of different systems, so there are still some obstacles to using it for widespread attacks. But that limitation is likely to be overcome in future as improved BlueKeep modules emerge.
In its current state, users of the exploit module need to correctly define the target in order to compromise the system or else the target Windows system will simply crash with a blue screen of death (BSOD).
“Users should also note that some elements of the exploit require knowledge of how Windows kernel memory is laid out, which varies depending on both OS version and the underlying host platform (virtual or physical); the user currently needs to specify this correctly to run the exploit successfully,” explained Cook.
“Server versions of Windows also require a non-default configuration for successful exploitation—namely, changing a registry setting to enable audio sharing. This limitation may be removed in the future.”
BlueKeep isn’t the only threat stemming from RDP vulnerabilities. After conducting an audit in the wake of BlueKeep’s disclosure, Microsoft researchers discovered four more BlueKeep-like flaws -- aka DeJaBlue -- that affected all versions of Windows 10 as well as Windows 7 SP1, Windows Server 2008 R2 SP1, Windows Server 2012, Windows 8.1, Windows Server 2012 R2. And that means it's likely to be a source of new threats in future.
“The protocol’s inherent complexity suggests that the known bugs today will not be the last, particularly since exploit developers and researchers now have a more nuanced understanding of RDP and its weaknesses. Continued exploitation is likely, as is increased exploit sophistication,” noted Cook.
Echoing Microsoft’s advice, Rapid7 encourages all Windows admins that ave RDP in their environment to enable Network Level Authentication and tighten up network access controls to mitigate future RDP vulnerabilities like BlueKeep.