BlueKeep Exploit Publicly Released by Rapid7


September 9, 2019

At the end of July I wrote an article about Immunity’s working BlueKeep (CVE-2019-0708) exploit, a vulnerability that can wreak havoc on a Windows machine if left unpatched.

An attacker who successfully exploits this vulnerability could execute arbitrary code on the target system: installing programs; viewing, changing or deleting data; and creating new user accounts with full administrative rights.

BlueKeep is considered “wormable” because malware exploiting this vulnerability could propagate across a network.

We said in that article it was only a matter of time before another exploit was released into the wild. That time, my friends, is now, as Rapid7 has publicly released a working BlueKeep exploit via their Metasploit tool.

While a gnarly piece of code, the module doesn’t exactly have teeth. It only works in a “manual” mode and needs user interaction to execute. It also only works against 64-bit versions of Windows 7 and Windows 2008 R2.

BlueKeep is confirmed to affect the following OS versions:

  • Windows 2000
  • Windows Vista
  • Windows XP
  • Windows 7
  • Windows Server 2003
  • Windows Server 2003 R2
  • Windows Server 2008
  • Windows Server 2008 R2

While many security experts don’t find BlueKeep to be much of a threat, we don’t recommend you sleep on it. Microsoft released a patch in May and you should update your systems accordingly.

There are also steps you can take beyond patching. CISA recommends you:

  • Upgrade end-of life OSs – Consider upgrading any EOL OSs no longer supported by Microsoft to a newer, supported OS, such as Windows 10.
  • Disable unnecessary services – Disable services not being used by the OS. This best practice limits exposure to vulnerabilities.
  • Enable Network Level Authentication – Enable Network Level Authentication in Windows 7, Windows Server 2008, and Windows Server 2008 R2. Doing so forces a session request to be authenticated and effectively mitigates against BlueKeep, as exploit of the vulnerability requires an unauthenticated session.
  • Block Transmission Control Protocol (TCP) port 3389 at the enterprise perimeter firewall – Because port 3389 is used to initiate an RDP session, blocking it prevents an attacker from exploiting BlueKeep from outside the user’s network. However, this will block legitimate RDP sessions and may not prevent unauthenticated sessions from being initiated inside a network.
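The following PowerShell script is an added example, not code from this article, from CISA or from Rapid7. It audits a single Windows host for the conditions the mitigations above address (affected OS family, Remote Desktop enabled, Network Level Authentication not required, something listening on TCP 3389) and then offers the two host-side mitigations as functions: requiring NLA and blocking inbound 3389 at the Windows Firewall. The registry paths and value names are the standard Terminal Server settings; the function names and the `ExposedIfUnpatched` field are my own. It does not check whether the May patch is installed, so treat its result as "exposed if unpatched", and run it from an elevated prompt.

```powershell
# Added example (not from the article, CISA or Rapid7): read-only audit of a host's
# BlueKeep (CVE-2019-0708) exposure, plus the two host-side mitigations CISA lists.
# Assumes PowerShell 2.0 or later on Windows 7 / Server 2008 R2 or newer, run elevated.
# Registry locations below are the standard Terminal Server settings; function names
# and the ExposedIfUnpatched field are hypothetical names chosen for this example.

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

function Get-BlueKeepExposure {
    $os = [System.Environment]::OSVersion.Version
    # Affected family per the advisory: NT 5.x (2000 / XP / Server 2003) and
    # NT 6.0 / 6.1 (Vista / Server 2008 / Windows 7 / Server 2008 R2).
    $affectedFamily = ($os.Major -lt 6) -or ($os.Major -eq 6 -and $os.Minor -le 1)

    # fDenyTSConnections = 0 means Remote Desktop is enabled on this host.
    $rdpEnabled = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections -eq 0

    # UserAuthentication = 1 means Network Level Authentication is required,
    # i.e. a session must authenticate before reaching the pre-auth RDP code.
    $nlaRequired = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication).UserAuthentication -eq 1

    # Is anything actually listening on TCP 3389 right now?
    $listening = netstat -ano -p tcp | Select-String ':3389\s+.*LISTENING'

    New-Object PSObject -Property @{
        OSVersion          = $os.ToString()
        AffectedFamily     = $affectedFamily
        RDPEnabled         = $rdpEnabled
        NLARequired        = $nlaRequired
        Listening3389      = [bool]$listening
        # Exposed only if all three hold: affected OS family, RDP on, NLA off.
        # Patch status still has to be verified against the Microsoft advisory.
        ExposedIfUnpatched = $affectedFamily -and $rdpEnabled -and (-not $nlaRequired)
    }
}

function Enable-RdpNla {
    # CISA mitigation: require NLA so an unauthenticated session is never established.
    Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1 -Type DWord
}

function Block-RdpInbound {
    # CISA mitigation applied at the host firewall as a stop-gap until the perimeter
    # rule exists. As the article notes, this also blocks legitimate RDP to this host.
    netsh advfirewall firewall add rule name="Block inbound RDP (TCP 3389)" dir=in action=block protocol=TCP localport=3389 | Out-Null
}

# Usage: audit first, then apply mitigations only where the audit says they are needed.
$state = Get-BlueKeepExposure
$state | Format-List
if ($state.ExposedIfUnpatched) {
    Enable-RdpNla
    # Uncomment to also block RDP at the host firewall:
    # Block-RdpInbound
}
```

Run the audit across a fleet (for example through a remote management tool) and pivot on `ExposedIfUnpatched` to prioritise patching; enabling NLA buys time but is a mitigation, not a replacement for the May update.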


Carl Keyser is the Content Manager at Integris.
