BlueKeep Exploit Publicly Released by Rapid7

September 9, 2019

At the end of July I wrote an article about Immunity’s working exploit for BlueKeep (CVE-2019-0708), a vulnerability that can wreak havoc on a Windows machine if it is left unpatched.

An attacker who successfully exploits this vulnerability could execute arbitrary code on the target system: install programs; view, change, or delete data; or create new user accounts with full administrative rights.

BlueKeep is considered “wormable” because malware exploiting this vulnerability could propagate across a network.

We said in that article that it was only a matter of time before another exploit was released into the wild. That time, my friends, is now: Rapid7 has publicly released a working BlueKeep exploit module for its Metasploit framework.

While a gnarly piece of code, the module doesn’t exactly have teeth. It only works in a “manual” mode and needs user interaction to execute. It also only works against 64-bit versions of Windows 7 and Windows 2008 R2.

BlueKeep is confirmed to affect the following OS versions:

  • Windows 2000
  • Windows Vista
  • Windows XP
  • Windows 7
  • Windows Server 2003
  • Windows Server 2003 R2
  • Windows Server 2008
  • Windows Server 2008 R2

While many security experts don’t find BlueKeep to be much of a threat, we don’t recommend you sleep on it. Microsoft released a patch in May, and you should update your systems accordingly.

There are also steps you can take beyond patching. CISA recommends that you:

  • Upgrade end-of-life OSs – Consider upgrading any EOL OSs no longer supported by Microsoft to a newer, supported OS, such as Windows 10.
  • Disable unnecessary services – Disable services not being used by the OS. This best practice limits exposure to vulnerabilities.
  • Enable Network Level Authentication – Enable Network Level Authentication (NLA) in Windows 7, Windows Server 2008, and Windows Server 2008 R2. Doing so forces a session request to be authenticated and effectively mitigates BlueKeep, because exploiting the vulnerability requires an unauthenticated session.
  • Block Transmission Control Protocol (TCP) port 3389 at the enterprise perimeter firewall – Because port 3389 is used to initiate an RDP session, blocking it prevents an attacker from exploiting BlueKeep from outside the user’s network.

    However, this will also block legitimate RDP sessions, and it may not prevent unauthenticated sessions from being initiated from inside the network.
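The NLA step above is the one an administrator can audit and apply host by host. The following script is an added example, not code from the original post, CISA or Rapid7: it reads the standard Terminal Services registry values on a Windows 7 / Server 2008 R2 host, reports whether RDP is reachable without NLA, and with -Remediate turns NLA on. The function and parameter names are this example’s own choices.

```powershell
# Added example (not part of the original post): audit and, with -Remediate, apply
# the CISA "Enable Network Level Authentication" mitigation on a Windows 7 /
# Server 2008 R2 host. Registry paths and value names are the standard Terminal
# Services settings; the function and parameter names are this example's own.
param([switch]$Remediate)

$TsRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpTcp = Join-Path $TsRoot 'WinStations\RDP-Tcp'

function Get-RdpExposure {
    # fDenyTSConnections = 1 means Remote Desktop is switched off entirely.
    $deny = (Get-ItemProperty -Path $TsRoot -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    # UserAuthentication = 1 means NLA must succeed before a session is created,
    # which removes the unauthenticated pre-session path that BlueKeep relies on.
    $nla = (Get-ItemProperty -Path $RdpTcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    # New-Object keeps the script runnable on the PowerShell 2.0 that ships with Windows 7.
    New-Object PSObject -Property @{
        ComputerName   = $env:COMPUTERNAME
        RdpEnabled     = ($deny -eq 0)
        NlaRequired    = ($nla -eq 1)
        # Exposed to the unauthenticated RDP path only when RDP is on and NLA is off.
        NeedsAttention = (($deny -eq 0) -and ($nla -ne 1))
    }
}

function Enable-RdpNla {
    # Needs an elevated prompt. Writing 1 here is the same as ticking
    # "Allow connections only from computers running Remote Desktop with NLA".
    Set-ItemProperty -Path $RdpTcp -Name UserAuthentication -Value 1 -Type DWord
}

$state = Get-RdpExposure
$state | Format-List ComputerName, RdpEnabled, NlaRequired, NeedsAttention

if ($state.NeedsAttention) {
    if ($Remediate) {
        Enable-RdpNla
        Write-Host "NLA enabled on $($state.ComputerName); re-run without -Remediate to verify."
    } else {
        Write-Warning "RDP is reachable without NLA. Re-run with -Remediate (elevated) to require NLA, and block TCP/3389 at the perimeter as CISA advises."
    }
}
```

Requiring NLA means clients must support CredSSP, so test the change against the oldest RDP clients still in use before rolling it out broadly; patching remains the fix, and NLA is a mitigation layered on top of it.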


Carl Keyser is the Content Manager at Integris.
