At the end of July I wrote an article about Immunity's working BlueKeep (CVE-2019-0708) exploit, a vulnerability that can wreck havoc on a Windows machine if left un-patched.
An attacker who successfully exploits this vulnerability could execute arbitrary code on the target system, installing programs, viewing, changing or deleting data and have the ability to create new user accounts with full administrative rights.
BlueKeep is considered "wormable" because malware exploiting this vulnerability could propagate across a network.
We said in that article it was an only a matter of time before another exploit was released into the wild. That time, my friends, is now as Rapid7 has publicly released a working BlueKeep exploit via their Metasploit tool.
While a gnarly piece of code, the module doesn't exactly have teeth. It only works in a "manual" mode and needs user interaction to execute. It also only works against 64-bit versions of Windows 7 and Windows 2008 R2.
BlueKeep is confirmed to work against the following OS versions:
- Windows 2000
- Windows Vista
- Windows XP
- Windows 7
- Windows Server 2003
- Windows Server 2003 R2
- Windows Server 2008
- Windows Server 2008 R2
While many security experts don't find BlueKeep to be much of a threat we don't recommend you sleep on it. Microsoft released a patch in May and you should update your systems accordingly.
There are also steps you can take beyond patching. The CISA recommends you:
- Upgrade end-of life OSs - Consider upgrading any EOL OSs no longer supported by Microsoft to a newer, supported OS, such as Windows 10.
- Disable unnecessary services - Disable services not being used by the OS. This best practice limits exposure to vulnerabilities.
- Enable Network Level Authentication - Enable Network Level Authentication in Windows 7, Windows Server 2008, and Windows Server 2008 R2. Doing so forces a session request to be authenticated and effectively mitigates against BlueKeep, as exploit of the vulnerability requires an unauthenticated session.
- Block Transmission Control Protocol (TCP) port 3389 at the enterprise perimeter firewall -Because port 3389 is used to initiate an RDP session, blocking it prevents an attacker from exploiting BlueKeep from outside the user’s network.
However, this will block legitimate RDP sessions and may not prevent unauthenticated sessions from being initiated inside a network.
Like our blog? Subscribe using the CTA in the upper right hand corner of this page. Feel like sharing your thoughts with us? Use the comment section below.