Metasploit releases BlueKeep exploit code (CVE-2019-0708)

 In Security Alerts

SYSTEMS AFFECTED

  • Windows 2003
  • Windows XP
  • Windows 7
  • Windows 2008

THREAT LEVEL

  • High

OVERVIEW

BlueKeep is a vulnerability (CVE-2019-0708) that was patched back in July 2019. The security flaw, found in the Windows Remote Desktop Protocol (RDP) service, enables unauthenticated attackers to run code remotely, to launch denial of service attacks and, in some cases, to take full control of unpatched systems. Metasploit, a widely known penetration testing toolkit, has now released exploit code for the vulnerability to the public. If you haven’t patched for it, now is certainly the time.

DESCRIPTION

What is BlueKeep?
BlueKeep is a vulnerability that was first discovered by the UK National Cyber Security Centre on 14 May 2019. The vulnerable code exists in Microsoft operating systems ranging from Windows 2000 to Windows 7. It targets the RDP service and allows an attacker to run code directly on the system. The vulnerability was patched by Microsoft on 14 May 2019. Previously, no exploit had been reported in the public domain, although exploit code was reported to be commercially available.

What is Metasploit?
Metasploit is a penetration testing toolkit that was first released back in 2003. The framework is used to actively test target systems for vulnerabilities and exists in an open source version and a commercial version. The open source version is installed by default in the Kali penetration testing distribution. It is widely popular because it is easy for anyone to use.

The basic steps for exploiting a system using the Framework include:

  1. Choosing and configuring an exploit (code that enters a target system by taking advantage of one of its bugs; about 900 different exploits for Windows, Unix/Linux and Mac OS X systems are included);
  2. Optionally checking whether the intended target system is susceptible to the chosen exploit;
  3. Choosing and configuring a payload (code that will be executed on the target system upon successful entry; for instance, a remote shell or a VNC server);
  4. Choosing an encoding technique so that the hexadecimal opcodes known as “bad characters” are removed from the payload, since these characters would cause the exploit to fail;
  5. Executing the exploit.

All the steps can be done via CLI or a GUI.

Why is this so dangerous now?
Before 31 July, security researchers had not seen this exploit being used in the wild. There had, however, been some rumours of commercially available exploit code for sale. On 6 September, Metasploit released a free public version of the exploit. This means that anyone can now use the exploit to gain access to vulnerable systems. It is still being reported that 1/5 of all servers that are online remain vulnerable to the exploit. We urge all our customers and partners to keep their servers updated, especially public facing servers.


SOLUTION

  • Apply the latest Microsoft patches for CVE-2019-0708 (see Reference 2), prioritising public facing servers.
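To turn the advisory into a patching queue, the following Python script triages a host inventory against the affected systems listed above: hosts on an affected Windows family with RDP enabled and no patch applied are flagged, and public facing ones are ranked first. This is an added example, not part of the original alert; the inventory format, the `Host` fields and the hostnames are constructed for illustration.

```python
"""Triage an RDP host inventory against the BlueKeep (CVE-2019-0708) advisory.

Added example, not part of the original alert. The inventory format and the
hostnames below are constructed for illustration.
"""
from dataclasses import dataclass

# Product families the advisory lists as affected. Matching is done on the
# family prefix, so "Windows 7 SP1" and "Windows 2008 R2" both match.
AFFECTED_FAMILIES = ("Windows 2003", "Windows XP", "Windows 7", "Windows 2008")


@dataclass(frozen=True)
class Host:
    name: str
    os: str
    rdp_enabled: bool
    public_facing: bool
    patched_cve_2019_0708: bool  # assumed inventory field: patch for the CVE applied


def is_affected_os(os_name: str) -> bool:
    """True if the OS belongs to one of the affected families."""
    return any(os_name.startswith(family) for family in AFFECTED_FAMILIES)


def risk_score(host: Host) -> int:
    """0 = not at risk; higher = patch first.

    Only hosts on an affected OS, with RDP enabled and no patch applied,
    score above 0. Internet-exposed hosts get an extra point because the
    exploit is unauthenticated and now public.
    """
    exposed = is_affected_os(host.os) and host.rdp_enabled and not host.patched_cve_2019_0708
    if not exposed:
        return 0
    return 2 if host.public_facing else 1


def triage(hosts):
    """Return at-risk hosts, highest risk first, then by name for a stable order."""
    at_risk = [h for h in hosts if risk_score(h) > 0]
    return sorted(at_risk, key=lambda h: (-risk_score(h), h.name))


# Constructed sample inventory (not real systems).
SAMPLE_INVENTORY = [
    Host("rdp-gw-01", "Windows 2008 R2", rdp_enabled=True, public_facing=True, patched_cve_2019_0708=False),
    Host("fileserver-02", "Windows 2003", rdp_enabled=True, public_facing=False, patched_cve_2019_0708=False),
    Host("kiosk-xp", "Windows XP", rdp_enabled=False, public_facing=False, patched_cve_2019_0708=False),
    Host("ws-07", "Windows 7 SP1", rdp_enabled=True, public_facing=False, patched_cve_2019_0708=True),
    Host("app-10", "Windows 10", rdp_enabled=True, public_facing=True, patched_cve_2019_0708=False),
]

if __name__ == "__main__":
    for h in triage(SAMPLE_INVENTORY):
        label = "PUBLIC" if h.public_facing else "internal"
        print(f"{h.name:15} {h.os:18} {label:9} score={risk_score(h)}")
```

Running the script lists `rdp-gw-01` first (affected OS, RDP on, unpatched, public facing) and `fileserver-02` second; the XP kiosk with RDP disabled, the patched Windows 7 workstation and the Windows 10 host are not listed because they do not meet all three conditions. Replace `SAMPLE_INVENTORY` with an export from your own asset database to get a real patch order.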


REFERENCE

  1. https://searchsecurity.techtarget.com/definition/BlueKeep-CVE-2019-0708
  2. https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708

DISCLAIMER

The information provided herein is on “as is” basis, without warranty of any kind.
