An exploit for the dangerous BlueKeep Windows flaw is now available in the wild. Rapid7 project Metasploit has released the exploit, making it available to anyone, attacker or security researcher alike.
Metasploit says the release is necessary as it serves as a “critical” resource for security researcher looking to defend against BlueKeep.
“Democratic access to attacker capabilities, including exploits, is critical for defenders—particularly those who rely on open-source tooling to understand and effectively mitigate risk,” wrote Brent Cook, a senior manager at Rapid7.
“One of the drivers in our releasing the exploit code today as a PR on Metasploit Framework is to enlist the help of the global developer and user community to test, verify, and extend reliability across target environments.”
BlueKeep is described as a “wormable” bug. It is particularly dangerous because it can be executed by bad actors remotely. The vulnerability occurs in Remote Desktop Services on older Windows legacy builds such as Windows 7, Windows XP, AND Server 2003 and 2008.
“This [bug] would have the potential of a global WannaCry-level event,” said Chris Goettl, director of product management for security at Ivanti, during Patch Tuesday last month. “What’s more, Microsoft has released updates for Windows XP and Server 2003 (which you wouldn’t have found unless you were looking at the Windows Update Catalog). So, this affects Windows 7, Server 2008 R2, XP and Server 2003.”
Since being discovered, security researchers and Microsoft said an exploit of BlueKeep will result in a new wave of WannaCry-like attacks. It is worth noting the flaw has been patched by Microsoft across all Windows versions. However, the company has said many users have ignored the relevant update.
In May, Microsoft said over one million Windows machines were affected by the vulnerability (CVE-2019-0708).
Considering numerous security companies have confirmed they have a working exploit of BlueKeep, it is perhaps surprising a major wave attack based on the flaw has not happened yet. Cook insists there are still some limitations for would be attackers. For example, the vulnerability does not yet allow automatic targeting across systems.
“Users should also note that some elements of the exploit require knowledge of how Windows kernel memory is laid out, which varies depending on both OS version and the underlying host platform (virtual or physical); the user currently needs to specify this correctly to run the exploit successfully,” explained Cook.