What is BlueKeep?
Since its disclosure on May 14th it's been hard to escape news coverage of the omnipresent omnishambles that is BlueKeep. Of course, this is understandable, because a critical vulnerability in Windows' Remote Desktop Protocol that affects Windows 2000 through 7/2008 R2 is no laughing matter. Particularly when you consider that, if successfully exploited, it results in remote code execution at Windows' highest possible level of privilege:
NT AUTHORITY\SYSTEM, which surpasses even 'Administrator'.
What's the latest on the BlueKeep threat?
However, beyond the obvious dangers there's another reason BlueKeep's been on everyone's mind. That's the worrying degree of public exposure Remote Desktop Services are subject to, with over 1,000,000 internet-facing devices enumerated last month. Granted, that number has since fallen by 200,000; however, the number of affected hosts still present on the internet remains dangerously high.
And when you combine that figure of 800,000 with the inherently 'wormable' nature of BlueKeep, it's easy to see why the NSA, NCSC and Microsoft have all sounded the alarm, issuing stark emergency advisory warnings and instructing people to immediately apply the BlueKeep patches to all hosts they're responsible for.
They even went so far as to raise the spectre of a potential repeat of WannaCry/NotPetya, the devastating ransomware campaigns which shook the world in 2017, taking down thousands of networks, including the NHS's.
BlueKeep exploits exist and are evolving fast
Of course everyone knew that someone, somewhere had already developed an exploit, but these were thought to be in the hands of organizations with little motivation for indiscriminate ransomware attacks via a worm. So, with no exploit code circulating publicly, some chose to ignore the rising alarm bells.
Inevitably, they could be ignored no longer when, last Tuesday, a write-up of the steps needed to create a working exploit was published on GitHub. Since its publication, a public proof-of-concept exploit has been created; however, it currently only works on Windows XP. On Wednesday the security company Immunity (who maintain the CANVAS exploit framework) released a fully functional BlueKeep exploit; thankfully, it sits behind a significant paywall. By Friday a working PoC exploit had been submitted to the Metasploit Framework, pending Rapid7's review.