BlueKeep - CVE-2019-0708
An exploit leverages a weakness in a system to breach its security, and can lead to the compromise of the confidentiality, integrity and availability of that system.
A system can be exploitable because of vulnerable software or underlying OS functionality, which does not necessarily mean that exploit code needs to be developed to exploit it. For example, manipulating SETUID file permissions on a Linux system allows an attacker to fool a user into running a binary of the attacker's choice by placing a file with such permissions in the user's PATH. Another example: a user who temporarily gains root access and applies the setuid bit to an OS executable such as "nano" can then execute that binary with root permissions even when not logged in as root. This can happen when an admin grants temporary root or sudo access to another user; a user with malicious intent can easily make this change. This is a serious exploit and will often require the system to be reinstalled.
The following is an example of setuid manipulation:
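As an added example (not part of the original article), the following POSIX shell script shows the defender's side of the setuid problem described above: it walks a directory tree for setuid binaries and reports any that are not on an allowlist of expected ones, so a user editor such as nano carrying the setuid bit stands out immediately. The default allowlist, the directory layout and the files created by the demo are constructed assumptions, not values from the article.

```shell
#!/bin/sh
# Added example (not from the original article): audit a directory tree for
# setuid binaries and flag any that are not on an allowlist of expected ones.
# The default allowlist below is an assumption; replace it with the baseline
# of the host being audited.

ALLOWLIST="${ALLOWLIST:-/usr/bin/sudo /usr/bin/passwd /usr/bin/su /usr/bin/newgrp}"

# list_setuid DIR: print every regular file under DIR with the setuid bit set.
# -xdev keeps find on one filesystem so network or pseudo mounts are skipped;
# permission errors on unreadable directories are silenced.
list_setuid() {
    find "$1" -xdev -type f -perm -4000 -print 2>/dev/null
}

# unexpected_setuid DIR [ALLOW]: print setuid files under DIR that are not in
# the space-separated allowlist ALLOW (defaults to $ALLOWLIST). A user editor
# such as nano showing up here is exactly the misconfiguration described above.
unexpected_setuid() {
    allow="${2-$ALLOWLIST}"
    list_setuid "$1" | while IFS= read -r f; do
        case " $allow " in
            *" $f "*) ;;                 # expected setuid binary, skip it
            *) printf '%s\n' "$f" ;;     # not on the allowlist, report it
        esac
    done
}

# count_unexpected DIR [ALLOW]: number of unexpected setuid files, handy as a
# threshold for a cron job or a monitoring check.
count_unexpected() {
    unexpected_setuid "$1" "${2-$ALLOWLIST}" | wc -l | tr -d ' '
}

# demo: build a constructed tree with one expected setuid file (passwd), one
# unexpected one (nano) and one ordinary binary, then audit it. Setting the
# setuid bit on a file you own needs no privileges, so this runs as a normal user.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/bin"
    : > "$d/bin/passwd"; chmod 4755 "$d/bin/passwd"   # expected
    : > "$d/bin/nano";   chmod 4755 "$d/bin/nano"     # the misconfiguration
    : > "$d/bin/ls";     chmod 0755 "$d/bin/ls"       # no setuid bit
    echo "unexpected setuid files under $d:"
    unexpected_setuid "$d" "$d/bin/passwd"           # prints only $d/bin/nano
    rm -rf "$d"
}

case "${1-}" in
    --demo) demo ;;
    "")     echo "usage: $0 DIR | --demo" >&2 ;;
    *)      unexpected_setuid "$1"
            [ "$(count_unexpected "$1")" = "0" ] ;;   # non-zero exit if anything was found
esac
```

Run it as `sh audit_setuid.sh /` from cron and alert on a non-zero exit status; the allowlist should be generated from a known-good image of the same OS release rather than typed by hand, because the set of legitimate setuid binaries differs between distributions and versions.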
Another example of an exploit that is not only dangerous but also raises basic questions of cybersecurity ethics is a recently discovered vulnerability in Microsoft Windows, published as CVE-2019-0708 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0708) in May 2019. Proof-of-concept code for an exploit has apparently been published by several researchers on GitHub. Here are some of the links:
https://github.com/zerosum0x0/CVE-2019-0708 (included in Metasploit)
https://github.com/Leoid/CVE-2019-0708/blob/master/0708.py
https://github.com/umarfarook882/CVE-2019-0708/blob/master/cve_2019_0708_bluekeep.py
https://github.com/CVE-2019-0708/CVE-2019-0708/blob/master/PoC.py
https://github.com/robertdavidgraham/rdpscan
There are two aspects of the exploit that need a closer look. First, the wide availability of a PoC exploit does not necessarily mean that you can exploit the vulnerability. I ran the Metasploit code against a Windows 2008 R2 system in my lab and Metasploit reported the system as vulnerable. However, there is not much I could do besides knowing the system is vulnerable unless I develop the payload that will exploit the vulnerability. See the screenshot from my lab below:
However, there are some discussions on the darknet that the exploit code with the payload has been sold for approximately $500,000 (https://habr.com/en/company/jetinfosystems/blog/451852/). The CVE was published on May 21st, 2019, and it seems the exploit code had been on sale since September of the previous year. This also constitutes a zero-day exploit. It is imperative to understand that if the exploit code has been available since last year, there is no way a vulnerability scan or a security tester would have discovered this vulnerability during testing unless specifically assigned by an organization to research the RDP protocol on Microsoft Windows operating systems. Even then, there is no guarantee the tester could get close to finding the weakness.
The second issue revolves around basic cybersecurity ethics. When security researchers publish PoCs for exploits, the code is usually made available to the entire world via some sort of code repository. I noticed one of the PoCs published on GitHub leverages Shodan, a search engine for internet-connected devices. Although the tool is meant to provide information about connected devices, identifying vulnerable hosts on the internet, tracking ransomware, etc., it can be used in a detrimental way. See the code snippet from one of the PoCs published on GitHub:
Leveraging Shodan, the exploit could spread fast if a wormable payload is developed, as was the case with WannaCry. WatchBog, a cryptocurrency botnet that deploys crypto miners on infected systems, is weaponized with exploits for Jenkins (CVE-2018-1000861), Nexus Repository Manager 3 (CVE-2019-72), Apache Solr (CVE-2019-0192), Exim (CVE-2019-10149) and Atlassian Jira Server and Data Center (CVE-2019-11581), and recently a scanner module has been added for the BlueKeep vulnerability. It is only a matter of time before an exploit with a payload is developed.
BlueKeep is a pre-authentication vulnerability and does not require user interaction, which makes it wormable like WannaCry. WannaCry affected over 300,000 systems and the damages are estimated to range in the billions of dollars (https://en.wikipedia.org/wiki/WannaCry_ransomware_attack). Once a payload is made available for BlueKeep, the vulnerability could cause far greater damage than WannaCry. As per one researcher, there were close to 950,000 systems vulnerable to this vulnerability in May 2019 (https://blog.erratasec.com/2019/05/almost-one-million-vulnerable-to.html#.XTypmZNKhTY).
Microsoft has published a patch for this vulnerability; it can be found here - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708
Cybersecurity Analyst @ Deloitte | Splunk, Cloud Security
4 years ago: I have been given a project from school to create YARA rules; could you please give me some recommendations on what tools to use to create the YARA rules? Unfortunately, our professors don't provide a clear explanation of how to do it; instead they just demand that it be done.
Helping Startups Thrive
5 years ago: Yup
Advanced Cyberthreat IT & OT Prevention Solutions from Airgap to Cloud | IT & OT Security & Access | MultiScanning | Deep CDR | SCRM, SBOM | Cloud, Endpoint & Storage Security | USG, BSG
5 years ago: Right on. Exploitation isn't a thing that's shrinking @