
NSA issues BlueKeep warning as new PoC exploit demos

The NSA issued a rare warning for users to patch against the BlueKeep vulnerability on the same day a security researcher demoed an exploit leading to a full system takeover.

The National Security Agency issued an alert warning the public about the potential threat of the BlueKeep vulnerability on the same day as a full system exploit was demoed.

The NSA warning comes just over three weeks after Microsoft patched both supported and unsupported Windows systems against BlueKeep, which affects the Remote Desktop Protocol. Microsoft had issued two of its own alerts urging customers to patch, but the NSA noted "potentially millions of systems are still vulnerable." The alert itself drew attention because it is more common for the Department of Homeland Security to issue cybersecurity warnings than the NSA.

The NSA referenced "growing threats" and noted that BlueKeep "is the type of vulnerability that malicious cyber actors frequently exploit through the use of software code that specifically targets the vulnerability."

"For example, the vulnerability could be exploited to conduct denial-of-service attacks. It is likely only a matter of time before remote exploitation code is widely available for this vulnerability," NSA wrote in the advisory. "NSA is concerned that malicious cyber actors will use the vulnerability in ransomware and exploit kits containing other known exploits, increasing capabilities against other unpatched systems. NSA urges everyone to invest the time and resources to know your network and run supported operating systems with the latest patches."

Although there were no specifics given, NSA added that it has "seen devastating computer worms inflict damage on unpatched systems with wide-ranging impact, and are seeking to motivate increased protections against this flaw." A wormable exploit similar to BlueKeep, called EternalBlue, was stolen from the NSA and enabled ransomware attacks like WannaCry and NotPetya to spread to new systems.

The advisory offered the same mitigation methods suggested to combat other potential BlueKeep exploits, including blocking port 3389, disabling remote desktop services if possible and enabling Network Level Authentication (NLA).

However, the author of a new BlueKeep exploit demoed the same day as the NSA alert -- Twitter user "zerosum0x0" -- noted that NLA is only a partial mitigation. Kevin Beaumont, a security researcher based in the U.K. who named BlueKeep, confirmed that if an attacker has account credentials, they can bypass NLA.

BlueKeep exploits have been demoed by various researchers both on Twitter and from research firms such as McAfee, Zerodium and Kaspersky, but so far the demos have been for denial-of-service attacks and limited remote code execution. Zerosum0x0 wrote on Twitter that the exploit chain he's been working on is specific to Windows XP "but confirm the RCE threat is real."

While zerosum0x0 showed a video of his BlueKeep exploit gaining full system access, he said it was "still too dangerous to release." Multiple infosec professionals, including Beaumont, praised zerosum0x0 for the work and for delaying the release of any actual code.

Jake Williams, founder and CEO of Rendition Infosec in Augusta, Ga., told SearchSecurity he was surprised there hasn't been a public exploit yet and predicted "a worm is coming in weeks at the most, not months."

"This exploit is an odd one in that it can be easily reverse engineered from the patch to create a trigger that exercises the vulnerability (but does not yet gain code execution). Most vulnerabilities require more work than this to generate a trigger file," Williams wrote via Twitter direct message. "The [proof of concept] for BlueKeep appears to be very real. The source of the demo is reliable and has the knowledge to create one. I know of at least one nonpublic PoC as well, so a publicly available weaponized exploit is definitely around the corner."

Marcus "MalwareTech" Hutchins told SearchSecurity there was nothing inherently special about the latest exploit, because there have been RCE demos "for weeks now," and "RCE is at kernel level [where] by default you have the highest privileges possible."

Williams agreed, but added that "the video plus the discussion of it being put in metasploit" could make businesses consider "pulling the trigger on a Windows outage to patch."

"The reality is that some people aren't going to patch until there's an active exploit in the wild," Williams said. "There's another subset that will continue to do business as usual (60- to 90-day patch window) unless they assess that an exploit is imminent. For those folks who want to stand on the train tracks and play chicken with the train, I think this video PoC might be the thing that tips the balance."
