- BlueKeep is a wormable security flaw in Microsoft Remote Desktop Services that allows attackers to remotely take control of vulnerable systems.
- Metasploit developers released the first functional prototype of exploit code with payload execution capabilities.
- Bitdefender tested the newly released exploit code and Hypervisor Introspection prevents this attack (demo included).
Last Friday, security researchers working on the Metasploit project released the first functional exploit code to successfully achieve code execution against systems vulnerable to BlueKeep. This high-impact vulnerability affecting Microsoft Remote Desktop Services was first reported as CVE-2019-0708 in May 2019. On May 14th, Microsoft started releasing patches for affected Windows OSes (including the end-of-life XP and 2003).
The exploit is not yet 100% reliable at remote code execution. Target systems may encounter a BSOD during the payload execution. However, it is reliable enough to confirm that Bitdefender Hypervisor Introspection (HVI) kernel protections introduced in 2017 effectively defeated BlueKeep. At that time, the vulnerability and exploit were not publicly known and would have been prevented as a 0-day.
Why is BlueKeep so dangerous?
BlueKeep is one of those high severity security flaws that are considered wormable. These vulnerabilities are usually bugs in widely used operating system services that are commonly exposed to the outside world by system administrators and allowed by security teams. Threat actors like to leverage vulnerabilities found in widely exposed services to maximize and automate the lateral movement step of the attack they are building. To make matters worse, successful attacks are granted full control of the system since the exploited RDP component is a Windows kernel driver.
There have been several high-profile worm-based attacks in recent years. WannaCry is a fairly recent high-profile worm attack that leverages the EternalBlue exploit to spread ransomware. Months before WannaCry hit, we wrote about how Bitdefender Hypervisor Introspection defeated the EternalBlue exploit.
How does Hypervisor Introspection prevent the exploit?
Bitdefender Hypervisor Introspection (HVI) is a state-of-the-art anti-exploit technology that leverages Virtual Machine Introspection APIs built into modern hypervisors to monitor the entire memory footprint of the running VMs. This allows the technology to focus on identifying attack techniques at runtime in memory, rather than searching for previously encountered behaviors (signatures, heuristics, ML, etc.). Hypervisor Introspection does not require prior knowledge of the vulnerability or where it is, and it does not require prior knowledge of the exploit code.
Kernel exploits like BlueKeep (and EternalBlue) require careful actions in order to gain access to the operating system APIs. When initial code execution is obtained, the exploit cannot do much without calling OS functions, since it is running in an arbitrary context that will deadlock or crash the system. In order to "migrate" to a known context, the malicious code will try to intercept the OS SYSCALL handler. Hypervisor Introspection monitors the OS kernel structures, including the values of the CPU Model Specific Registers (MSRs), and prevents malicious changes to them. By doing so, Hypervisor Introspection provides generic protection against entire classes of attacks that rely on the same exploitation technique.
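To make that protection concrete, here is an added model of the MSR check in Python; it is not Bitdefender's HVI code, and it assumes the hypervisor traps WRMSR for the SYSCALL-entry MSRs and knows the guest kernel image range (module names, bases and addresses are constructed sample values).

```python
"""Model of a hypervisor-side guard for the SYSCALL-entry MSRs (added example,
not HVI code): a trapped WRMSR is allowed only if the new handler address
lies inside a trusted kernel image. All addresses are constructed samples."""
from __future__ import annotations
from dataclasses import dataclass

# x86-64 MSRs holding kernel entry points; a hook here runs on every syscall.
IA32_SYSENTER_EIP = 0x176
IA32_LSTAR = 0xC0000082
IA32_CSTAR = 0xC0000083
MONITORED_MSRS = {IA32_SYSENTER_EIP, IA32_LSTAR, IA32_CSTAR}


@dataclass(frozen=True)
class KernelModule:
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


class MsrGuard:
    """Tracks the last accepted value of each monitored MSR for one VM."""

    def __init__(self, trusted: list[KernelModule], boot_values: dict[int, int]):
        self.trusted = trusted
        self.values = dict(boot_values)  # assumed captured from a clean boot

    def owner(self, addr: int) -> KernelModule | None:
        return next((m for m in self.trusted if m.contains(addr)), None)

    def on_wrmsr(self, msr: int, new_value: int) -> tuple[bool, str]:
        """Decision for a trapped WRMSR: (allow, reason)."""
        if msr not in MONITORED_MSRS:
            return True, "not monitored"
        if new_value == self.values.get(msr):
            return True, "value unchanged"
        mod = self.owner(new_value)
        if mod is None:
            return False, f"MSR {msr:#x} := {new_value:#x} blocked: outside trusted kernel image"
        self.values[msr] = new_value
        return True, f"accepted: handler inside {mod.name}"


# Constructed sample guest: one kernel image, LSTAR initially pointing into it.
NTOSKRNL = KernelModule("ntoskrnl.exe", 0xFFFFF80000400000, 0x700000)
GUARD = MsrGuard([NTOSKRNL], {IA32_LSTAR: 0xFFFFF80000580000})
```

A real introspection engine would also re-read the MSRs periodically and compare them against the recorded values, so that a change made without a trapped WRMSR is still caught.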
Hypervisor Introspection is available today for Citrix Hypervisor environments, and as part of a Tech Preview program for organizations running the KVM hypervisor.
With publicly available exploit code, the chances of weaponized malware being developed are drastically increased. At the time this blog post was published, the Shodan Internet Exposure Observatory is reporting more than 300,000 Internet facing systems are exposing unpatched RDP services that are vulnerable to BlueKeep. While Bitdefender Hypervisor Introspection customers are already protected, everyone must consider the available mitigations and act now:
- Use your patch management solution to apply the latest available patches.
- Configure Remote Desktop Services with Network Level Authentication.
- Don’t expose RDP to the outside world unless the system is patched.