Immunity's penetration testing utility now includes an exploit for BlueKeep flaw

Wormable Windows vulnerability Bluekeep can self-propagate from one vulnerable system to another

Cyber security firm Immunity has incorporated an exploit for the BlueKeep vulnerability into its CANVAS penetration testing utility.

The exploit for the BlueKeep flaw is now included in CANVAS v7.23, enabling users to achieve remote code execution on unprotected PCs during penetration tests - in other words, able to open a shell on infected hosts.

"Immunity's CANVAS makes available hundreds of exploits, an automated exploitation system, and a comprehensive, reliable exploit development framework to penetration testers and security professionals worldwide," the company states on its website.

https://twitter.com/Immunityinc/status/1153752470130221057?ref\\_src=twsrc%5Etfw

The BlueKeep flaw, aka CVE-2019-0708, was first uncovered by security researchers in May, with Microsoft rushing out a patch to cover it. According to Microsoft, it is a "wormable" vulnerability that can self-propagate from one vulnerable system to another without requiring user interaction - similar to the way that WannaCry and NotPetya were spread.

It affects Microsoft's proprietary remote desktop protocol (RDP) service in older versions of the Windows, including Windows XP, Windows 7, Windows Vista, Windows Server 2003, and Windows Server 2008.

The latest Windows 10 versions are immune to the BlueKeep vulnerability.

Since the discovery of the flaw, security specialists have been warning that cyber criminals might soon find a way to weaponise BlueKeep and spur another wave of WannaCry-like infections worldwide.

Considering the severity of the flaw, Microsoft also rushed out patches for BlueKeep in May, shortly after its discovery, including for legacy operating systems that are no longer officially supported.

Around one million Windows systems were thought to be vulnerable to BlueKeep at the end of the May. But, in July, a scan carried out by BitSight suggested that the number of vulnerable systems had decreased to around 805,000.

Some cybersecurity firms recently claimed that they had developed fully-working BlueKeep exploits, although they refrained from releasing the proof-of-concept code in public domain in order to avoid its abuse by attackers.

Last month, a security expert demonstrated a working exploit of the BlueKeep vulnerability, which could enable attackers to take full control of a system in just 22 seconds.

Earlier this week, a researcher posted on GitHub what experts described as the most detailed technical documentation on the BlueKeep vulnerability known to date. In the guide, the researcher explained the technique to target Windows-based systems that are still vulnerable to BlueKeep flaw. Some security experts suggested that the guide posted on GitHub had significantly lowered the bar for writing highly destructive BlueKeep exploits, inviting attacks similar to the NotPetya and WannaCry attacks of 2017.

But, they do believe that the new details will still require a great deal of technical skill to author a crash-free exploit that can take advantage of BlueKeep in the wild.

Immunity was founded by ex-NSA hacker Dave Aitel in 2002. The company specialises in creating exploitation development tools, vulnerability assessment tools and remote control technologies. The firm was acquired by Cyxtera Technologies in June 2018.