lolloj - Fotolia
Cybersecurity vendor Immunity Inc. defended its decision to sell a BlueKeep exploit module capable of full remote code execution as part of its penetration testing toolkit.
The infosec community has been watching the progression of BlueKeep over the past two months. The Remote Desktop protocol vulnerability affects older Windows systems and is considered so dangerous that Microsoft twice urged users to patch. The issue even garnered warnings from the National Security Agency and Department of Homeland Security.
Security researchers from McAfee, Zerodium and Kaspersky had developed proof-of-concept BlueKeep exploits before, but none released the code because of fears it would accelerate the production of a weaponized exploit used by malicious actors.
According to an Immunity spokesperson, the vendor's penetration testing toolkit, CANVAS, "provides an exploitation framework and exploits to customers. BlueKeep is part of that product and if you have a valid license you can download updates and access new modules, including BlueKeep."
"This is a known vulnerability. Any reasonably competent exploit writer could write an exploit for it based on publicly available information. The Immunity product, CANVAS, has more than 800 exploits. All of them, including BlueKeep, has a patch," the spokesperson said. "We happen to be the commercial company to include this in our product so companies can test to see if their exposed RDP-enabled systems are actually secure against the vulnerability. Also, our version is not self-propagating (a worm)."
Immunity announced the updated version of CANVAS with the BlueKeep exploit on Twitter Tuesday.
Immunity CEO Dave Aitel told SearchSecurity that his firm decided to release the BlueKeep exploit module because it is "important for organizations to understand their actual risk and determine if their defenses are effectively protecting them."
"Our objective is to help customers solve their risk problems. It's not just about BlueKeep -- there will always be another vulnerability that comes along and puts you at risk. Many modern systems do anomaly detection on network traffic, or endpoint behavioral analysis to catch exploitation of flaws like BlueKeep," Aitel said. "Testing these kinds of systems requires a working RCE exploit. Likewise, simply doing a demo to upper management of 'Here is us hacking our systems' is a common use for red teams as they gather support to replace or upgrade their systems. The end goal should be addressing the entirety of risk rather than focusing on any single exploit."
Jake Williams, founder and president of Rendition Infosec, based in Augusta, Ga., said there are ethical questions surrounding the BlueKeep exploit module.
"A vulnerability scanner doesn't fully demonstrate the risk of an attack. Imagine that a single host in the network is vulnerable to BlueKeep. The scanner tells you that, but does nothing to help evaluate the damage that can be done from that compromise," Williams told SearchSecurity. "Proof-of-concept exploits are released all the time; the only thing that makes this different is the danger BlueKeep poses to the broader internet."
Marcus Hutchins, an independent security researcher known as "MalwareTech," agreed there are ethical concerns but said Aitel's rationale was correct.
"If you need to test exploit mitigations then RCE is useful, as is it useful for proving to management the vulnerability has real-world effects," Hutchins said. "But I do question if it's a good idea to release something that's capable of exploiting over 800,000 systems with zero user interaction."
Aitel said it took Immunity "about two months to develop the RDP library and exploit" and they to release versions of the BlueKeep exploit module as it becomes more stable.
Williams said it would be "trivial for a well-resourced customer to extract the exploit and use it outside the framework," but added that many companies will wait to patch until there is an exploit in the wild.
"I think [Immunity] made the calculation that we've passed the point [where] enough machines are patched that the damage should be mitigated somewhat. Historically they definitely haven't sold broadly to anyone with a credit card. There was some level of vetting that you were a legitimate business," Williams said. "We like to think everyone has great security and Fortune 500 resources, but there are many orgs that only have resources to put out fires. For them, BlueKeep is just dry tinder until the exploit is being actively used in the wild. Then it's a fire and they're ready to act."
Robert Hudock, partner in the data, privacy and security team at King & Spalding LLP, based in York City, who is familiar with Immunity, said there is always a risk with a product like CANVAS being sold to a bad actor.
"When a company like Immunity is selling this product and they're selling something that could be used for nefarious purposes, they need to make sure they are being diligent in vetting their customers appropriately," Hudock told SearchSecurity.
Hudock noted that there have been other instances where companies overseas such as the NSO Group, have sold software to malicious actors who then used the product for criminal activity.
"The concern is if you sold this to a potentially bad actor, or you didn't care whether you sold it to a bad actor or not, you could be charged with a conspiracy to violate the Computer Fraud and Abuse Act," Hudock said. "By you selling the exploit, you are enabling a bad actor to break into an information system that would be covered under the CFAA."
Hudock added that it was a risky proposition not to vet potential customers because if a company were to even unintentionally sell an exploit to someone in China or Russia or Iran, they could be opened up to liability beyond the CFAA. He said there have been cases where computer exploits have been classified as munitions, and sales of an exploit could run afoul of U.S. export laws as well.
When asked about vetting of customers, an Immunity spokesperson said, "There are no limitations to who can buy the pen testing services."