Summary
New vulnerabilities continually emerge, but the best defense against attackers exploiting patched vulnerabilities is simple: keep software up to date. Rapid patching is one of the most effective and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats.
On January 14, 2020, Microsoft released software patches to address 49 vulnerabilities as part of its monthly Patch Tuesday announcement. Among the vulnerabilities fixed were critical weaknesses in Windows CryptoAPI, Windows Remote Desktop Gateway (RD Gateway), and Windows Remote Desktop Client. An attacker could remotely exploit these vulnerabilities to decrypt, modify or inject data on user connections:
- CryptoAPI Spoofing Vulnerability – CVE-2020-0601: This vulnerability affects all machines running 32- or 64-bit Windows 10 operating systems, including Windows Server versions 2016 and 2019. It allows Elliptic Curve Cryptography (ECC) certificate validation to bypass the trust store, enabling unwanted or malicious software to masquerade as authentically signed by a trusted or trustworthy organization. This could deceive users or thwart malware detection methods such as antivirus software. Additionally, a maliciously crafted certificate could appear to have been issued for a hostname that did not authorize it, and a browser that relies on Windows CryptoAPI would not issue a warning, allowing an attacker to decrypt, modify, or inject data on user connections without detection.
- Windows RD Gateway and Windows Remote Desktop Client Vulnerabilities – CVE-2020-0609, CVE-2020-0610 and CVE-2020-0611: These vulnerabilities affect Windows Server 2012 and later. CVE-2020-0611 additionally affects Windows 7 and later. These vulnerabilities, in the Windows Remote Desktop Client and the RD Gateway Server, allow remote code execution, meaning an attacker could run arbitrary code on the affected system. The server vulnerabilities do not require authentication or user interaction and can be exploited with a specially crafted request. The client vulnerability can be exploited by convincing a user to connect to a malicious server.
The Cybersecurity and Infrastructure Security Agency (CISA) is not aware of any active exploitation of these vulnerabilities. However, because the patches have been publicly released, the underlying vulnerabilities can be reverse engineered to create exploits targeting unpatched systems.
CISA strongly recommends that organizations install these critical patches as soon as possible, prioritizing critical systems, Internet-connected systems, and networked servers first. Organizations should then prioritize patching other affected information technology/operational technology (IT/OT) assets.
Technical details
CryptoAPI Impersonation Vulnerability – CVE-2020-0601
A spoofing vulnerability exists in the way that Windows CryptoAPI (Crypt32.dll) validates ECC certificates.
According to Microsoft, “an attacker could exploit this vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source. The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider.” Additionally, “a successful exploit could also allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software.”[1]
A cyber attacker could exploit CVE-2020-0601 to obtain sensitive information, such as financial information, or to execute malware on a targeted system. For example:
- A maliciously crafted certificate could appear to have been issued for a hostname that did not authorize it, preventing a browser that relies on Windows CryptoAPI from recognizing the forgery and issuing a warning. If the certificate impersonates a user’s bank website, the user’s financial information could be exposed.
- Signed malware could bypass protections (for example, antivirus software) that only allow applications with valid signatures to run. Malicious files, emails, and executables could appear legitimate to unpatched users.
The Microsoft security advisory for CVE-2020-0601 addresses this vulnerability by ensuring that Windows CryptoAPI fully validates ECC certificates.
Detection measures
The National Security Agency (NSA) provides detection measures for CVE-2020-0601 in its Cybersecurity Advisory: Patch Critical Cryptographic Vulnerability in Microsoft Windows Clients and Servers.[2]
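As an added detection example (not part of this advisory and not the NSA's own tooling), the following Python walks a DER-encoded X.509 certificate and flags EC public keys whose AlgorithmIdentifier carries explicit curve parameters instead of a named-curve OID. The forgery behind CVE-2020-0601 relies on a certificate that declares its own curve parameters, including an attacker-chosen generator, so that its public key matches a trusted CA's key; legitimately issued certificates use named curves such as P-256, so explicit parameters are a strong review signal. The two sample certificates are constructed, unsigned skeletons built inline for the demonstration, and the function names are this example's own.

```python
"""
Flag X.509 certificates whose EC public key carries explicit curve parameters
(the CVE-2020-0601 review signal). Stdlib-only DER walking; no PKI library.
"""
from typing import List, Tuple

ID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")   # OID 1.2.840.10045.2.1 (id-ecPublicKey)
ID_PRIME256V1 = bytes.fromhex("2a8648ce3d030107")    # OID 1.2.840.10045.3.1.7 (P-256)
TAG_OID, TAG_NULL, TAG_SEQUENCE, TAG_VERSION = 0x06, 0x05, 0x30, 0xA0


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:end], end


def _children(value: bytes) -> List[Tuple[int, bytes]]:
    """Split the body of a constructed element into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out


def ec_parameter_encoding(cert_der: bytes) -> str:
    """
    Classify the SubjectPublicKeyInfo of a DER certificate:
      'named'    - EC key with a named-curve OID (expected for real certificates)
      'explicit' - EC key with an explicit ECParameters SEQUENCE (review it)
      'implicit' - EC key with NULL/absent parameters (rare)
      'non-ec'   - RSA or other key type
    """
    _, cert_body, _ = _read_tlv(cert_der, 0)
    _, tbs, _ = _read_tlv(cert_body, 0)                # tbsCertificate
    fields = _children(tbs)
    if fields and fields[0][0] == TAG_VERSION:         # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    _, spki = fields[5]
    _, alg_id = _children(spki)[0]                     # AlgorithmIdentifier
    alg = _children(alg_id)
    if alg[0][1] != ID_EC_PUBLIC_KEY:
        return "non-ec"
    if len(alg) < 2 or alg[1][0] == TAG_NULL:
        return "implicit"
    return {TAG_OID: "named", TAG_SEQUENCE: "explicit"}.get(alg[1][0], "unknown")


def scan(certs: List[Tuple[str, bytes]]) -> List[str]:
    """Return labels of certificates that warrant review (explicit EC parameters)."""
    return [label for label, der in certs if ec_parameter_encoding(der) == "explicit"]


# --- Constructed test material: unsigned certificate skeletons, not real certs ---

def _tlv(tag: int, value: bytes) -> bytes:
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _seq(*parts: bytes) -> bytes:
    return _tlv(TAG_SEQUENCE, b"".join(parts))


def build_skeleton_cert(params: bytes) -> bytes:
    """Minimal v3 certificate structure whose EC AlgorithmIdentifier uses `params`."""
    ecdsa_sha256 = _seq(_tlv(TAG_OID, bytes.fromhex("2a8648ce3d040302")))
    validity = _seq(_tlv(0x17, b"200114000000Z"), _tlv(0x17, b"210114000000Z"))
    empty_name = _seq()
    spki = _seq(_seq(_tlv(TAG_OID, ID_EC_PUBLIC_KEY), params),
                _tlv(0x03, b"\x00\x04" + b"\x11" * 64))        # placeholder point
    tbs = _seq(_tlv(TAG_VERSION, _tlv(0x02, b"\x02")), _tlv(0x02, b"\x01"),
               ecdsa_sha256, empty_name, validity, empty_name, spki)
    return _seq(tbs, ecdsa_sha256, _tlv(0x03, b"\x00" + b"\x22" * 8))


NAMED_CURVE_CERT = build_skeleton_cert(_tlv(TAG_OID, ID_PRIME256V1))
# Explicit ECParameters: version 1, fieldID, curve, base point (attacker-chosen), order.
EXPLICIT_PARAMS_CERT = build_skeleton_cert(_seq(
    _tlv(0x02, b"\x01"),
    _seq(_tlv(TAG_OID, bytes.fromhex("2a8648ce3d0101")), _tlv(0x02, b"\x7f")),  # prime-field
    _seq(_tlv(0x04, b"\x01"), _tlv(0x04, b"\x02")),
    _tlv(0x04, b"\x04" + b"\x33" * 64),
    _tlv(0x02, b"\x7d"),
))

if __name__ == "__main__":
    for label, der in [("named", NAMED_CURVE_CERT), ("explicit", EXPLICIT_PARAMS_CERT)]:
        print(label, "->", ec_parameter_encoding(der))
    print("review:", scan([("leaf-a", NAMED_CURVE_CERT), ("leaf-b", EXPLICIT_PARAMS_CERT)]))
```

Feed `ec_parameter_encoding` DER bytes from a TLS capture, a certificate store export, or a PEM file after base64 decoding. Explicit parameters are not proof of exploitation on their own, but they are rare enough in practice that every hit deserves a look at the issuer and the public key; this check complements patching and is no substitute for it.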
Windows RD Gateway Vulnerabilities – CVE-2020-0609/CVE-2020-0610
According to Microsoft, “A remote code execution vulnerability exists in Windows Remote Desktop Gateway (RD Gateway) when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction.”[3],[4]
CVE-2020-0609/CVE-2020-0610:
- Affect all supported versions of Windows Server (Server 2012 and later; support for Server 2008 ends January 14, 2020);
- Occur before authentication; and
- Require no user interaction to exploit.
Microsoft security advisories for CVE-2020-0609 and CVE-2020-0610 address these vulnerabilities.
Windows Remote Desktop Client Vulnerability – CVE-2020-0611
According to Microsoft, “A remote code execution vulnerability exists in the Windows Remote Desktop client when a user connects to a malicious server. An attacker who successfully exploited this vulnerability could execute arbitrary code on the connecting client’s computer.”[5]
Exploiting CVE-2020-0611 requires the user to connect to a malicious server, which an attacker could bring about through social engineering, Domain Name System (DNS) poisoning, a man-in-the-middle attack, or by compromising a legitimate server.
The Microsoft security advisory for CVE-2020-0611 addresses this vulnerability.
Impact
A successful network intrusion can have serious consequences, particularly if the compromise becomes public and sensitive information is exposed. Possible impacts include:
- Temporary or permanent loss of sensitive or proprietary information,
- Disruption of regular operations,
- Financial losses related to restoring systems and files, and
- Potential damage to an organization’s reputation.
Mitigations
CISA strongly recommends that organizations read the Microsoft January 2020 Release Notes page for more information and apply the critical patches as soon as possible, prioritizing critical systems, Internet-connected systems, and networked servers first. Organizations should then prioritize patching other affected IT/OT assets.
General advice
- Guide to Enterprise Patch Management Technologies, NIST Special Publication 800-40 Revision 3. Patch management is the process of identifying, acquiring, installing, and verifying patches for products and systems. This publication is designed to help organizations understand the basics of enterprise patch management technologies. It explains the importance of patch management and examines the challenges inherent in performing it. It provides an overview of enterprise patch management technologies and also briefly discusses metrics for measuring their effectiveness.
- View CISA Insights publications. Informed by U.S. cyber intelligence and real-world events, each CISA Insight provides background information on particular cyber threats and the vulnerabilities they exploit, as well as a set of ready-to-use mitigation activities that non-federal partners can implement. Printable materials can be found by visiting:
- Check out CISA’s Cyber Essentials. CISA’s Cyber Essentials is a guide for small business leaders as well as leaders of small local government agencies to develop a practical understanding of where to begin implementing organizational cybersecurity practices. The essentials are the starting point for cyber preparedness. To download the guide, visit:
References
Revisions
- January 14, 2020: Initial release
- January 14, 2020: Minor technical changes