Remote Desktop Vulnerable to Remote Code Execution

Microsoft had a particularly important Patch Tuesday this week. Not only were flaws found in the CryptoAPI library, but arguably more severe flaws were found in the Remote Desktop Client and Gateway that allow for unauthenticated remote code execution. CVE-2020-0609 and CVE-2020-0610 affect Remote Desktop Gateway. Microsoft stated that “A remote code execution vulnerability exists in Windows Remote Desktop Gateway (RD Gateway) when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction.” All supported versions of Windows Server are vulnerable without the released patch. Windows Remote Desktop Client gets its own CVE as well. If an attacker can convince someone to connect to a malicious server through social engineering, man-in-the-middle attacks, compromising a legitimate server, etc., CVE-2020-0611 can also allow for remote code execution.

Analyst Notes

As part of their normal Patch Tuesday, Microsoft released patches for all three vulnerabilities. Details of each can be found at the links below. It is highly recommended to have a plan for migrating away from unsupported operating systems, which generally receive end-of-life announcements well in advance. Although there have been no publicly released proof-of-concept exploits, we also recommend performing regular anti-virus scans and keeping anti-virus definitions up to date. This should be done on all workstations and servers when possible, regardless of known vulnerabilities. Utilizing an EDR or an MDR (managed detection and response) solution can help organizations spot threats before they spread too far.

Sources:

• https://www.us-cert.gov/ncas/alerts/aa20-014a
• https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0609
• https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0610
• https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0611