Critical Vulnerabilities in Microsoft Windows Operating Systems

Overview

On January 14, 2020, Microsoft released software fixes to address 49 vulnerabilities as part of their monthly Patch Tuesday announcement. Among the vulnerabilities, there were two critically impacted software components of particular concern, the Windows CryptoAPI and Windows Remote Desktop Protocol (RDP) server and client.

CryptoAPI spoofing vulnerability: Allows an attacker to create a spoofed certificate that masquerades as one issued by a legitimate certificate authority. This could allow an attacker to bypass traditional protection methods such as antivirus or application whitelisting. Additionally, a crafted certificate could allow an attacker to man-in-the-middle HTTPS connections.

Multiple Windows RDP vulnerabilities: These vulnerabilities in the Windows Remote Desktop client and RDP Gateway Server allow remote code execution. The server vulnerabilities do not require authentication or user interaction and can be exploited by a specially crafted request. The client vulnerability can be exploited by convincing a user to connect to a malicious server.

Threat Intelligence

The Masergy Threat Intelligence team is currently not aware of any proof-of-concepts being publicly available or active exploitation in the wild. We assess that it is likely sophisticated actors will pursue the weaponization of these exploits. The Masergy Threat Intelligence team will continue to monitor the situation as it develops.

Vulnerabilities

Systems Affected

Technical Summary

CVE-2020-0601: Microsoft Windows CryptoAPI (Crypt32.dll) fails to properly validate certificates that use Elliptic Curve Cryptography (ECC). This can allow an attacker to craft a certificate that appears to chain to a trusted root certificate authority, allowing the attacker to defeat trusted network connections and deliver executable code while appearing to be a trusted entity. This affects both Windows operating systems and applications that rely on Windows for trust functionality.
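
The NSA advisory listed under References notes that ECC certificates bound to a named curve can be ruled benign, while certificates carrying explicitly defined curve parameters warrant scrutiny. As an added example (not from this advisory, Masergy, or Microsoft), the following Python audits X.509 SubjectPublicKeyInfo structures and flags EC keys whose parameters are not a named-curve OID. The function names, the minimal DER helpers and the sample SPKI blobs are mine; the blobs are constructed inline with a placeholder public point and are not real keys or certificates.

```python
# Added example: flag SubjectPublicKeyInfo blobs whose EC parameters are
# explicit (SpecifiedECDomain) or implicit instead of a named-curve OID.
# All DER helpers and sample inputs below are constructed for this example.

OID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"
OID_RSA_ENCRYPTION = "1.2.840.113549.1.1.1"
OID_PRIME_FIELD = "1.2.840.10045.1.1"
NAMED_CURVES = {
    "1.2.840.10045.3.1.7": "prime256v1",
    "1.3.132.0.34": "secp384r1",
    "1.3.132.0.35": "secp521r1",
}

def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    enc = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(enc)]) + enc

def der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV."""
    return bytes([tag]) + _der_len(len(body)) + body

def der_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:                      # base-128, high bit = continuation
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return der(0x06, bytes(out))

def decode_oid(body: bytes) -> str:
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def parse_tlv(buf: bytes, off: int = 0):
    """Return (tag, body, offset_after_tlv) for the TLV starting at `off`."""
    tag, first = buf[off], buf[off + 1]
    off += 2
    if first < 0x80:
        length = first
    else:                               # long form: 0x8N then N length bytes
        n = first & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    if off + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[off:off + length], off + length

def classify_spki(spki: bytes) -> str:
    """'named:<curve>' for a named-curve EC key, 'explicit' for explicit
    curve parameters, 'implicit' for implicitlyCA, 'not-ec' otherwise."""
    tag, body, _ = parse_tlv(spki)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    tag, alg, _ = parse_tlv(body)                 # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
    tag, oid_body, nxt = parse_tlv(alg)
    if tag != 0x06 or decode_oid(oid_body) != OID_EC_PUBLIC_KEY:
        return "not-ec"
    tag, params, _ = parse_tlv(alg, nxt)          # ECParameters
    if tag == 0x06:                               # namedCurve OID: benign
        oid = decode_oid(params)
        return "named:" + NAMED_CURVES.get(oid, oid)
    if tag == 0x30:                               # SpecifiedECDomain: flag
        return "explicit"
    if tag == 0x05:                               # implicitlyCA NULL: flag
        return "implicit"
    raise ValueError(f"unexpected ECParameters tag 0x{tag:02x}")

def flag_explicit_params(spkis: dict) -> list:
    """Names of entries whose EC key is not bound to a named curve."""
    return [name for name, blob in spkis.items()
            if classify_spki(blob) in ("explicit", "implicit")]

# Constructed sample inputs: placeholder point, not a real key.
def build_spki(alg_oid: str, params: bytes, pubkey: bytes) -> bytes:
    alg = der(0x30, der_oid(alg_oid) + params)
    return der(0x30, alg + der(0x03, b"\x00" + pubkey))

_FAKE_POINT = b"\x04" + b"\x11" * 64
_EXPLICIT_PARAMS = der(0x30,
    der(0x02, b"\x01")                                              # version
    + der(0x30, der_oid(OID_PRIME_FIELD) + der(0x02, b"\x00\xff"))  # fieldID
    + der(0x30, der(0x04, b"\x01") + der(0x04, b"\x02"))            # curve a,b
    + der(0x04, _FAKE_POINT)                                        # base G
    + der(0x02, b"\x00\xfd")                                        # order
    + der(0x02, b"\x01"))                                           # cofactor

SAMPLES = {
    "good-named-curve": build_spki(OID_EC_PUBLIC_KEY, der_oid("1.2.840.10045.3.1.7"), _FAKE_POINT),
    "suspicious-explicit": build_spki(OID_EC_PUBLIC_KEY, _EXPLICIT_PARAMS, _FAKE_POINT),
    "rsa-key": build_spki(OID_RSA_ENCRYPTION, der(0x05, b""), b"\x30\x00"),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name}: {classify_spki(blob)}")
    print("flagged:", flag_explicit_params(SAMPLES))
```

In a real audit, `SAMPLES` would be replaced by the SubjectPublicKeyInfo extracted from each certificate in the trust stores and TLS endpoints under review; an EC key with explicit parameters is rare enough in practice that every hit deserves a manual look, whether or not the host has been patched.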

CVE-2020-0609 | CVE-2020-0610: Microsoft Windows Remote Desktop Gateway is a Windows Server component that provides access to Remote Desktop services without requiring the client system to be on the same network as the target system. By sending a specially crafted request to a Remote Desktop Gateway server, an unauthenticated remote attacker can execute arbitrary code with SYSTEM privileges.

CVE-2020-0611: A vulnerability in the Windows Remote Desktop Client allows an attacker to execute code remotely when a user connects to a malicious server. Exploitation requires the user to connect to a malicious server, whether through social engineering, DNS poisoning, a man-in-the-middle attack, or the attacker compromising a legitimate server.

Recommendations:

We recommend the following actions be taken:

Patches:

https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/2020-Jan

References:

Microsoft:

https://msrc-blog.microsoft.com/2020/01/14/january-2020-security-updates-cve-2020-0601/

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0609

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0610

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0611

US-CERT:

https://www.us-cert.gov/ncas/alerts/aa20-014a

NSA:

https://media.defense.gov/2020/Jan/14/2002234275/-1/-1/0/CSA-WINDOWS-10-CRYPT-LIB-20190114.PDF