Secplicity - Security Simplified

Powered by WatchGuard Technologies

Microsoft Patch Tuesday; Critical RDP & Important CryptoAPI Updates

January 14, 2020 By Emil Hozan

If you use modern Microsoft software, whether as a standard end user or as a Windows Server administrator, and you use Remote Desktop Protocol (RDP) in any fashion or run any programs that rely on CryptoAPI, I strongly recommend you patch right away! The Cybersecurity and Infrastructure Security Agency (CISA) released an alert about three critical RDP patches and an important CryptoAPI patch that Microsoft released. Alert AA20-014A covers CVE-2020-0601, the CryptoAPI spoofing vulnerability, and CVE-2020-0609, CVE-2020-0610, and CVE-2020-0611, which pertain to RDP on both the client and server side. No exploitation in the wild has been identified as of yet.

CVE-2020-0601 is a frightening vulnerability: it allows malicious executables to appear as though they come from a trusted source by using a spoofed code-signing certificate that CryptoAPI accepts as valid. Spoofing attacks should never be taken lightly, and to make it that much worse, this variation is completely unnoticeable to the user – at least with email spoofing there are a few ways to verify an email’s legitimacy. A successful attack could also enable man-in-the-middle interception of connections and decryption of confidential information.

CVE-2020-0609 and CVE-2020-0610 are remote code execution vulnerabilities in Windows Remote Desktop Gateway (RD Gateway) that allow an unauthenticated attacker to send specially crafted requests to a target system over RDP; no user interaction is required. A successful exploit allows the attacker to run arbitrary code, install programs, and even create privileged user accounts.

CVE-2020-0611 affects how the client-side RDP connection is handled when a user connects to a malicious server. This might not sound like a big deal on its own, but combined with the CryptoAPI spoofing and email spoofing threats, a malicious server may not be so obvious to the user anymore. A successful exploit permits an attacker-controlled server to run arbitrary code, install unknown applications, and create privileged user accounts on the connecting user’s computer.

Summary and Takeaways

In summary, these four CVEs are a pretty big deal. Though the CryptoAPI spoofing was only marked as Important, that doesn’t prevent its use in a chained attack against a target. This threat greatly increases the capabilities of a man-in-the-middle attack should a threat actor already be in a compromising position on the network. With no reliable way for a user to spot this threat, updating is simply the only option to mitigate it.

As for the other three CVEs, Windows Server administrators should make sure there aren’t any unknown privileged user accounts or recently installed applications on their servers. Further, make sure to apprise your user base of any authentic changes to server names, or at the very least make sure they know not to connect to “any new servers” that may be advertised in spoofed emails. If you’re an end user, don’t connect to any unknown RDP servers, and do your due diligence to verify the integrity of any known servers you connect to. If you’re a more technical user or simply curious about the technical possibilities, read through this link as a reference point to check against your system and network environment.
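As an added example (not code from the original post or from WatchGuard), the following PowerShell script performs the administrator checks described above on a single server: current members of the local Administrators group, account-creation and local-group-membership events, programs installed recently, and hotfixes applied since this Patch Tuesday. The 30-day lookback window is an assumed default; the hotfix list still has to be compared by hand against the KB numbers in Microsoft's advisories for the four CVEs.

```powershell
# Added triage script (not from the original post): run from an elevated
# PowerShell session on the Windows Server being checked.
# $LookbackDays is an assumed default; adjust it to your retention window.
param(
    [int]$LookbackDays = 30,
    [datetime]$PatchTuesday = [datetime]'2020-01-14'
)
$since = (Get-Date).AddDays(-$LookbackDays)
$inv   = [System.Globalization.CultureInfo]::InvariantCulture

Write-Host "== Current members of the local Administrators group =="
# Review every entry; anything you do not recognise deserves a closer look.
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize

Write-Host "== Accounts created (4720) or added to a local group (4732) since $($since.ToString('yyyy-MM-dd')) =="
# Security log event IDs 4720 (user account created) and 4732 (member added to a
# security-enabled local group); the log must be retained for the lookback window.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4732; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List

Write-Host "== Programs installed since $($since.ToString('yyyy-MM-dd')) =="
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -and $_.InstallDate } |
    ForEach-Object {
        # InstallDate is stored as a yyyyMMdd string; entries that do not parse are skipped.
        $d = [datetime]::MinValue
        if ([datetime]::TryParseExact($_.InstallDate, 'yyyyMMdd', $inv,
                [System.Globalization.DateTimeStyles]::None, [ref]$d) -and $d -ge $since) {
            [pscustomobject]@{ Installed = $d.ToString('yyyy-MM-dd'); Name = $_.DisplayName; Publisher = $_.Publisher }
        }
    } | Sort-Object Installed -Descending | Format-Table -AutoSize

Write-Host "== Hotfixes installed on or after $($PatchTuesday.ToString('yyyy-MM-dd')) =="
# Compare these KB numbers against the ones listed in Microsoft's advisories for the four CVEs.
Get-HotFix | Where-Object { $_.InstalledOn -ge $PatchTuesday } |
    Sort-Object InstalledOn -Descending |
    Select-Object HotFixID, Description, InstalledOn | Format-Table -AutoSize
```

Programs installed by MSI packages generally populate InstallDate; some installers do not, so treat the program list as a starting point rather than a complete inventory.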

Filed Under: Editorial Articles Tagged With: Microsoft Patch Day, MS Patch Day, patch tuesday, security patches

Comments

  1. CHRIS says

    January 28, 2020 at 11:03 am

    OK, I received this memo, but how do we know a PC has been protected? Which MS update(s) are needed?
    • Emil Hozan says

      February 10, 2020 at 10:04 am

      Hello Chris,

      Thank you for reading and engaging with this post! To answer your questions about applying updates from Microsoft, please see the following.

      CVE-2020-0601 can be addressed with a security update that can be found here: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601

      This update ensures the CryptoAPI validates ECC certificates.

      CVE-2020-0609 is addressed via an update found here:
      https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0609

      The update corrects how RD Gateway handles connection requests.

      CVE-2020-0610’s update can be found here:
      https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0610

      Updating corrects how RD Gateway handles connection requests.

      CVE-2020-0611 can be updated using this link:
      https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0611

      This update corrects how Windows Remote Desktop Clients handle connection requests.

      Thank you again for tuning into Secplicity!

      Regards,
      Emil Hozan