If you use modern-day Microsoft software products as a standard end user or a Windows Server administrator, use Remote Desktop Protocol (RDP) in any fashion, or use any software that relies on CryptoAPI, I strongly recommend you patch right away! The Cybersecurity and Infrastructure Security Agency (CISA) released an alert about three critical RDP patches and an important CryptoAPI patch that Microsoft released. Alert AA20-014A covers CVE-2020-0601, the CryptoAPI spoofing vulnerability, and CVE-2020-0609, CVE-2020-0610, and CVE-2020-0611, which affect RDP on both the client and server side. No exploitation in the wild has been identified as of yet.
CVE-2020-0601 is a frightening vulnerability that essentially allows malicious executables to appear as though they’re from a trusted source using a spoofed code-signing certificate. Spoofing attacks should never be taken lightly, and to make it that much worse, this variation is completely unnoticeable to the user; at least with email spoofing there are a few ways to verify an email’s legitimacy. Successful attacks could permit man-in-the-middle attacks and the decryption of confidential information.
CVE-2020-0609 and CVE-2020-0610 are remote code execution vulnerabilities in Windows Remote Desktop Gateway (RD Gateway) that allow an unauthenticated attacker to connect to a system and send specially crafted requests over RDP; no user interaction is required. Successful exploits allow attackers to run arbitrary code, install programs, and even create privileged user accounts.
CVE-2020-0611 affects how client-side RDP connections are handled when connecting to a malicious server. This might not sound like a big deal, but when an attacker also leverages CryptoAPI spoofing and email spoofing, a malicious server might not be so obvious anymore. Successful exploits permit an attacker-controlled server to run arbitrary code, install unknown applications, and create privileged user accounts on the connecting user’s computer.
Summary and Takeaways
In summary, these four CVEs are a pretty big deal. Though the CryptoAPI spoofing vulnerability was only rated Important, that doesn’t prevent its use in a chained attack against a target. This threat greatly increases the capabilities of a man-in-the-middle attack should a threat actor already be in a compromising position. With no way to identify this threat, updating is simply the only option to mitigate it.
As for the other three CVEs, Windows Server administrators should make sure there aren’t any unknown privileged user accounts or recently installed applications on their servers. Further, make sure to apprise your user base of any authentic changes to server names, or at the very least make sure they know not to connect to “any new servers” that may come up in spoofed emails. If you’re an end user, don’t connect to any unknown RDP servers and do your due diligence to verify the integrity of any known servers you may connect to. If you’re a more technical user or simply curious about the technical possibilities, read through this link as a reference point to check against your system and network environment.
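As an added example (not from the CISA alert or this post), the following PowerShell script runs the administrator checks described above on a single host: hotfixes installed in a review window, current local Administrators membership, account-creation and group-membership events from the Security log, recently installed applications, and whether the RD Gateway role is present. The $Since window is an assumed default; adjust it to your patch baseline.

```powershell
# Added triage script for the checks described in the post; not from CISA or the original author.
# Assumes it runs elevated on the Windows host being reviewed. $Since is an assumed review window.
param([datetime]$Since = (Get-Date).AddDays(-30))

# 1. Hotfixes applied in the window: confirm the RDP and CryptoAPI updates actually landed.
Write-Host "== Hotfixes installed since $Since =="
Get-HotFix | Where-Object { $_.InstalledOn -ge $Since } |
    Sort-Object InstalledOn | Format-Table HotFixID, InstalledOn, Description -AutoSize

# 2. Privileged accounts: every current member of the local Administrators group should be known.
Write-Host "== Local Administrators group members =="
Get-LocalGroupMember -Group 'Administrators' |
    Format-Table Name, PrincipalSource, ObjectClass -AutoSize

# 3. Security log: 4720 = user account created, 4732 = member added to a local security group.
Write-Host "== Account creation / local group membership events since $Since =="
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4732; StartTime = $Since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0].Trim() } } |
    Format-Table -AutoSize

# 4. Recently installed applications, read from the Uninstall registry keys (InstallDate is yyyyMMdd).
Write-Host "== Applications installed since $Since =="
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -and $_.InstallDate -match '^\d{8}$' } |
    ForEach-Object {
        $installed = [datetime]::ParseExact($_.InstallDate, 'yyyyMMdd', $null)
        if ($installed -ge $Since) {
            [pscustomobject]@{ Name = $_.DisplayName; Installed = $installed; Publisher = $_.Publisher }
        }
    } | Sort-Object Installed -Descending | Format-Table -AutoSize

# 5. Servers only: note whether the RD Gateway role (the CVE-2020-0609/0610 attack surface) is installed.
if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
    $gateway = Get-WindowsFeature -Name RDS-Gateway
    Write-Host "RD Gateway role installed: $($gateway.Installed)"
}
```

Anything unfamiliar in the Administrators, event, or application listings is a lead to investigate, not proof of compromise; compare against your change records before acting.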