(CVE 2020-0601), (CVE 2020-0609/2020-0610), (CVE 2020-0611)

Source: Trace Bellassai  

Several serious security vulnerabilities affecting Microsoft operating systems have recently been made public. Three vulnerabilities that are of significant concern are: CryptoAPI Spoofing Vulnerability, RD Gateway Vulnerabilities, and Remote Desktop Vulnerabilities. Microsoft has released patches for these vulnerabilities. Installing the patches is the most effective mitigation, and we strongly encourage anyone affected to apply them as soon as possible. If a patch cannot be applied, we have suggested possible mitigations below.

CryptoAPI Spoofing (CVE 2020-0601) 
This is a vulnerability in Microsoft's implementation of elliptic curve certificate validation in Windows 10 and Windows Server 2016/2019. The vulnerability may allow an attacker to use a spoofed certificate to bypass cybersecurity defenses based on trust validation. Examples include masquerading as a legitimate secure website (HTTPS), as signed files and emails, and as signed executable code.

An attacker may be able to gain unauthorized access to systems, impact the operation of those systems, and gather sensitive information that normally travels encrypted, such as passwords. 

Possible mitigations 

  • Routing internet traffic through a proxy which performs TLS inspection 
  • Application whitelisting
  • Validate the integrity of all patches and updates using vendor-provided hashes 
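The following PowerShell is an added example, not part of the advisory, showing how an administrator can act on the three points above: confirm the update is installed, verify a downloaded update against a vendor-published SHA-256 before installing it, and check the Application log for the Audit-CVE event the patched CryptoAPI writes when it rejects a certificate that attempts the CVE 2020-0601 spoof. The KB number, file path and expected hash are placeholders (the advisory does not list them); take the real values from Microsoft's release notes and download catalog.

```powershell
# Added example, not part of the advisory: post-patch checks for CVE-2020-0601.
# Assumptions (placeholders, not from the advisory): $PatchKbIds holds the KB
# number Microsoft publishes for your OS build; the expected hash comes from the
# vendor's download catalog. Run in an elevated PowerShell session.

# 1. Confirm the security update is installed.
$PatchKbIds = @('KB<placeholder>')
$installed = Get-HotFix | Where-Object { $PatchKbIds -contains $_.HotFixID }
if ($installed) {
    Write-Output "Patch present: $($installed.HotFixID -join ', ')"
} else {
    Write-Warning "None of $($PatchKbIds -join ', ') found; apply the update or rely on the mitigations."
}

# 2. Validate a downloaded update against the vendor-provided SHA-256 before
#    installing it. A forged certificate does not help an attacker here: the
#    file either matches the published digest or it does not.
function Test-UpdateHash {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSha256
    )
    if (-not (Test-Path -Path $Path)) {
        Write-Warning "File not found: $Path"
        return $false
    }
    $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    if ($actual -ieq $ExpectedSha256) {
        Write-Output "Hash OK for $Path"
        return $true
    }
    Write-Warning "Hash mismatch for $Path (expected $ExpectedSha256, got $actual); do not install."
    return $false
}

# Constructed example call; replace both values with your own.
Test-UpdateHash -Path 'C:\Updates\windows10-update.msu' -ExpectedSha256 '<sha256-from-vendor>'

# 3. Detection after patching: the updated CryptoAPI writes Application-log
#    event ID 1 from source Audit-CVE each time it rejects a certificate that
#    attempts the CVE-2020-0601 spoof. Any hit is worth an incident ticket.
$filter = @{ LogName = 'Application'; ProviderName = 'Microsoft-Windows-Audit-CVE'; Id = 1 }
Get-WinEvent -FilterHashtable $filter -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'CVE-2020-0601' } |
    Select-Object TimeCreated, Message
```

The hash check is the one step that does not depend on certificate validation at all, which is why it is listed as a mitigation: an attacker who can forge a code-signing certificate still cannot make a tampered file match the digest the vendor published out of band. The event query only produces results on a patched host; on an unpatched host it is silent, so an empty result is not evidence of safety.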

RD Gateway (CVE 2020-0609/2020-0610) 
This is a remote code execution vulnerability in the Windows Remote Desktop Gateway service and affects Microsoft Windows 7 and newer operating systems. Remote code execution allows an attacker to run a malicious program remotely while not physically at the machine. This vulnerability is also triggered before the authentication phase of the Windows Remote Desktop Protocol, meaning that an attacker does not need valid RDP login credentials to carry out this attack.

Possible mitigations 

  • Disable RDP Gateway services 
  • Limit access to RDP Gateway services using a combination of access control lists, firewalls, VPNs or other cybersecurity measures 

Remote Desktop Client (CVE 2020-0611) 
This is a remote code execution vulnerability in the Windows Remote Desktop Client and affects Microsoft Windows 7 and newer operating systems. Remote code execution allows an attacker to run a malicious program remotely while not physically at the machine. This vulnerability is triggered when a user connects to a malicious or compromised server using the Windows Remote Desktop Protocol, so exploitation requires the user to initiate that connection.

Possible mitigations 

  • Disable RDP to external or untrusted networks 
  • Limit the use of RDP on external/internal networks using a combination of access control lists, firewalls, VPNs or other cybersecurity measures
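The PowerShell below is an added example, not part of the advisory, covering the mitigations listed for both the RD Gateway (CVE 2020-0609/2020-0610) and the Remote Desktop Client (CVE 2020-0611): disabling the gateway service, restricting inbound access to it with a firewall rule scoped to trusted networks, and blocking outbound RDP from clients to untrusted networks. It assumes a Windows host with the RD Gateway role (service name TSGateway), the Windows Defender Firewall cmdlets, and the constructed placeholder address ranges shown, which must be replaced with your own.

```powershell
# Added example, not part of the advisory: limit RD Gateway and RDP exposure
# while the CVE-2020-0609/0610 and CVE-2020-0611 updates are pending.
# Assumptions: Windows Server with the RD Gateway role (service name TSGateway),
# the Windows Defender Firewall cmdlets, and the constructed placeholder
# address lists below, which you must replace with your own networks.
# Run in an elevated PowerShell session.

$TrustedRanges = @('10.0.0.0/8', '192.168.1.0/24')

# --- RD Gateway (CVE-2020-0609/0610) ---
# Mitigation 1: disable the service outright.
$gw = Get-Service -Name 'TSGateway' -ErrorAction SilentlyContinue
if ($null -ne $gw) {
    if ($gw.Status -eq 'Running') { Stop-Service -Name 'TSGateway' -Force }
    Set-Service -Name 'TSGateway' -StartupType Disabled
    Write-Output 'RD Gateway service stopped and disabled.'
} else {
    Write-Output 'RD Gateway service is not installed on this host.'
}

# Mitigation 2 (if the gateway must stay up): allow inbound HTTPS only from
# trusted ranges. This relies on the profile's default inbound action being
# Block, so any broader existing allow rule for TCP 443 must also be disabled.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block
New-NetFirewallRule -DisplayName 'RD Gateway: allow trusted sources only' `
    -Direction Inbound -Protocol TCP -LocalPort 443 `
    -RemoteAddress $TrustedRanges -Action Allow | Out-Null

# --- RDP client (CVE-2020-0611) ---
# Windows firewall gives Block rules precedence over Allow rules, so a block
# rule "to Any" cannot be carved out with a later allow. Scope the block itself
# to the untrusted address space instead: the IPv4 ranges between the trusted
# networks above (constructed to match $TrustedRanges; recompute if changed).
$UntrustedRanges = @(
    '1.0.0.0-9.255.255.255',
    '11.0.0.0-192.168.0.255',
    '192.168.2.0-223.255.255.255'
)
New-NetFirewallRule -DisplayName 'RDP client: block untrusted destinations' `
    -Direction Outbound -Protocol TCP -RemotePort 3389 `
    -RemoteAddress $UntrustedRanges -Action Block | Out-Null

# Verify what was created.
Get-NetFirewallRule -DisplayName 'RD Gateway: allow trusted sources only', 'RDP client: block untrusted destinations' |
    Select-Object DisplayName, Direction, Action, Enabled
```

The two firewall rules deliberately use opposite strategies. Inbound traffic defaults to Block, so a single scoped Allow rule is enough for the gateway. Outbound traffic defaults to Allow and Block rules win over Allow rules, so the client-side restriction has to enumerate the untrusted destinations explicitly; a "block everything, then allow trusted" pair would block the trusted destinations as well. The inbound rule is only as strong as the rest of the rule set: a pre-existing rule that allows TCP 443 from Any still admits everyone.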