To prevent the exploitation of critical vulnerabilities, Microsoft has released patches for all supported Windows versions that need immediate attention. Although no reports of exploitation have been received, the threat is serious and has the potential to be weaponized. Therefore, the Department of Homeland Security (DHS) and the Department of Health and Human Services (HHS) issued emergency directives concerning the vulnerabilities.
Immediate Patching Needed for Windows CryptoAPI Vulnerability
The National Security Agency (NSA) discovered one of the vulnerabilities and reported it to Microsoft. The vulnerability (CVE-2020-0601) affects Windows 10 and Windows Server 2016/2019 systems and lies in the way the Windows CryptoAPI validates Elliptic Curve Cryptography (ECC) certificates. A remote attacker could exploit it to make malicious code appear to be signed by a trusted company, using a spoofed ECC certificate.
The vulnerability could also be exploited in a man-in-the-middle attack. Malicious certificates could be issued for a hostname that did not authorize them, and applications and browsers that rely on the Windows CryptoAPI would raise no warning. A remote attacker exploiting the flaw could decrypt, modify, or inject data on user connections without being noticed.
No cases of exploitation have been reported; however, the NSA expects that advanced persistent threat (APT) groups will soon understand the underlying problem and weaponize the vulnerability, which is why it reported the vulnerability to Microsoft.
The NSA stated that failing to patch the vulnerability could have severe and far-reaching consequences, and that remote exploitation tools are likely to become widely available soon. Immediate patching is currently the only mitigation and must be the top priority for all network users.
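As an added example (not part of the original article), the following PowerShell script gives administrators a defender-side check for CVE-2020-0601 on a Windows 10 or Server 2016/2019 host: it verifies whether the fixing update is installed and then looks for the events that the patched crypt32.dll writes to the Application log (Event ID 1 from the provider Microsoft-Windows-Audit-CVE) whenever it rejects a certificate crafted to exploit the flaw. The KB number is a placeholder to be filled in from Microsoft's January 2020 guidance, and the function names are this example's own.

```powershell
# Added example, not the article's or Microsoft's own code.
# Part 1: is the update that fixes CVE-2020-0601 installed?
# Part 2: has the patched CryptoAPI already blocked an exploitation attempt?

$PatchKB = 'KBxxxxxxx'   # PLACEHOLDER: take the real KB id from Microsoft's January 2020 guidance

function Test-Cve20200601Patch {
    param([string]$KB)
    # Get-HotFix lists installed Windows updates; HotFixID carries the KB number.
    $installed = Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $_.HotFixID -eq $KB }
    return [bool]$installed
}

function Get-Cve20200601Events {
    param([int]$Days = 30)
    # The patched crypt32.dll logs Event ID 1 from Microsoft-Windows-Audit-CVE
    # in the Application log when it rejects a certificate that tries to
    # exploit CVE-2020-0601. Unpatched hosts never write this event.
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-Audit-CVE'
        Id           = 1
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    try {
        # Get-WinEvent raises a terminating error when nothing matches.
        $events = Get-WinEvent -FilterHashtable $filter -ErrorAction Stop
    } catch {
        return @()
    }
    # The provider is shared across CVEs, so keep only the CVE-2020-0601 entries.
    return @($events | Where-Object { $_.Message -match 'CVE-2020-0601' })
}

if (Test-Cve20200601Patch -KB $PatchKB) {
    Write-Output "Update $PatchKB is installed."
} else {
    Write-Output "Update $PatchKB NOT found; this host is likely still vulnerable."
}

$hits = Get-Cve20200601Events -Days 30
Write-Output ("CVE-2020-0601 detection events in the last 30 days: {0}" -f $hits.Count)
$hits | Select-Object TimeCreated, Message | Format-List
```

An empty event list on a host where the update is missing says nothing about exposure, because the unpatched CryptoAPI cannot recognise the malformed certificate and therefore never logs it.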
Critical RCE Vulnerabilities in Windows Remote Desktop
Microsoft issued patches for three pre-authentication vulnerabilities in Windows Remote Desktop. A remote attacker could exploit two of them (CVE-2020-0609 and CVE-2020-0610) to connect to servers and execute arbitrary code without any user interaction. Having done so, the attacker could install programs; view, change, or delete data; or create new accounts with full administrator rights. The vulnerabilities are triggered by sending a specially crafted request to a vulnerable server.
An attacker could similarly exploit the third vulnerability (CVE-2020-0612) to mount a denial-of-service attack that crashes the RDP service.
The vulnerabilities affect the Windows Remote Desktop Client and RDP Gateway Server on all supported versions of Windows and Windows Server.
DHS and OCR’s Emergency Directives
The Department of Homeland Security judged the risk the vulnerabilities pose to the Federal enterprise to be unacceptable. It therefore released Emergency Directive 20-02, which requires all federal agencies to apply the patches to all affected systems within 10 business days and to put technical and/or management controls in place for new or previously disconnected endpoints.
Because of the seriousness of the vulnerabilities, the HHS Office for Civil Rights issued its own emergency directive to the healthcare and public sector. All entities should apply the patches without delay to prevent exploitation.