Off With A Bang: Microsoft’s First Patch Tuesday of 2020 is a Doozy
Starting 2020 off with a bang, Microsoft has released patches rectifying issues with Windows' CryptoAPI and Remote Desktop Gateway. Both of these services serve critical roles in a Windows infrastructure: CryptoAPI is essential to the function of TLS communications, and Authenticode signing is used to verify the publisher of software or a driver. Much scarier is CVE-2020-0609, which allows unauthenticated users to remotely execute code. Because Remote Desktop Gateway is frequently an outward-facing service, this is a particularly frightening bug and it requires every administrator's immediate attention.
CVE-2020-0601: Hiding in Plain Sight
The first implication of the flawed CryptoAPI implementation is that an attacker may be able to conduct a man-in-the-middle attack without the target's knowledge. Normally, as part of the TLS handshake, each party validates the certificate chain the other party sent. By verifying that chain up to a trusted certificate authority, the identities of all communicating parties are verified and the session is secured from curious third parties.
Using the vulnerability described in CVE-2020-0601, attackers may be able to impersonate other systems and users, allowing them to either intercept or modify traffic being sent between parties. Because so many products rely on CryptoAPI to secure and verify communication, this vulnerability has quite a large impact on the wider internet community.
This is the Executable You Are Looking For
The second function of CryptoAPI in Windows is verifying, by way of Authenticode digital signatures, that the author of a particular executable is who they claim to be. CVE-2020-0601 allows attackers to craft an executable that appears to be from a legitimate software manufacturer. Abusing these functions could allow attackers to update mission-critical software with vulnerable versions, or to install malicious drivers that provide system-level access to an attacker. As shown in the image below, when an executable that requires administrative access is opened, by default UAC asks the user for permission to start the application and shows the publisher of the application.
Without the patches Microsoft provided on 1/14/2020, it may be possible for an attacker to spoof legitimate software with malicious copies or updates. Attackers could also use this attack to bypass application whitelisting, a critical feature in an administrator's security toolset.
CVE-2020-0609: Nightmares Come True
One of the most common recommendations given is “Don’t expose RDP to the internet.” For many companies, Microsoft’s Remote Desktop Gateway allows users the convenience of RDP with extra security provided by wrapping the RDP protocol in SSL instead of exposing it directly to the internet. Microsoft is now reporting that “An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” all of this without authentication or user interaction, making it particularly dangerous.
Securing Your Infrastructure
Thankfully, both of these issues are well documented and, as of the time of this writing, updates are available for Windows 10, Server 2016, Server 2019, and Server Core 1803/1903/1909. Because this patch is so critical, it is important that organizations prioritize applying it along with the others released during the monthly Patch Tuesday. VDA would love to help your organization with security engineering, or to test the security of your staff against this and other advanced techniques; contact us about security engineering or security testing today.
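As an added example (not from the original post or from Microsoft), the following PowerShell script checks a host for the points raised above: whether the January 14, 2020 cumulative update is present, whether the patched CryptoAPI has logged any attempt to exploit CVE-2020-0601, and whether the host is an exposed RD Gateway. It assumes you fill in the KB number for your own OS build (placeholder below), and that the audit event is the one Microsoft documented for the patched CryptoAPI (Application log, source Microsoft-Windows-Audit-CNG, Event ID 1); confirm both against the current advisory.

```powershell
# Added example, not part of the original post. Placeholder: replace with the
# January 2020 cumulative update KB number for this host's OS build.
$KbForThisBuild = 'KB<JAN-2020-CUMULATIVE-FOR-YOUR-BUILD>'

# 1. Is the January 14, 2020 cumulative update installed?
$patch = Get-HotFix -Id $KbForThisBuild -ErrorAction SilentlyContinue
if ($patch) {
    "[OK]    $KbForThisBuild installed on $($patch.InstalledOn)"
} else {
    "[WARN]  $KbForThisBuild not found; CVE-2020-0601 (CryptoAPI) and CVE-2020-0609 (RD Gateway) fixes may be missing"
}

# 2. Assumption: once patched, CryptoAPI writes an Application-log audit event
#    (source Microsoft-Windows-Audit-CNG, Event ID 1) when it rejects a
#    certificate that the unpatched code would have accepted.
$filter = @{ LogName = 'Application'; ProviderName = 'Microsoft-Windows-Audit-CNG'; Id = 1 }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
if ($events) {
    "[ALERT] $(@($events).Count) CVE-2020-0601 spoofing attempt(s) audited; most recent:"
    $events | Select-Object -First 3 TimeCreated, Message | Format-List
} else {
    "[OK]    no CryptoAPI certificate-spoofing audit events recorded"
}

# 3. Is this host running RD Gateway (service TSGateway), and where is it
#    listening? RD Gateway uses TCP 443 and UDP 3391.
$gw = Get-Service -Name TSGateway -ErrorAction SilentlyContinue
if ($gw -and $gw.Status -eq 'Running') {
    "[INFO]  RD Gateway is running; CVE-2020-0609 needs no authentication, so limit exposure until $KbForThisBuild is installed"
    Get-NetTCPConnection -LocalPort 443 -State Listen -ErrorAction SilentlyContinue |
        Select-Object LocalAddress, LocalPort
    Get-NetUDPEndpoint -LocalPort 3391 -ErrorAction SilentlyContinue |
        Select-Object LocalAddress, LocalPort
} else {
    "[OK]    RD Gateway service not running on this host"
}
```

Run it in an elevated session on each candidate host; Get-HotFix and the TSGateway service only report what is installed locally, so RD Gateway roles on other servers need their own check.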