This post was originally published on January 14, 2020
Critical Vulnerabilities in Microsoft Windows Operating Systems (January 2020)
Summary:
On January 14, 2020, Microsoft released software fixes to address 49 vulnerabilities as part of their monthly Patch Tuesday announcement. Among the vulnerabilities patched were critical weaknesses in Windows CryptoAPI and Windows Remote Desktop Protocol (RDP) server and client. An attacker could remotely exploit these vulnerabilities to decrypt, modify, or inject data on user connections:
- CryptoAPI spoofing vulnerability – CVE-2020-0601: This vulnerability affects all machines running 32- or 64-bit Windows 10 operating systems, including Windows Server versions 2016 and 2019. This vulnerability allows Elliptic Curve Cryptography (ECC) certificate validation to bypass the trust store, enabling unwanted or malicious software to masquerade as authentically signed by a trusted or trustworthy organization. This could deceive users or thwart malware detection methods such as antivirus. Additionally, a maliciously crafted certificate could be issued for a hostname that did not authorize it, and a browser that relies on Windows CryptoAPI would not issue a warning, allowing an attacker to decrypt, modify, or inject data on user connections without detection.
- Multiple Windows RDP vulnerabilities – CVE-2020-0609, CVE-2020-0610, and CVE-2020-0611: These vulnerabilities affect Windows Server 2012 and newer. In addition, CVE-2020-0611 affects Windows 7 and newer. These vulnerabilities, in the Windows Remote Desktop client and the RD Gateway server, allow remote code execution, meaning an attacker could run arbitrary code on the affected system. The server vulnerabilities do not require authentication or user interaction and can be exploited by a specially crafted request. The client vulnerability can be exploited by convincing a user to connect to a malicious server.
It is strongly recommended that both organizations and end users install these critical patches as soon as possible. Organizations can deploy these updates via WSUS, SCCM, or another patch management system. End users should use:
- (Windows 7/8 & Server 2008+) – Windows Update from the control panel
- (Windows 10 & Server 2016+) – Update & Security area on Windows 10 (Click START -> SETTINGS WHEEL -> UPDATE & SECURITY)
Applies To:
- Workstation O/S: Windows 7, Windows 8, Windows 8.1, Windows 10
- Server O/S: Server 2008 R2, Server 2012, Server 2012 R2, Server 2016, Server 2019
Technical Details:
CryptoAPI Spoofing Vulnerability – CVE-2020-0601
A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates ECC certificates. According to Microsoft, “an attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source. The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider.” Additionally, “a successful exploit could also allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software.”
A cyber attacker could exploit CVE-2020-0601 to obtain sensitive information, such as financial information, or run malware on a targeted system; for example:
- A maliciously crafted certificate could appear to be issued for a hostname that did not authorize it, preventing a browser that relies on Windows CryptoAPI from validating its authenticity and issuing warnings. If the certificate impersonates a user’s bank website, their financial information could be exposed.
- Signed malware can bypass protections (e.g., antivirus) that only run applications with valid signatures. Malicious files, emails, and executables can appear legitimate to unpatched users.
The Microsoft Security Advisory for CVE-2020-0601 addresses this vulnerability by ensuring that Windows CryptoAPI completely validates ECC certificates.
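The sentence above describes the fix only as "completely validating ECC certificates". One concrete policy a defender can enforce on their own side, independent of the platform validator, is to reject ECC certificates whose SubjectPublicKeyInfo carries explicit curve parameters instead of a named-curve OID (the explicit-parameters encoding is what CVE-2020-0601 abused; that detail is not stated on the page). The following is an added example, not code from the original advisory or from Microsoft: a minimal DER walker that classifies an SPKI, with both sample keys constructed inline (the public-key point bytes are stand-ins, not real keys).

```python
"""Classify an X.509 SubjectPublicKeyInfo (DER) as named-curve, explicit-parameters, or not EC.

Added example. The DER samples at the bottom are constructed for the demo;
only the ASN.1 shape matters to the policy, the key bytes are filler.
"""

OID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"   # id-ecPublicKey
OID_PRIME256V1 = "1.2.840.10045.3.1.7"    # NIST P-256 named curve
OID_PRIME_FIELD = "1.2.840.10045.1.1"     # prime-field (used only in the constructed sample)


def _der_len(n: int) -> bytes:
    """Encode a DER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _encode_oid(dotted: str) -> bytes:
    """Encode a dotted OID string as a DER OBJECT IDENTIFIER (tag 0x06)."""
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for v in parts[2:]:
        chunk = bytearray([v & 0x7F])
        v >>= 7
        while v:
            chunk.insert(0, 0x80 | (v & 0x7F))
            v >>= 7
        out += chunk
    return _tlv(0x06, bytes(out))


def _decode_oid(body: bytes) -> str:
    """Decode the body of a DER OBJECT IDENTIFIER back to dotted form."""
    arcs = [body[0] // 40, body[0] % 40]
    v = 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(str(a) for a in arcs)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, body, next_pos) for the DER element starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def classify_spki(spki_der: bytes):
    """Return (verdict, curve_oid). Verdicts: 'named-curve', 'explicit-parameters', 'not-ec'.

    Policy: only 'named-curve' should be accepted for ECC keys. Explicit
    ECParameters let an issuer-looking key be presented over a different
    generator, so they are rejected outright.
    """
    _, spki, _ = _read_tlv(spki_der, 0)          # SubjectPublicKeyInfo ::= SEQUENCE
    _, alg, _ = _read_tlv(spki, 0)               # AlgorithmIdentifier ::= SEQUENCE
    tag, oid_body, nxt = _read_tlv(alg, 0)       # algorithm OBJECT IDENTIFIER
    if tag != 0x06 or _decode_oid(oid_body) != OID_EC_PUBLIC_KEY:
        return ("not-ec", None)
    ptag, pbody, _ = _read_tlv(alg, nxt)         # parameters: OID (named) or SEQUENCE (explicit)
    if ptag == 0x06:
        return ("named-curve", _decode_oid(pbody))
    return ("explicit-parameters", None)


def build_spki(params: bytes, point: bytes = b"\x04" + b"\x11" * 64) -> bytes:
    """Assemble a constructed SPKI: SEQUENCE { SEQUENCE { ecPublicKey, params }, BIT STRING }."""
    alg = _tlv(0x30, _encode_oid(OID_EC_PUBLIC_KEY) + params)
    return _tlv(0x30, alg + _tlv(0x03, b"\x00" + point))


# Constructed sample 1: the normal case, parameters are the P-256 OID.
NAMED_CURVE_SPKI = build_spki(_encode_oid(OID_PRIME256V1))

# Constructed sample 2: explicit ECParameters SEQUENCE { version, fieldID, curve, base, order, cofactor }.
# Field contents are placeholders; the outer SEQUENCE tag is what the policy keys on.
_EXPLICIT_PARAMS = _tlv(0x30,
    _tlv(0x02, b"\x01")                                                   # version 1
    + _tlv(0x30, _encode_oid(OID_PRIME_FIELD) + _tlv(0x02, b"\x7f"))      # fieldID (placeholder prime)
    + _tlv(0x30, _tlv(0x04, b"\x01") + _tlv(0x04, b"\x02"))               # curve a, b (placeholders)
    + _tlv(0x04, b"\x04" + b"\x22" * 64)                                  # base point (placeholder)
    + _tlv(0x02, b"\x7f")                                                 # order (placeholder)
    + _tlv(0x02, b"\x01"))                                                # cofactor
EXPLICIT_PARAMS_SPKI = build_spki(_EXPLICIT_PARAMS)

if __name__ == "__main__":
    for label, spki in (("named", NAMED_CURVE_SPKI), ("explicit", EXPLICIT_PARAMS_SPKI)):
        print(label, classify_spki(spki))
```

In practice the SPKI bytes come from a parsed certificate (for example the `subjectPublicKeyInfo` field of every certificate in a chain, not just the leaf), and the same rejection is applied to each.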
MICROSOFT KB ARTICLE INFORMATION FOR CVE-2020-0601:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601
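Once the update is installed, the patched CryptoAPI records an Event ID 1 in the Windows Application log from the source Microsoft-Windows-Audit-CVE whenever it rejects a certificate that would have passed before the fix; the message begins with "[CVE-2020-0601] cert validation". The following is an added example, not part of the original advisory: detection logic run over exported event records, so that a SOC can see which hosts are seeing exploitation attempts. The record layout (the field names and the sample events) is constructed for the demo; the provider name, event ID and message prefix are the documented ones.

```python
"""Summarise Microsoft-Windows-Audit-CVE events for CVE-2020-0601 across hosts.

Added example. The SAMPLE_EVENTS list is constructed to resemble an export
of Application-log records; field names are an assumption of this demo.
"""
import re
from collections import defaultdict

AUDIT_CVE_PROVIDER = "Microsoft-Windows-Audit-CVE"
AUDIT_CVE_EVENT_ID = 1
CVE_PATTERN = re.compile(r"\[(CVE-\d{4}-\d{4,})\]")

# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"TimeCreated": "2020-01-15T09:12:01Z", "MachineName": "ws-101",
     "ProviderName": AUDIT_CVE_PROVIDER, "Id": 1,
     "Message": "[CVE-2020-0601] cert validation"},
    {"TimeCreated": "2020-01-15T09:12:05Z", "MachineName": "ws-101",
     "ProviderName": "Microsoft-Windows-Security-SPP", "Id": 16384,
     "Message": "Successfully scheduled Software Protection service"},
    {"TimeCreated": "2020-01-15T09:14:40Z", "MachineName": "ws-101",
     "ProviderName": AUDIT_CVE_PROVIDER, "Id": 1,
     "Message": "[CVE-2020-0601] cert validation"},
    {"TimeCreated": "2020-01-15T10:02:13Z", "MachineName": "srv-gw-01",
     "ProviderName": AUDIT_CVE_PROVIDER, "Id": 1,
     "Message": "[CVE-2020-0601] cert validation"},
    {"TimeCreated": "2020-01-15T10:05:00Z", "MachineName": "srv-gw-01",
     "ProviderName": AUDIT_CVE_PROVIDER, "Id": 1,
     "Message": "[CVE-9999-0000] some other audited condition"},  # constructed: not our CVE
]


def is_cve_2020_0601_event(event: dict) -> bool:
    """True only for Audit-CVE Event ID 1 records whose message names CVE-2020-0601."""
    if event.get("ProviderName") != AUDIT_CVE_PROVIDER or event.get("Id") != AUDIT_CVE_EVENT_ID:
        return False
    match = CVE_PATTERN.search(event.get("Message", ""))
    return bool(match) and match.group(1) == "CVE-2020-0601"


def summarise_by_host(events) -> dict:
    """Map host name -> {'count': n, 'first': ts, 'last': ts} for CVE-2020-0601 detections."""
    summary = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        if not is_cve_2020_0601_event(ev):
            continue
        entry = summary[ev["MachineName"]]
        entry["count"] += 1
        entry["first"] = entry["first"] or ev["TimeCreated"]
        entry["last"] = ev["TimeCreated"]
    return dict(summary)


if __name__ == "__main__":
    for host, stats in summarise_by_host(SAMPLE_EVENTS).items():
        print(f"{host}: {stats['count']} rejection(s) between {stats['first']} and {stats['last']}")
```

A host that never logs this event is not thereby shown to be patched; the event only fires on a patched system that actually encounters a crafted certificate, so patch status still has to be verified from the update inventory.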
Windows Remote Desktop Server Vulnerabilities – CVE-2020-0609/CVE-2020-0610
According to Microsoft, “A remote code execution vulnerability exists in Windows Remote Desktop Gateway (RD Gateway) when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction.”
CVE-2020-0609/CVE-2020-0610 specifics:
- Affects all supported Windows Server versions (Server 2012 and newer; support for Server 2008 ends January 14, 2020);
- Occurs pre-authentication; and
- Requires no user interaction to perform.
The Microsoft Security Advisories for CVE-2020-0609 and CVE-2020-0610 address these vulnerabilities.
MICROSOFT KB ARTICLE INFORMATION FOR CVE-2020-0609 & 0610:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0609
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0610
Windows Remote Desktop Client vulnerability – CVE-2020-0611
According to Microsoft, “A remote code execution vulnerability exists in the Windows Remote Desktop Client when a user connects to a malicious server. An attacker who successfully exploited this vulnerability could execute arbitrary code on the computer of the connecting client.”
CVE-2020-0611 requires the user to connect to a malicious server via social engineering, DNS poisoning, a man-in-the-middle attack, or by the attacker compromising a legitimate server.
The Microsoft Security Advisory for CVE-2020-0611 addresses this vulnerability.
MICROSOFT KB ARTICLE INFORMATION FOR CVE-2020-0611:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0611
Impacts:
A successful network intrusion can have severe impacts, particularly if the compromise becomes public and sensitive information is exposed. Possible impacts include:
- Temporary or permanent loss of sensitive or proprietary information
- Disruption to regular operations
- Financial losses relating to restoring systems and files
- Potential harm to an organization’s reputation