It has come to our attention that there is a security risk that could affect some customers. It involves Windows Remote Desktop Gateway (RD Gateway) and Windows Remote Desktop Client vulnerabilities.
These vulnerabilities could allow an attacker to take over vulnerable Windows servers or Windows endpoints by initiating an RDP connection and sending specially crafted requests. If successfully exploited this code execution occurs at the level of the server and do not require authentication or user interaction. An attacker could then install programs, view, and change or delete data.
Microsoft has released a High-level security advisory. They have said that there is a critical Windows RD Gateway and Windows Remote Desktop Client vulnerabilities – CVE-2020-0609, CVE-2020-0610, and CVE-2020-0611:
- These vulnerabilities affect Windows Server 2012 and newer. In addition, CVE-2020-0611 affects Windows 7 and newer.
Currently, “these vulnerabilities—in the Windows Remote Desktop Client and RD Gateway Server – allow for remote code execution, where arbitrary code could be run freely. The server vulnerabilities do not require authentication or user interaction and can be exploited by a specially crafted request. The client vulnerability can be exploited by convincing a user to connect to a malicious server.”[1]
Windows RD Gateway Vulnerabilities – CVE-2020-0609/CVE-2020-0610
- Affects all supported Windows Server versions (Server 2012 and newer; support for Server 2008 ends January 14, 2020);
- Occurs pre-authentication; and
- Requires no user interaction to perform.
Windows Remote Desktop Client Vulnerability – CVE-2020-0611
- CVE-2020-0611 requires the user to connect to a malicious server via social engineering, Domain Name Server poisoning, a man in the middle attack, or by the attacker compromising a legitimate server.
Microsoft has already released software fixes to address this vulnerability as part of their monthly Patch Tuesday.
We advise that you patch the affect machines ASAP by installing all January 2020 patches to effectively mitigate the vulnerability on all Windows 10 and Windows Server 2016/2019 systems.
As of the time of this Security Advisory Notice we are unaware of active exploitation of these vulnerabilities. However, because patches have been publicly released, the underlying vulnerabilities can be reverse-engineered to create exploits that target unpatched systems.
How do I Remediate?
Apply the relevant patches for Windows RD Gateway Vulnerabilities – CVE-2020-0609/CVE-2020-0610 from the below links:
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0609
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0610
Prioritise patching by starting with mission critical systems, internet facing systems, and networked servers. Organizations should then prioritize patching other affected IT/OT assets.
Apply the relevant patch for Windows Remote Desktop Client Vulnerability – CVE-2020-0611 from the below link:
Release Notes available here:
How Can Ward Help?
If you would like additional information or would like support in assessing and protecting your environment, please contact us.
References:
Alert (AA20-014A), Critical Vulnerabilities in Microsoft Windows Operating Systems, Available from: