Immediately Patch Windows Vulnerabilities Warns DHS and OCR

On January 14, 2020, Microsoft issued patches to correct critical vulnerabilities in Windows and Windows Server that have a high potential of being weaponized and used in attacks against U.S. organizations and government entities.

Each Patch Tuesday, Microsoft fixes recently discovered vulnerabilities, some of which are being actively exploited in the wild. None of the vulnerabilities addressed by Microsoft this month were being exploited in the wild at the time the patches were released, but their severity has prompted the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Health and Human Services’ Office for Civil Rights (OCR) to issue emergency directives urging immediate patching to correct the flaws. There is a strong probability that weaponized exploits for the vulnerabilities will be developed and used in widespread attacks in the near future.

The CISA emergency directive instructs all federal agencies to ensure the vulnerabilities are corrected on all endpoints within 10 days, and to implement technical and/or management controls on all newly provisioned devices and previously disconnected endpoints.

The OCR emergency directive to healthcare and public health organizations warns that immediate patching is required due to the likelihood of the vulnerabilities being weaponized, the extensive use of vulnerable software platforms in healthcare, and the high potential for a compromise of the integrity and confidentiality of information.

One vulnerability – CVE-2020-0601 – was discovered by the National Security Agency and reported to Microsoft. This is the first time that the NSA has reported a vulnerability to a software vendor rather than keeping it under wraps for use in its own offensive activities. The decision appears to have been taken because of the high potential of the vulnerability being discovered, weaponized and used in widespread attacks in the U.S.

The NSA has rated the vulnerability critical, while Microsoft has rated it important. Either way, its seriousness should not be underestimated: it could be weaponized and used by remote threat actors to intercept sensitive data, gain access to networks, and install malware.

The vulnerability is present in the Windows CryptoAPI and stems from how it validates Elliptic Curve Cryptography (ECC) certificates. If exploited, an attacker could sign malicious code with a seemingly legitimate ECC certificate, making it appear that the code was signed by a trusted organization. The flaw could also be exploited in a man-in-the-middle attack to decrypt, modify, or inject data on user connections without detection. It affects not only Windows and Windows Server but also the many browsers and applications that rely on the Windows CryptoAPI.

“The consequences of not patching the vulnerability are severe and widespread. Remote exploitation tools will likely be made quickly and widely available. Rapid adoption of the patch is the only known mitigation at this time and should be the primary focus for all network owners,” warns the NSA.

Microsoft has also patched three critical vulnerabilities in Windows Remote Desktop. The flaws could be exploited remotely with no user interaction required. All three are pre-authentication and could be exploited by sending a specially crafted packet to a vulnerable server.

CVE-2020-0609 and CVE-2020-0610 could allow remote code execution on a vulnerable server, allowing programs to be installed and data to be stolen, modified, or deleted. CVE-2020-0612 could be exploited in a denial of service attack that would crash the RDP system.

The vulnerabilities are in the Windows Remote Desktop Client and affect all supported versions of Windows and Windows Server. RDP Gateway Server is also affected.

Prompt patching is essential. There are no workarounds or other mitigations that will prevent exploitation.