This past Tuesday, January 14th was quite the Patch Tuesday from Microsoft. We’re going to take a little bit of time to talk about some of the more critical vulnerabilities. Specifically, CVE 2020-0601 (CryptoAPI, “Curveball”), 2020-0609 (Remote Desktop Gateway remote code execution), and 2020-0610 (Remote Desktop Gateway RCE).
CVE-2020-0601 Microsoft CryptoAPI, AKA “Curveball”
This particular vulnerability has stolen the show this month. We sent out a brief newsletter to our customers describing this vulnerability and labeling it as a priority for patching, but I wanted to discuss this vulnerability a little bit further. This is due to a couple of different interesting factors.
First and foremost, this issue was reported by the National Security Agency, who have been in hot water the past few years regarding the loss of various hacking tools and vulnerabilities presumably utilized as a part of their intelligence missions. These tools have since been repurposed and utilized by various bad actors all over the internet from ransomware operators to rival nation-states. Regardless of where you stand on the NSA and how they do their job, it's a net positive that they reported this issue.
So, what exactly does this vulnerability exploit? The Microsoft CryptoAPI is, more or less, the basis of all cryptological functionality (e.g. encryption and decryption of data) on Windows. Its code is kind of fundamental to how the operating system establishes trust with various functions, applications, websites, etc.
This is a vulnerability in “crypt32.dll”, which is a core component for handling certificates and cryptographic messaging. In plain English, this vulnerability affects the Operating System’s ability to verify legitimately signed executables and/or the certificates used to protect websites utilizing TLS/SSL. This vulnerability could allow attackers to spoof website and/or code signing certificates, fooling the Operating System into trusting code or websites that should not be trusted.
Microsoft has an advisory for the vulnerability, and the NSA has written a detailed report (pdf link) on this issue as well. On top of that, several security researchers and organizations (warning: this is a link that WILL test your web browser if you click it) have released Proof of Concept code and websites that can be used to test whether or not your systems are affected by this vulnerability.
Mitigations for this vulnerability are rather limited. The NSA writeup suggests you can use SSL/TLS interception devices that are NOT Windows-based to validate the SSL certificates and protect your users from spoofed SSL certs. Aside from that? You can inspect the code signing certificates for executables manually. I’m not saying it's a good mitigation, but it is a mitigation.
CVE-2020-0609, 2020-0610 Remote Desktop Gateway RCEs
Remote Desktop Gateway is probably best described as a sort of VPN or Gateway that can be used to secure Remote Desktop Protocol access to your systems without having to expose RDP connections to the world. It's like a Citrix gateway, except built by Microsoft–which is an interesting comparison, considering both are plagued with Remote Code Execution vulnerabilities currently.
As of my writing this, there is little that is publicly available in terms of what aspects of Remote Desktop Gateway this vulnerability affects, other than it being a pre-authentication vulnerability (that is, attackers don’t need proper credentials to attack the service). As of yet, there are no publicly available proof of concept exploits; however, researchers have been able to crash the service, and they are claiming to have written tools to scan for the vulnerability. This likely means that a public proof of concept exploit and/or a vulnerability scanner is well on its way.
Edit - 1/21/2020: A few days ago, a blog post by Kryptos Logic showed the results of doing a patch diff for CVE-2020-0909 and 2020-0610. Patch diff’ing is when you take the contents of a patch and compare it against the code it is modifying. This allows you to determine the nature of the vulnerability being patched. In this case, these vulnerabilities both involve Remote Desktop Gateway’s capability to handle UDP connections.
CVE-2020-0609 is a vulnerability that has to do with how Remote Desktop Gateway is programmed to reassemble fragmented UDP streams. As many are aware, UDP is a connectionless, fire-and-forget network protocol that does not care about reliability. It is in no way session oriented. Since RDG handles UDP connections, it's important that they implement something in place to ensure that UDP packets and fragments are in the proper order. So, there is a buffer in memory that is allocated for receiving UDP packets as a part of connection and reassembling the stream of UDP data in the proper order. The vulnerability is that data can be written outside of the memory/buffer allocated for stream reassembly.
CVE-2020-0610 is a vulnerability that has to do with how RDG keeps track of the number of UDP fragments it is reassembling. RDG can handle a maximum of 64 UDP fragments, whereas the IPv4 network field fragment_id has a maximum value of 65,535, an order of magnitude higher. The end result is the ability to write a value outside of the bounds of the array used for tracking these fragments. While the blog post acknowledges that this is a miniscule amount of data, it is still a cause for concern.
So, what can be done to mitigate this if you cannot patch it? Well, the vulnerability is in how RDG handles UDP connections specifically, so you can perform one of two actions to mitigate the vulnerability:
- Block access to port 3191/UDP to your Remote Desktop Gateway servers
- Disable the UDP transport option for the Remote Desktop Gateway servers
Honorable Mention: CVE-2020-0654 OneDrive for Android
The last Patch Tuesday entry is for the OneDrive client for Google Android smart devices. OneDrive is Microsoft's cloud storage service.
The vulnerability is described as a security bypass that could allow attackers with physical access to the Android device to potentially bypass passcodes or fingerprint biometric security. Other than those details, the advisory page mentions that “The security update addresses the vulnerability by correcting the way Microsoft OneDrive App for Android handles sharing links.”
While not as high priority as the previously mentioned vulnerabilities, it is advised to keep your Android devices up to date.
Keep It Secret, Keep It Safe
As always, we at Hurricane Labs wish you the best, and we strive to keep you informed on the latest threats to your users and data, as well as what you can do to protect yourself. Until next time, stay safe.