On January 14th, 2020 (Patch Tuesday), Microsoft released patches for a severe vulnerability Window’s cryptographic subsystems and critical vulnerabilities in Windows Server Remote Desktop (RDP) Gateway. These Microsoft vulnerabilities are considered critical and the Cyber Fusion Center strongly recommends applying these patches as soon as possible. Kudelski Security expects active exploitation in the near future.

The U.S National Security Agency released an advisory regarding a vulnerability in a cryptographic library (Crypt32.dll) used in Microsoft Windows 10, Windows Server 2016, and Windows Server 2019 (CVE-2020-0601). This issue impacts the verification of elliptic curve cryptography (ECC) signatures in security certificates. The verification of such certificates has been discovered to be defective and may allow an attacker to incorrectly validate a forged certificate. Successful exploitation of this issue has been shown to allow for interception, modification, and decryption of TLS / HTTP(s) traffic by attackers in privileged network positions. Additionally, this may allow attackers to successfully bypass code-signing requirements on Windows systems or bypass Device Guard application whitelisting solutions.

Kudelski Security’s research team has been able to successfully exploit this vulnerability to issue spoofed HTTPs certificates considered valid by Windows 10, Windows Server 2016, and Windows Server 2019:

https://research.kudelskisecurity.com/2020/01/15/cve-2020-0601-the-chainoffools-attack-explained-with-poc/

Additionally, Kudelski Security has released a public POC available on our Github page:

https://github.com/kudelskisecurity/chainoffools

This “Patch Tuesday” also included patches for multiple critical vulnerabilities in Windows Remote Desktop (RDP) Gateways. These critical vulnerabilities lead to unauthenticated Remote Code Execution (RCE) with SYSTEM privileges. Such vulnerabilities could be leveraged by attackers to remotely compromise systems without authentication or user interaction. Remote Desktop Gateways allow organizations to centralize Remote Desktop services and provide remote access to Windows endpoints and servers without a VPN, provide web-based RDP user experiences, and more.

Description

Microsoft released patches for a severe vulnerability Window’s cryptographic subsystems and critical vulnerabilities in Windows Server Remote Desktop (RDP) Gateway. Kudelski Security expects active exploitation in the near future. As such, the Cyber Fusion Center strongly recommends mitigating these issues as soon as possible.

The Microsoft Windows cryptographic subsystem vulnerability was publicly disclosed jointly by Microsoft and the U.S National Security Agency (NSA) after being successfully patched by Microsoft. Microsoft and the NSA have publicly stated that that they’ve not observed any exploitation of this vulnerability. Additionally, Kudelski Security has been able to leverage this vulnerability to successfully to issue spoofed HTTPs certificates considered valid by Windows 10, Windows Server 2016, and Windows Server 2019 and has released public Proof Of Concept code (POC) on our github page. Please review the sources linked in this document for our blog post and links to the POC code.

The vulnerability is in a cryptographic library (Crypt32.dll) used in Microsoft Windows 10, Windows Server 2016, and Windows Server 2019 (CVE-2020-0601). This issue impacts the verification of elliptic curve cryptography (ECC) signatures in security certificates. The verification of such certificates has been discovered to be defective and may allow an attacker to incorrectly validate a forged certificate. Successful exploitation of this issue has been shown to allow for interception, modification, and decryption of TLS / HTTP(s) traffic by attackers in privileged network positions. Additionally, this may allow attackers to successfully bypass code-signing requirements on Windows systems or bypass Windows Device Guard or other application whitelisting solutions.

Additionally, Microsoft has released patches for multiple critical vulnerabilities in Windows Remote Desktop (RDP) Gateways. These critical vulnerabilities may lead to unauthenticated Remote Code Execution (RCE) with SYSTEM privileges. These vulnerabilities could be leveraged by attackers to remotely compromise systems without requiring to validate credentials or user interaction. Remote Desktop Gateways allow organizations to centralize Remote Desktop services and provide remote access to Windows endpoints and servers without a VPN, provide web-based RDP user experiences, and more.

It’s important to note that Remote Desktop (RD) Gateway is a separate application rather traditional Remote Desktop Protocol. Organizations looking to identify any potentially exposed RD gateways should look for systems exposing UDP port 3391 (not the traditional RDP Port on TCP 3389) along with Remote Desktop Web Services on HTTPs (TCP/443).

Kudelski Security expects to see attackers leveraging these Remote Desktop Gateway vulnerabilities to compromise unpatched systems in the near future due to the prevalence of the technology and the ability to compromise critical systems without authentication or user interaction. As such, we strongly recommend that clients apply these patches as quickly as possible.

Detection

Microsoft Windows Crypto Subsystem issue

Organizations who do not currently have Kudelski Security Cyber Fusion Center’s Threat Monitoring and Hunting services may want to ensure Windows Application Logs are being centrally collected and monitored. Microsoft has introduced a new Windows Event source named “Microsoft-Windows-Audit-CVE”. Microsoft Windows will now write events to the local Windows application logs with this source if there are attempts to exploit this vulnerability. Note that the Windows Event source will only be available after the latest patches have been applied.

Additionally, it’s possible to detect potentially invalid TLS certificates being used to exploit this vulnerability by intercepting TLS packets and checking certificate signature for uncommon elliptic curve parameters. By analyzing TLS traffic, the “ServerHello/Certificate/ServerHelloDone” packet contains the certificate which should be checked for possible forgery.

Additionally, the Cyber Fusion Center is actively working with our vendor partners to ensure we can actively detect attempted exploitation of this vulnerability. For customers with the Cyber Fusion Center’s Endpoint Detection and Response service will be proactive notified if potential exploitation is detected.

Microsoft Remote Desktop Gateway issues

Organizations who do not currently have Kudelski Security Cyber Fusion Center’s Threat Monitoring and Hunting services or our vulnerability scanning services may want to identify exposed versions of Web Services for remote desktop or systems that respond to UDP port 3391. Several vendors have released IDS or IPS detection signatures.

Additionally, the Cyber Fusion Center is actively working with our vendor partners to ensure we can actively detect attempted exploitation of these vulnerabilities. For customers with the Cyber Fusion Center’s Endpoint Detection and Response service will be proactive notified if potential exploitation is detected.

Mitigation and Response

The Cyber Fusion Center is actively working with our vendor partners to ensure we can actively detect attempted exploitation of these vulnerabilities. For customers with the Cyber Fusion Center’s Endpoint Detection and Response or Threat Monitoring services will be proactive notified if potential exploitation is detected.

For customers with the Cyber Fusion Center’s vulnerability scanning service will be proactively notified if any vulnerable Remote Desktop gateway systems are detected.

Sources