CredManifest: Azure AD Information Disclosure Leading to Privilege Escalation & Free Tool Released

Summary

On November 17th, 2021 Microsoft disclosed the existence of a high severity information disclosure vulnerability impacting Azure Active Directory (Azure AD) that could allow any authenticated Azure AD user to escalate their privileges. Azure AD is Microsoft’s Identity and Access Management system used by Azure Cloud and Office 365. The vulnerability, dubbed “CredManifest” (CVE-2021-42306), existed because Azure incorrectly wrote private certificate data in cleartext in Application and Service Principal Manifests. These manifests can be read by any authenticated Azure AD user by default.

Successful exploitation of this vulnerability could have allowed an attacker with access to any account in a target’s Azure AD environment to read private certificates from manifests. Attackers could then leverage those certificates to authenticate as the application with the “contributor” role, granting them full access to manage all Azure resources.

Microsoft has since mitigated the vulnerability by restricting access to the “keyCredentials” property in Application and Service Principal manifests as of October 30th, 2021. Restricting access to the property which contains the private certificate data ensures that attackers can no longer access the sensitive data. However, it’s possible that attackers gathered these credentials before Microsoft became aware of the issue and thus may still have access to privileged credentials for impacted environments. The Cyber Fusion Center strongly recommends that organizations identify impacted Application registrations and Service Principals, rotate those certificates as quickly as possible, and investigate Azure AD audit logs for suspicious activity from the associated accounts.

For additional details on how to identify impacted App registrations & Service Principals, please review the “solution” section of this advisory.

Affected Azure AD Services

Azure AD service and impacted scenarios:

• Azure AD Automation with “Run As” accounts enabled: Any Azure AD automation accounts created with “Run As” accounts generated between 10/15/2020 and 10/15/2021 are impacted. Automation accounts created with Managed Identities are not impacted.
• Azure Migrate service: Azure Migrate appliances registered prior to 11/02/2021 or registered with auto-update disabled are impacted.
• Azure Site Recovery (ASR): Users who deployed the preview version of VMware to Azure DR with Azure Site Recovery before 11/01/2021 are impacted.
• Azure AD Applications and Service Principals: Please review the “solution” section of this advisory to identify impacted Azure AD Apps & Service Principals.

Solution

Microsoft has updated Azure software to mitigate and resolve the issue; however, certain Application and Service Principal credentials must be rotated to fully remediate the issue. Please follow the guidance listed in this advisory and Microsoft’s remediation guide to identify credentials that must be rotated.

CFC Releases Free Tool to check for impacted Applications & Accounts

The Cyber Fusion Center has also created a free tool to allow organizations to identify impacted Automation “Run-As” accounts, Application Registrations, and Service Principals. The tool allows Azure AD administrators to easily see impacted credentials that need to be rotated. The free tool is available at the following location:

https://credmanifest.kudelskisecurity.com

Once an organizational administrator has granted read-only access to the tool, organizations will be able to see the impacted Applications:

Screenshot: a listing of applications that are impacted and should have their credentials rotated

Manually Identifying Impacted Applications, Service Principals, and Run-As Accounts

Microsoft has enhanced manifests on impacted objects to return new properties that help identify impacted credentials that must be rotated. Organizations can identify impacted Azure AD Apps and Service Principals by looking for a “hasExtendedValue” property set to true within the “keyCredentials” object.

Below is an example of an *impacted* credential (notice the hasExtendedValue property set to True):

{
    "@odata.context": "https://graph.microsoft.com/beta/$metadata#applications(keyCredentials)/$entity",
    "keyCredentials": [
        {
            "customKeyIdentifier": "7A28B6653D0319E69D27E74580E7C91D765AF867",
            "endDateTime": "2021-05-21T03:35:32Z",
            "keyId": "772faab4-9b59-456e-b73e-baadbfa4b92d",
            "startDateTime": "2020-05-21T03:15:32Z",
            "type": "AsymmetricX509Cert",
            "usage": "Verify",
            "key": "MIIDKzCC……",
            "displayName": "CN=MyCert",
            "hasExtendedValue": true
        }
    ]
}
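The check described above, as an added example (not the CFC tool or Microsoft’s scripts): it walks paged Graph listings of applications or service principals, shaped like the manifest excerpt, and reports every keyCredential Microsoft has flagged with hasExtendedValue. The URLs, the get callable and the sample pages are constructed stand-ins so it runs offline.

```python
"""Find Azure AD app registrations / service principals whose keyCredentials
carry hasExtendedValue == true, i.e. credentials that must be rotated.

Added example; not the advisory's tool nor Microsoft's scripts. It assumes the
Graph beta listings (shaped like the manifest excerpt above) are fetched page
by page via a 'get(url) -> dict' callable. The pages and URLs below are
constructed stand-ins so the code runs offline.
"""
from datetime import datetime, timezone

# Constructed stand-in for the paged responses to
#   GET https://graph.microsoft.com/beta/applications?$select=displayName,appId,keyCredentials
SAMPLE_PAGES = {
    "https://graph.example/applications?page=1": {
        "value": [
            {"displayName": "Billing Connector",
             "appId": "00000000-0000-4000-8000-000000000001",
             "keyCredentials": [{
                 "customKeyIdentifier": "7A28B6653D0319E69D27E74580E7C91D765AF867",
                 "keyId": "772faab4-9b59-456e-b73e-baadbfa4b92d",
                 "endDateTime": "2022-05-21T03:35:32Z",
                 "type": "AsymmetricX509Cert", "usage": "Verify",
                 "hasExtendedValue": True}]},
            {"displayName": "Managed-Identity App",
             "appId": "00000000-0000-4000-8000-000000000002",
             "keyCredentials": []},
        ],
        "@odata.nextLink": "https://graph.example/applications?page=2",
    },
    "https://graph.example/applications?page=2": {
        "value": [
            {"displayName": "Legacy Run-As",
             "appId": "00000000-0000-4000-8000-000000000003",
             "keyCredentials": [
                 {"customKeyIdentifier": "AB12", "keyId": "k-expired",
                  "endDateTime": "2021-05-21T03:35:32Z",
                  "type": "AsymmetricX509Cert", "usage": "Verify",
                  "hasExtendedValue": True},
                 {"customKeyIdentifier": "CD34", "keyId": "k-clean",
                  "endDateTime": "2023-01-01T00:00:00Z",
                  "type": "AsymmetricX509Cert", "usage": "Verify"}]},
        ],
    },
}


def sample_get(url):
    """Offline replacement for an authenticated Graph GET (constructed)."""
    return SAMPLE_PAGES[url]


def iterate_pages(first_url, get):
    """Yield every object of an OData listing, following @odata.nextLink."""
    url = first_url
    while url:
        page = get(url)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")


def parse_graph_time(value):
    """Graph returns ISO-8601 UTC timestamps with a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_impacted(objects, now):
    """One finding per keyCredential that Microsoft marked hasExtendedValue.

    Expired credentials are reported too, so the audit-log review the advisory
    recommends covers them; 'still_valid' tells you which to rotate first.
    """
    findings = []
    for obj in objects:
        for cred in obj.get("keyCredentials") or []:
            if cred.get("hasExtendedValue") is not True:
                continue
            end = parse_graph_time(cred["endDateTime"])
            findings.append({
                "object": obj.get("displayName"),
                "appId": obj.get("appId"),
                "keyId": cred.get("keyId"),
                "thumbprint": cred.get("customKeyIdentifier"),
                "endDateTime": cred["endDateTime"],
                "still_valid": end > now,
            })
    return findings


def scan(first_url, get, now=None):
    """Walk a listing and return the impacted credentials."""
    now = now or datetime.now(timezone.utc)
    return find_impacted(iterate_pages(first_url, get), now)


if __name__ == "__main__":
    for f in scan("https://graph.example/applications?page=1", sample_get):
        status = "ACTIVE - rotate now" if f["still_valid"] else "expired - review logs"
        print(f"{f['object']:<22} keyId={f['keyId']}  {status}")
```

Run the same scan a second time against the servicePrincipals listing, since an impacted service principal may exist without a matching application in the tenant.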

Free Microsoft Scripts to identify impacted Applications, Service Principals, and Run-As Accounts

Additionally, Microsoft has made several scripts and automation tooling available to identify and remediate impacted Azure AD App Registrations and Service Principals here:

https://github.com/microsoft/aad-app-credential-tools

What the Cyber Fusion Center is doing

The Cyber Fusion Center is actively working to develop tooling to help clients identify impacted App registrations and Service Principals. The CFC will engage directly with clients who subscribe to CFC services that require Azure AD App Registrations to support data and alert consumption (such as the CFC’s MDR for Endpoint with Microsoft Defender for Endpoint and MDR for Cloud with Azure / Office 365) to identify whether they are impacted and, if necessary, rotate credentials.

The Cyber Fusion Center will engage with clients to directly coordinate the rotation of impacted certificates and credentials and ensure no impact to the delivery of your CFC services. Clients working to mitigate impacted Azure AD App registrations should coordinate with the CFC to ensure we can continue to receive critical data required to deliver your services.

Temporary Workarounds and Mitigations

Microsoft has proactively mitigated the issue by limiting access to private certificate data from manifests. This has prevented attackers from gaining access to private certificates since 10/30/2021. However, impacted credentials must still be rotated to ensure attackers who may have exploited this vulnerability prior to mitigation do not retain privileged access to Azure AD environments.

Organizations who identify impacted App registrations and Service Principals should review Azure AD audit logs for signs of abuse of these credentials as soon as possible.

Sources

Security Advisory: Kaseya VSA Supply Chain Compromise Used to Execute REvil Ransomware

SUMMARY

On July 2nd, a large-scale supply chain attack operation by the REvil ransomware group affected multiple IT Managed Service Providers (MSPs) and leveraged the IT MSPs’ Kaseya VSA instances to infect the MSPs’ clients. As of this writing the attack campaign has affected 60 IT MSPs and over 1500 end clients.

The attack was operated by compromising self-hosted Kaseya VSA servers. The threat actors appear to have gained access by abusing authentication bypass and command injection bugs present in the management web UI. Once threat actors gained access to the VSA servers, they quickly locked legitimate users out of the systems and delivered a malicious payload to end user systems through the compromised IT management tool.

The Kudelski Security Cyber Fusion Center and Kudelski Group were not affected as this solution is not leveraged internally nor externally.

Affected Systems

All self-hosted VSA servers. Unfortunately, there is currently no patch available; as such, it is strongly recommended to keep the servers shut down.

ATTACK OVERVIEW

Once threat actors used their initial access to VSA servers, they locked out administrators and leveraged VSA’s update mechanism to deploy their malware as a base64 encoded “.crt” file. The threat actors then used a PowerShell command to disable Windows Defender Antivirus, decode the file and save it in the c:\kworking directory of the Kaseya VSA software (which was typically excluded from AV scanning as recommended by Kaseya). Finally, the agent.exe malware dropper is started by the Kaseya agentmon.exe binary, gaining SYSTEM level privileges.

The malware dropper extracted from the encoded agent.crt file was digitally signed with a valid digital signature using the following information:

• Name: PB03 TRANSPORT LTD.
• Email: [Brouilettebusiness@outlook[.]com]
• SUBJECT: CN=Sectigo RSA Code Signing CA, O=Sectigo Limited, L=Salford, S=Greater Manchester, C=GB
• Serial #: 119acead668bad57a48b4f42f294f8f0
• Issuer: https://sectigo[.]com/

Once executed, the dropper writes the following files to the c:\Windows path:

• MsMpEng.exe – a legitimate but very outdated Windows Defender executable
• Mpsvc.dll – the encryptor payload compiled as a dynamic link library that is sideloaded by the vulnerable Defender executable

Known associated IOCs (SHA256):

• agent.exe (d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e)
• mpsvc.dll (e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2)
• mpsvc.dll (8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd)

The threat actors appear to have performed initial exploitation activity from the following IP addresses:

• 18.223.199[.]234 (Amazon Web Services)
• 161.35.239[.]148 (Digital Ocean)
• 35.226.94[.]113 (Google Cloud)
• 162.253.124[.]162 (Sapioterra)

CFC Monitoring

The Cyber Fusion Center has been actively monitoring this attack campaign and continues to track the situation to keep our clients updated. The CFC will perform threat hunting on the IOCs listed in this advisory and any updated IOCs released in the future.

Additionally, the techniques leveraged by the threat actors in this attack campaign are not unique or novel: several threat actors have leveraged PowerShell cmdlets to disable security solutions in the past and often use the Certutil binary to decode or download malicious files. The CFC is able to actively monitor and respond to these techniques leveraging Endpoint Detection and Response (EDR) tooling.

Patching

Kaseya’s R&D team was able to replicate the attack vector and is working on the process of remediating the malicious code and applying necessary patches.

Temporary Mitigations

All Kaseya hosted VSA servers as part of Kaseya’s SaaS solution were put into maintenance mode by Kaseya to prevent further exploitation.

Self-hosted VSA servers should remain shut down until Kaseya provides a patch for the issue.

References

https://old.reddit.com/r/msp/comments/ocggbv/crticial_ransomware_incident_in_progress/
https://status.kaseya.net/pages/maintenance/5a317d8a2e604604d65c1c76/60df588ba49d1e05371e9d8b
https://twitter.com/markloman/status/1411035534554808331?s=12
https://blog.malwarebytes.com/cybercrime/2021/07/shutdown-kaseya-vsa-servers-nowamidst-cascading-revil-attack-against-msps-clients/
https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689

Microsoft Type 1 Font Parsing Critical 0-Day Remote Code Execution Vulnerabilities

Summary

On March 23rd, 2020 Microsoft publicly disclosed the existence of two critical 0-Day vulnerabilities in all recent versions of the Microsoft Windows operating system. Microsoft is aware of limited targeted attacks that leverage these 0-Day vulnerabilities and has provided guidance on how to temporarily mitigate the exploitation of these unpatched vulnerabilities. Patches for these vulnerabilities are not expected until April’s “Patch Tuesday” release.

The two 0-Day Remote Code Execution (RCE) vulnerabilities exist because of the way the Windows Adobe Type Library improperly handles a specially crafted font file in the “Adobe Type 1 PostScript” format. This Adobe Type Library is included by default in all Windows systems and, as such, all recent Microsoft Windows systems are impacted.

Successful exploitation of this vulnerability requires that attackers trick users into either previewing or opening a maliciously crafted document. Exploitation will likely be in the form of a phishing attempt with a malicious document attached. Attackers could also leverage Web Distributed Authoring and Versioning (WebDAV) based HTTP requests to load previews of the maliciously crafted font files in order to exploit these vulnerabilities.

Systems running Windows 10 are still vulnerable to potential exploitation but built-in mitigations make successful exploitation much more difficult. Windows 10 leverages isolated “App Containers” with limited privileges. The use of these isolated “App Containers” significantly increases the difficulty of successfully compromising a system by exploiting these issues but does not prevent exploitation.

For additional details on how Windows 10 mitigates these types of exploits, review Microsoft’s article on Windows 10’s zero-day exploit mitigation features (including mitigating font parsing vulnerabilities).

The Cyber Fusion Center strongly recommends all clients deploy some mitigations to prevent potential exploitation (especially on non-Windows 10 systems). Mitigation options include:

  • Disabling the Preview Pane and Details Pane in Windows Explorer
  • Disabling the WebClient (for WebDAV) service
  • Renaming the impacted Dynamic Linked Library (DLL) file (ATMFD.DLL)

For additional details on how to successfully mitigate these issues, please review the “Temporary Mitigation” section of this advisory.

Affected software

  • Windows 10 (All versions)
  • Windows 8.1 (All versions)
  • Windows 7 (All versions)
  • Windows Server 2008 / R2 (All versions)
  • Windows Server 2012 / R2 (All versions)
  • Windows Server 2016 (All versions)
  • Windows Server 2019 (All versions)

Impact

Successful exploitation of these vulnerabilities can provide attackers kernel level privileges on impacted Windows systems. Such access enables attackers to take complete control of impacted systems.

Temporary Mitigation & Workarounds

The Cyber Fusion Center strongly recommends all clients deploy some mitigations to prevent potential exploitation (especially on non-Windows 10 systems). Mitigation options include:

  • Disabling the Preview Pane and Details Pane in Windows Explorer
  • Disabling the WebClient (for WebDAV) service
  • Renaming the impacted DLL file (ATMFD.DLL)

The sections below describe how to apply these temporary workarounds to prevent the exploitation of these 0-Day vulnerabilities.

Disabling the Preview Pane and Details Pane in Windows Explorer (Windows Server 2008 (R2), Windows 7, Windows Server 2012 (R2), and Windows 8.1):

Disabling the Preview and Details panes in Windows Explorer prevents the automatic display of OTF fonts in Windows Explorer. While this prevents malicious files from being viewed in Windows Explorer, it does not prevent a local, authenticated user from running a specially crafted program to exploit this vulnerability.

To disable these panes, perform the following steps:

  1. Open Windows Explorer, click Organize, and then click Layout.
  2. Clear both the Details pane and Preview pane menu options.
  3. Click Organize, and then click Folder and search options.
  4. Click the View tab.
  5. Under Advanced settings, check the Always show icons, never thumbnails box.
  6. Close all open instances of Windows Explorer for the change to take effect.

Disabling the Preview Pane and Details Pane in Windows Explorer (Windows Server 2016, Windows 10, and Windows Server 2019):

To disable these panes, perform the following steps:

  1. Open Windows Explorer, click the View tab.
  2. Clear both the Details pane and Preview pane menu options.
  3. Click Options, and then click Change folder and search options.
  4. Click the View tab.
  5. Under Advanced settings, check the Always show icons, never thumbnails box.
  6. Close all open instances of Windows Explorer for the change to take effect.

Disabling the WebDAV WebClient Service

Disabling the WebClient service helps protect affected systems from attempts to exploit this vulnerability by blocking the most likely remote attack vector through the Web Distributed Authoring and Versioning (WebDAV) client service.

Note: Even after disabling the WebClient Service, it is still possible for remote attackers who successfully exploit this vulnerability to cause the system to run programs already installed on the targeted computer or programs which are available via local network file shares. However, this mitigation will now prompt users before running arbitrary software from non-local sources (such as the internet).

To disable the WebClient Service, perform the following steps:

  1. Click Start, click Run (or press the Windows Key and R on the keyboard), type Services.msc and then click OK.
  2. Right-click WebClient service and select Properties.
  3. Change the Startup type to Disabled. If the service is running, click Stop.
  4. Click OK and exit the management application.

Rename the impacted Dynamic Link Library (DLL) ATMFD.DLL on 32-bit systems

  1. Enter the following commands at an administrative command prompt:

     cd "%windir%\system32"
     takeown.exe /f atmfd.dll
     icacls.exe atmfd.dll /save atmfd.dll.acl
     icacls.exe atmfd.dll /grant Administrators:(F)
     rename atmfd.dll x-atmfd.dll

  2. Restart the system.

Rename the impacted Dynamic Link Library (DLL) ATMFD.DLL on 64-bit systems

  1. Enter the following commands at an administrative command prompt:

     cd "%windir%\system32"
     takeown.exe /f atmfd.dll
     icacls.exe atmfd.dll /save atmfd.dll.acl
     icacls.exe atmfd.dll /grant Administrators:(F)
     rename atmfd.dll x-atmfd.dll

     cd "%windir%\syswow64"
     takeown.exe /f atmfd.dll
     icacls.exe atmfd.dll /save atmfd.dll.acl
     icacls.exe atmfd.dll /grant Administrators:(F)
     rename atmfd.dll x-atmfd.dll

  2. Restart the system.

Disable the Adobe Type Manager Library via registry on Windows 8.1 or below (not recommended)

It’s possible for Windows administrators to disable the Adobe Type Manager Library by modifying the Windows registry on Windows 8.1 and below.

However, disabling the library in this manner may impact applications that rely on embedded font technology. Disabling ATMFD.DLL could cause certain applications to stop working properly if they use OpenType fonts. For details on how to disable ATMFD via registry changes, please review Microsoft’s Security Advisory.

For details on potential impacts of these workarounds, or details on how to roll back these changes, please review Microsoft’s security advisory.

Sources

Security Advisory: Microsoft Server Message Block 3 (SMBv3) Remote Code Execution Vulnerability

Updated on March 12th, 2020: to reflect that Microsoft has now made a patch for the vulnerability available. As such, we’ve updated the advisory to reflect the updated mitigations.

Summary 

On March 10th, a critical Remote Code Execution (RCE) vulnerability in the Microsoft Server Message Block (SMBv3) protocol was inadvertently disclosed. The vulnerability, known as CVE-2020-0796, is caused by how newer Windows operating systems handle certain requests, specifically compressed SMBv3 packets. Microsoft intended to release a patch for this vulnerability as part of March’s “Patch Tuesday”; however, the patch appears to have been pulled at the last minute. This led to the inadvertent disclosure of the issue before a patch was available. The flaw is considered critical and could allow attackers to execute arbitrary code without user interaction and without authentication.

This critical vulnerability is considered “wormable” as it leads to pre-authenticated remote code execution in the Windows server implementation of SMBv3. To exploit the vulnerability on a Windows machine acting as an “SMB server”, unauthenticated attackers can simply send a maliciously crafted packet to a targeted SMBv3 Server. Once an attacker has successfully compromised one system, they can attempt to automatically exploit other reachable SMB servers. However, to exploit an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 server and convince a user to connect to it.

The Windows implementation of the SMB protocol was recently exploited by WannaCry, NotPetya and other recent attacks, enabled by a leak of reliable Equation Group exploits in 2017. However, due to the difficulty in successfully and reliably exploiting such vulnerabilities, the Cyber Fusion Center does not expect to see immediate mass exploitation attempts. There are currently no publicly available exploits targeting this vulnerability, and there are several Microsoft Windows exploit mitigations that make building a successful and reliable exploit very difficult.

While there are no current public exploits, the Cyber Fusion Center strongly recommends mitigating the vulnerability as soon as possible.

Note: On March 12, 2020, Microsoft released an out-of-band patch for this vulnerability. The Cyber Fusion Center strongly recommends that organizations apply the patch as soon as possible, especially on SMB servers such as Active Directory domain controllers and file shares. If it’s not possible to patch in the very near future, the Cyber Fusion Center recommends disabling compression for the SMBv3 protocol with the commands in the “Temporary Mitigations” section of this advisory.  

Affected software 

  • Microsoft Windows 10 Version 1903 (May 2019 update) 
  • Microsoft Windows 10 Version 1909 (v1909)  
  • Microsoft Windows Server Version 1903 (Server Core Installation) 
  • Microsoft Windows Server Version 1909 (Server Core Installation) 

Impact 

Attackers who successfully exploit this vulnerability can execute arbitrary code within the context of the SMBv3 process. The vulnerability is considered “wormable” as it allows for pre-authenticated remote code execution without any user interaction.  

Mitigation 

On March 12th, 2020 (one day after “Patch Tuesday”) Microsoft released out-of-band patches for this severe vulnerability in Windows’ implementation of SMBv3 compression. The Cyber Fusion Center strongly recommends organizations apply this patch rather than use the temporary mitigations outlined below.

The patch is available via the traditional Microsoft Update delivery process and on the Microsoft Security Response Center’s website.

Temporary Mitigation 

While there is no patch for this vulnerability yet, it’s possible to mitigate the issue on SMB servers by disabling support for compression on the SMBv3 protocol.

Windows administrators can disable compression to prevent unauthenticated attackers from exploiting the vulnerability on SMBv3 Servers by using the PowerShell command below. 

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force

Important Information: 

  • No reboot is required after making this change
  • This workaround does not prevent exploitation of SMB clients 

If necessary, you can roll back this change with the PowerShell command below:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 0 -Force

Additional Recommendations 

The Cyber Fusion Center also strongly recommends that organizations mitigate the potential of an attack on a Windows 10 client by blocking all outbound SMB (TCP port 445) on corporate firewalls.  

Additionally, Microsoft has published guidelines for preventing lateral SMB connections and preventing SMB traffic from entering or leaving the corporate network, which provide details on how to mitigate this vulnerability and other attacks in the future:

https://support.microsoft.com/en-us/help/3185535/preventing-smb-traffic-from-lateral-connections 

Sources 

SECURITY ADVISORY: Multiple Critical Vulnerabilities On Windows Systems

On January 14th, 2020 (Patch Tuesday), Microsoft released patches for a severe vulnerability in Windows’ cryptographic subsystem and critical vulnerabilities in Windows Server Remote Desktop (RDP) Gateway. These Microsoft vulnerabilities are considered critical and the Cyber Fusion Center strongly recommends applying these patches as soon as possible. Kudelski Security expects active exploitation in the near future.

The U.S. National Security Agency released an advisory regarding a vulnerability in a cryptographic library (Crypt32.dll) used in Microsoft Windows 10, Windows Server 2016, and Windows Server 2019 (CVE-2020-0601). This issue impacts the verification of elliptic curve cryptography (ECC) signatures in security certificates. The verification of such certificates has been discovered to be defective and may allow an attacker to have a forged certificate incorrectly validated. Successful exploitation of this issue has been shown to allow for interception, modification, and decryption of TLS / HTTP(S) traffic by attackers in privileged network positions. Additionally, this may allow attackers to successfully bypass code-signing requirements on Windows systems or bypass Device Guard application whitelisting solutions.

Kudelski Security’s research team has been able to successfully exploit this vulnerability to issue spoofed HTTPS certificates considered valid by Windows 10, Windows Server 2016, and Windows Server 2019:

https://research.kudelskisecurity.com/2020/01/15/cve-2020-0601-the-chainoffools-attack-explained-with-poc/

Additionally, Kudelski Security has released a public PoC available on our GitHub page:

https://github.com/kudelskisecurity/chainoffools

This “Patch Tuesday” also included patches for multiple critical vulnerabilities in Windows Remote Desktop (RDP) Gateways. These critical vulnerabilities lead to unauthenticated Remote Code Execution (RCE) with SYSTEM privileges. Such vulnerabilities could be leveraged by attackers to remotely compromise systems without authentication or user interaction. Remote Desktop Gateways allow organizations to centralize Remote Desktop services and provide remote access to Windows endpoints and servers without a VPN, provide web-based RDP user experiences, and more.

Description

Microsoft released patches for a severe vulnerability in Windows’ cryptographic subsystem and critical vulnerabilities in Windows Server Remote Desktop (RDP) Gateway. Kudelski Security expects active exploitation in the near future. As such, the Cyber Fusion Center strongly recommends mitigating these issues as soon as possible.

The Microsoft Windows cryptographic subsystem vulnerability was publicly disclosed jointly by Microsoft and the U.S. National Security Agency (NSA) after being successfully patched by Microsoft. Microsoft and the NSA have publicly stated that they have not observed any exploitation of this vulnerability. Additionally, Kudelski Security has been able to leverage this vulnerability to successfully issue spoofed HTTPS certificates considered valid by Windows 10, Windows Server 2016, and Windows Server 2019, and has released public Proof of Concept (PoC) code on our GitHub page. Please review the sources linked in this document for our blog post and links to the PoC code.

The vulnerability is in a cryptographic library (Crypt32.dll) used in Microsoft Windows 10, Windows Server 2016, and Windows Server 2019 (CVE-2020-0601). This issue impacts the verification of elliptic curve cryptography (ECC) signatures in security certificates. The verification of such certificates has been discovered to be defective and may allow an attacker to incorrectly validate a forged certificate. Successful exploitation of this issue has been shown to allow for interception, modification, and decryption of TLS / HTTP(s) traffic by attackers in privileged network positions. Additionally, this may allow attackers to successfully bypass code-signing requirements on Windows systems or bypass Windows Device Guard or other application whitelisting solutions.

Additionally, Microsoft has released patches for multiple critical vulnerabilities in Windows Remote Desktop (RDP) Gateways. These critical vulnerabilities may lead to unauthenticated Remote Code Execution (RCE) with SYSTEM privileges. These vulnerabilities could be leveraged by attackers to remotely compromise systems without valid credentials or user interaction. Remote Desktop Gateways allow organizations to centralize Remote Desktop services and provide remote access to Windows endpoints and servers without a VPN, provide web-based RDP user experiences, and more.

It’s important to note that Remote Desktop (RD) Gateway is a separate application rather than the traditional Remote Desktop Protocol. Organizations looking to identify any potentially exposed RD Gateways should look for systems exposing UDP port 3391 (not the traditional RDP port on TCP 3389) along with Remote Desktop Web Services on HTTPS (TCP/443).

Kudelski Security expects to see attackers leveraging these Remote Desktop Gateway vulnerabilities to compromise unpatched systems in the near future due to the prevalence of the technology and the ability to compromise critical systems without authentication or user interaction. As such, we strongly recommend that clients apply these patches as quickly as possible.

Detection

Microsoft Windows Crypto Subsystem issue

Organizations who do not currently have Kudelski Security Cyber Fusion Center’s Threat Monitoring and Hunting services may want to ensure Windows Application Logs are being centrally collected and monitored. Microsoft has introduced a new Windows Event source named “Microsoft-Windows-Audit-CVE”. Microsoft Windows will now write events to the local Windows application logs with this source if there are attempts to exploit this vulnerability. Note that the Windows Event source will only be available after the latest patches have been applied.

Additionally, it’s possible to detect potentially invalid TLS certificates being used to exploit this vulnerability by intercepting TLS packets and checking the certificate signature for uncommon elliptic curve parameters. When analyzing TLS traffic, the “ServerHello/Certificate/ServerHelloDone” packet contains the certificate which should be checked for possible forgery.
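One concrete form of that check, as an added example (not from the advisory or the ChainOfFools PoC): walk a DER certificate to its subjectPublicKeyInfo and report whether an EC key names its curve by OID or carries an explicit (specifiedCurve) parameter SEQUENCE, which is what the forged certificates in this attack rely on. It uses a minimal DER walker with no third-party libraries; the two sample certificates are constructed skeletons with placeholder issuer, subject and key bytes, and the `make_*` helpers exist only to build them.

```python
"""Flag X.509 certificates whose EC public key uses explicit curve parameters.

Added example, not code from the advisory. Minimal DER walker only; it does
not verify signatures. Sample certificates are constructed skeletons.
"""

ID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"
ECDSA_WITH_SHA256 = "1.2.840.10045.4.3.2"
SECP256R1 = "1.2.840.10045.3.1.7"
PRIME_FIELD = "1.2.840.10045.1.1"

# --- DER decoding -----------------------------------------------------------

def read_tlv(buf, pos=0):
    """Return (tag, value, end) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def children(body):
    """Split a constructed element's body into (tag, value, raw) triples."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, nxt = read_tlv(body, pos)
        out.append((tag, val, body[pos:nxt]))
        pos = nxt
    return out

def decode_oid(body):
    """Decode an OBJECT IDENTIFIER body to dotted form."""
    first = body[0]
    parts = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))

def spki_from_cert(cert_der):
    """Return the raw subjectPublicKeyInfo element of a DER certificate."""
    _, cert_body, _ = read_tlv(cert_der)
    _, tbs_body, _ = read_tlv(cert_body)                # tbsCertificate
    fields = children(tbs_body)
    if fields[0][0] == 0xA0:                            # optional [0] version
        fields = fields[1:]
    # serial, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][2]

def classify_ec_params(spki_der):
    """'named-curve:<oid>', 'explicit-params', 'implicit', 'not-ec', 'malformed'."""
    _, spki_body, _ = read_tlv(spki_der)
    alg_fields = children(children(spki_body)[0][1])    # AlgorithmIdentifier
    if not alg_fields or alg_fields[0][0] != 0x06:
        return "malformed"
    if decode_oid(alg_fields[0][1]) != ID_EC_PUBLIC_KEY:
        return "not-ec"
    if len(alg_fields) < 2:
        return "malformed"
    ptag, pval, _ = alg_fields[1]
    if ptag == 0x06:
        return "named-curve:" + decode_oid(pval)
    if ptag == 0x30:                                    # SpecifiedECDomain: flag it
        return "explicit-params"
    if ptag == 0x05:
        return "implicit"
    return "malformed"

def check_cert(cert_der):
    return classify_ec_params(spki_from_cert(cert_der))

# --- DER encoding, used only to build the constructed samples -----------------

def _length(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body

def seq(*items):
    return tlv(0x30, b"".join(items))

def oid_der(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return tlv(0x06, bytes(body))

def make_cert(params_der):
    """Skeleton certificate around an EC SPKI with the given ECParameters."""
    alg = seq(oid_der(ID_EC_PUBLIC_KEY), params_der)
    pubkey = tlv(0x03, b"\x00\x04" + b"\x11" * 64)           # placeholder point
    tbs = seq(tlv(0xA0, tlv(0x02, b"\x02")), tlv(0x02, b"\x01"),
              seq(oid_der(ECDSA_WITH_SHA256)), seq(), seq(), seq(), seq(alg, pubkey))
    return seq(tbs, seq(oid_der(ECDSA_WITH_SHA256)), tlv(0x03, b"\x00"))

NAMED_CERT = make_cert(oid_der(SECP256R1))
EXPLICIT_CERT = make_cert(seq(                                   # SpecifiedECDomain
    tlv(0x02, b"\x01"),                                          # version
    seq(oid_der(PRIME_FIELD), tlv(0x02, b"\x17")),               # FieldID, placeholder p
    seq(tlv(0x04, b"\xaa"), tlv(0x04, b"\xbb")),                 # Curve a, b
    tlv(0x04, b"\xcc"), tlv(0x02, b"\x05"), tlv(0x02, b"\x01"))) # base, order, cofactor

if __name__ == "__main__":
    for name, cert in (("named", NAMED_CERT), ("explicit", EXPLICIT_CERT)):
        print(name, "->", check_cert(cert))
```

A CA or intermediate whose key reports explicit-params deserves scrutiny, since public CAs name their curves by OID.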

Additionally, the Cyber Fusion Center is actively working with our vendor partners to ensure we can actively detect attempted exploitation of this vulnerability. Customers with the Cyber Fusion Center’s Endpoint Detection and Response service will be proactively notified if potential exploitation is detected.

Microsoft Remote Desktop Gateway issues

Organizations who do not currently have Kudelski Security Cyber Fusion Center’s Threat Monitoring and Hunting services or our vulnerability scanning services may want to identify exposed versions of Web Services for remote desktop or systems that respond to UDP port 3391. Several vendors have released IDS or IPS detection signatures.

Additionally, the Cyber Fusion Center is actively working with our vendor partners to ensure we can actively detect attempted exploitation of these vulnerabilities. Customers with the Cyber Fusion Center’s Endpoint Detection and Response service will be proactively notified if potential exploitation is detected.

Mitigation and Response

The Cyber Fusion Center is actively working with our vendor partners to ensure we can actively detect attempted exploitation of these vulnerabilities. Customers with the Cyber Fusion Center’s Endpoint Detection and Response or Threat Monitoring services will be proactively notified if potential exploitation is detected.

Customers with the Cyber Fusion Center’s vulnerability scanning service will be proactively notified if any vulnerable Remote Desktop Gateway systems are detected.

Sources