Microsoft issued the January 2020 Security Updates that include 49 unique vulnerability fixes, 8 of those rated critical and 29 rated important. One of the patches addresses a CryptoAPI Spoofing vulnerability CVE-2020-0601. DHS CISA also issued an emergency directive with recommendations to patch this Windows CryptoAPI, Windows Remote Desktop Gateway (RD Gateway), and Windows Remote Desktop Client.
The security updates address vulnerabilities in multiple Microsoft products to include:
- .NET Core
- .NET Framework
- ASP.NET Core
- Internet Explorer
- Microsoft Dynamics
- Microsoft Office and Microsoft Office Services and Web Apps
- Microsoft Windows
- OneDrive for Android.
Microsoft has provided patches for each of the vulnerabilities and summarized in the January 2020 Security Updates Release Notes.
CISA Emergency Alerts
The Cybersecurity and Infrastructure Security Agency (CISA) issued an Emergency Directive and Critical Alert to patch critical vulnerabilities impacting Windows CryptoAPI, Windows Remote Desktop Gateway (RD Gateway), and Windows Remote Desktop Client.
“CISA has determined that these vulnerabilities pose an unacceptable risk to the Federal enterprise and require an immediate and emergency action. This determination is based on the likelihood of the vulnerabilities being weaponized, combined with the widespread use of the affected software across the Executive Branch and high potential for a compromise of integrity and confidentiality of agency information,” CISA stated in in the Emergency Directive.
Each of these patches are included in the January patch updates.
CryptoAPI spoofing vulnerability (CVE-2020-0601)
This CryptoAPI spoofing vulnerability impacts all Windows 10 operating systems, as well as Windows Server versions 2016 and 2019.
The spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates.
According to Microsoft, “an attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source. The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider.”
To add, Microsoft said “a successful exploit could also allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software.”
Windows RD Gateway Vulnerabilities (CVE-2020-0609 and CVE-2020-0610)
These vulnerabilities affect Windows Remote Desktop Client and RD Gateway Server. The versions impacted include Windows Server 2012 (and newer). To add, CVE-2020-0611 impacts Windows 7 and newer.
“A remote code execution vulnerability exists in Windows Remote Desktop Gateway (RD Gateway) when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction,” Microsoft warned in the advisory.
Microsoft also confirmed “exploitation is more likely” for CVE-2020-0609 and CVE-2020-0610.
Windows Remote Desktop Client Vulnerability (CVE-2020-0611)
According to Microsoft, “a remote code execution vulnerability exists in the Windows Remote Desktop Client when a user connects to a malicious server. An attacker who successfully exploited this vulnerability could execute arbitrary code on the computer of the connecting client.”
See Microsoft advisory CVE-2020-0611 for details.
Readers can also check out more vulnerability and patch details in Microsoft’s Security Update Guide.