11:25am, 15 January 2020
TLP Rating:
Critical vulnerabilities in Microsoft Windows
As part of this month’s patch cycle, Microsoft has released an update which patches several critical vulnerabilities.
Three vulnerabilities are in the RDP service. CVE-2020-0609 and CVE-2020-0610 allow for unauthenticated remote execution in the RDP server. CVE-2020-0611 allows for remote execution in an RDP client when it connects to a malicious server.
Microsoft has also patched a critical vulnerability in Windows’ CryptoAPI. This vulnerability, CVE-2020-0601, would allow attackers to craft malicious X.509 cryptographic certificate chains which could spoof an arbitrary issuer.
What's happening
Systems affected
The CryptoAPI vulnerability (CVE-2020-0601) affects:
- Windows Server 2016, 2019
- Windows 10
The RDP server vulnerabilities (CVE-2020-0609 and CVE-2020-0610) affect:
- Windows Server 2012, 2016, 2019
The RDP client vulnerability (CVE-2020-0611) affects:
- Windows Server 2008, 2012, 2016, 2019
- Windows 7, 8.1, 10
What this means
While it is normal for Microsoft to release monthly patches, the January 2020 release addresses critical vulnerabilities that are likely to be exploited by attackers, either individually or in combination.
With CVE-2020-0609 and CVE-2020-0610 attackers can execute arbitrary code on open RDP services, allowing full access to the machine.
With CVE-2020-0611 attackers can execute arbitrary code on a victim’s machine when the victim’s RDP client connects to their malicious RDP server.
With CVE-2020-0601 attackers can man-in-the-middle encrypted traffic that relies on the Windows CryptoAPI for certificate verification. It would also allow for the spoofing of valid code signatures, including driver software, which enables malicious software to appear to have been created by trusted sources.
What to look for
How to tell if you're at risk
Systems are vulnerable if they’re running an affected version of Windows, and have not had the January 2020 Windows updates applied.
Affected versions are:
- Windows Server 2008, 2012, 2016, 2019
- Windows 7, 8.1, 10
What to do
Prevention
Ensure all vulnerable Windows systems on your network are patched with the January 2020 updates as soon as possible.
These patches should be considered urgent. If it’s difficult to apply them to all affected devices immediately, prioritise the devices that are:
- exposed to the internet – especially if running RDP
- used by administrators and high-privileged users, or
- used for business-sensitive purposes.
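A host triage script, added here as an example and not part of the CERT NZ advisory, that checks the two conditions this page describes (an affected Windows version and no January 2020 update) together with whether Remote Desktop is enabled, so that internet-facing RDP hosts can be patched first. It assumes PowerShell 5.1 or later with local administrator rights; because the advisory lists no KB numbers, the update check is by install date (on or after Patch Tuesday, 14 January 2020) and must be confirmed against Microsoft's per-version KB list before a host is recorded as patched.

```powershell
# Added triage example, not code from the advisory. Assumes PowerShell 5.1+
# running as a local administrator. The cut-off is the January 2020 Patch
# Tuesday; KB numbers are not on the page, so this is a date-based heuristic.
$PatchTuesday = Get-Date '2020-01-14'

$os      = Get-CimInstance Win32_OperatingSystem
$caption = $os.Caption

# Versions named in the advisory for each vulnerability group.
$cryptoApiAffected = $caption -match 'Windows 10|Windows Server 2016|Windows Server 2019'
$rdpServerAffected = $caption -match 'Windows Server 2012|Windows Server 2016|Windows Server 2019'
$rdpClientAffected = $caption -match 'Windows (7|8\.1|10)|Windows Server (2008|2012|2016|2019)'

# Any update installed since Patch Tuesday? InstalledOn can be empty for some
# entries, so drop those before comparing dates.
$recent = Get-HotFix | Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $PatchTuesday }
$hasJanUpdate = ($recent | Measure-Object).Count -gt 0
$latestHotFix = ($recent | Sort-Object InstalledOn -Descending | Select-Object -First 1).HotFixID

# RDP exposure: fDenyTSConnections = 0 means Remote Desktop is enabled.
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpEnabled = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections -eq 0

# Get-NetTCPConnection is absent on older hosts (e.g. Server 2008), so guard it.
$rdpListening = $false
if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
    $rdpListening = [bool](Get-NetTCPConnection -State Listen -LocalPort 3389 -ErrorAction SilentlyContinue)
}

# Unpatched hosts with the RDP server bugs and RDP enabled come first, per the
# advisory's prioritisation; everything else unpatched is next.
$priority = if (-not $hasJanUpdate -and $rdpServerAffected -and $rdpEnabled) { 'HIGH' }
            elseif (-not $hasJanUpdate -and ($cryptoApiAffected -or $rdpClientAffected)) { 'MEDIUM' }
            else { 'Update present (verify KB)' }

[PSCustomObject]@{
    ComputerName        = $env:COMPUTERNAME
    OS                  = $caption
    CryptoAPIAffected   = $cryptoApiAffected
    RdpServerAffected   = $rdpServerAffected
    RdpClientAffected   = $rdpClientAffected
    RdpEnabled          = $rdpEnabled
    RdpListening3389    = $rdpListening
    UpdateSincePatchDay = $hasJanUpdate
    LatestHotFix        = $latestHotFix
    Priority            = $priority
}
```

Run it across a fleet with Invoke-Command and sort the output by Priority to build the patch order the advisory recommends.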
More information
Read more information on Microsoft’s website on each vulnerability:
- CVE-2020-0601
- CVE-2020-0609
- CVE-2020-0610
- CVE-2020-0611
NZ's NCSC have issued an advisory on the issue:
If you require more information or further support, submit a report on our website or contact us on 0800 CERTNZ.
Report an incident to CERT NZ
For media enquiries, email our media desk at certmedia@cert.govt.nz or call on 021 854 384