In January 2020, CISA released an emergency directive focused on several critical vulnerabilities affecting Windows CryptoAPI, Windows Remote Desktop Gateway (RD Gateway), and the Windows Remote Desktop Client.
Keeping patches and security updates current is vital, especially for systems that have access to HIPAA-compliant databases. It seems that major exploits are revealed with almost every security update these days.
These vulnerabilities can result in disruption to the network, downtime, and loss or theft of sensitive information, including patient and financial information. They affect essentially all Windows systems.
What are the Vulnerabilities?
The first vulnerability was discovered by the NSA, and is being tracked as CVE-2020-0601. It allows a potential attacker to spoof an Elliptic Curve Cryptography (ECC) certificate to execute malicious code, making the code look like it comes from a trusted source and show up to anti-virus software and end users as legitimate software.
The exploit completely bypasses the trust store. It could also be exploited in a man-in-the-middle attack, again using malicious certificates, in this case attached to a hostname that did not authorize it. There would be no warnings or alerts. The vulnerability could easily expose financial or patient data.
There are, as yet, no cases of the exploit showing up in the wild, but the NSA was sufficiently concerned to report the flaw to Microsoft.
The other vulnerabilities (CVE-2020-0609, CVE-2020-0610 and CVE-2020-0611) allow remote code execution through the Windows Remote Desktop Client or the RD Gateway Server, without any need for authentication or user interaction. Clients are also vulnerable if the user can be convinced to connect to a malicious server.
Again, there are no active exploits in the wild, but it is likely only a matter of time. This vulnerability could be used to mount a DDoS attack, install programs, view and alter data, or even create a new admin account you may not even know about.
Because of how easily this exploit can affect customer and patient data, you should fix it as soon as possible. It may also endanger employee financial and personal information.
What Systems are Affected?
The Remote Desktop Client vulnerability affects all supported versions of Windows; the RD Gateway Server vulnerabilities affect Server 2012, 2016, and 2019; and the ECC certificate validation vulnerability affects Windows 10, Server 2016, and Server 2019.
Essentially, any Windows system that relies on Windows encryption systems for certificate keys is potentially vulnerable and should be patched. CVE-2020-0611 also affects Windows 7 systems, which no longer receive security patches and should be decommissioned. (No patch is being applied to Windows 7 for this vulnerability, but there is one for Windows 8.1 and Windows Server 2012. Windows Server 2012 is, however, reaching end of support with this patch.)
The issue does not affect any non-Windows systems or mobile devices (although it's still important to keep all devices up to date). It may also be less critical if you use other means of encryption and certificate checking and have remote desktop capability disabled. However, unpatched systems are likely to be vulnerable to other exploits.
What Should you Do?
The first step is to make sure that the January 2020 Security Updates patch, which was released on the 14th of January 2020, is installed on all systems ASAP. The CISA directive requires that government agencies install the patch by January 29th, but you should install the patch immediately.
If you need to prioritize, prioritize systems running Windows 10 or Server 2016/2019, as those are affected by the potentially more significant CVE-2020-0601 exploit. You should also prioritize critical infrastructure such as DNS and VPN servers, and computers used by administrators and other privileged users. Ideally, however, you should apply the patch to all systems.
The patch also includes security updates for Internet Explorer, Microsoft Office, Microsoft Dynamics, and OneDrive for Android.
You might want to consider blocking access to UDP/3391 (the Remote Desktop Gateway port) if you are not using it, or as a temporary measure while patching systems. Moving forward, make sure that security patches are set to apply automatically on at least critical and internet-facing systems. In most cases, this should ensure patches are installed before exploits occur in the wild.
You should also patch new systems and systems that have been out of service before allowing them to be connected to your network. That is to say, you should connect the system independently to install the patch, and keep it off the network until the patch is in place, to reduce the risk of any malicious code spreading.
Installing the patch is critical, as many attackers will use new patches to reverse engineer the vulnerability they were created to block. There is no other mitigation, although the NSA has released a protocol which might be used to detect affected systems. As there are no exploits in the wild, there is no need to detect and remove existing malicious code, but the longer a system remains vulnerable the higher the likelihood of an exploit showing up.
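As an added example (not from the original post, nor from Microsoft, CISA or the NSA), here is a PowerShell audit a practitioner could run on each host to implement the steps above: it reports whether the host is in the affected product set, whether the required January 2020 update is installed, and whether anything is bound to the RD Gateway UDP port, with an optional switch for the temporary UDP/3391 block. The KB identifier is a placeholder because the post does not list update IDs, and the build-number threshold used for Windows 10/Server 2016/2019 is my assumption.

```powershell
# Added audit script (not from the original post or from Microsoft/CISA): reports
# whether this host falls in the affected product set, whether the January 2020
# update is installed, and whether anything is bound to the RD Gateway UDP port.
param(
    # PLACEHOLDER: replace with the January 2020 cumulative update KB ID(s) for this
    # host's build, taken from Microsoft's January 2020 security release notes.
    [string[]]$RequiredKBs = @('KB_PLACEHOLDER'),
    # Optional temporary measure from the text: block inbound UDP/3391 until patched.
    [switch]$BlockUdp3391
)

$os       = Get-CimInstance -ClassName Win32_OperatingSystem
$build    = [int]$os.BuildNumber
$isServer = $os.ProductType -ne 1          # 1 = workstation, 2 = DC, 3 = server

# Assumption: CVE-2020-0601 (CryptoAPI ECC validation) applies to Windows 10 /
# Server 2016 / Server 2019, i.e. build 10240 and later; older builds are out of scope.
$cryptoApiCveApplies = $build -ge 10240

# Installed hotfix IDs look like 'KB<number>'; compare against the required list.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
$missing   = @($RequiredKBs | Where-Object { $installed -notcontains $_ })

# The RD Gateway role service (RDS-Gateway) only exists on Server SKUs.
$rdGatewayInstalled = $false
if ($isServer -and (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue)) {
    $rdGatewayInstalled = [bool](Get-WindowsFeature -Name RDS-Gateway).Installed
}
$udp3391 = Get-NetUDPEndpoint -LocalPort 3391 -ErrorAction SilentlyContinue

# Temporary mitigation from the text: block inbound UDP/3391 if asked and not already done.
$ruleName = 'Block RD Gateway UDP 3391'
if ($BlockUdp3391 -and -not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound `
        -Protocol UDP -LocalPort 3391 -Action Block | Out-Null
}

[pscustomobject]@{
    Computer            = $env:COMPUTERNAME
    OS                  = $os.Caption
    Build               = $build
    CryptoApiCveApplies = $cryptoApiCveApplies
    RdGatewayInstalled  = $rdGatewayInstalled
    Udp3391Bound        = [bool]$udp3391
    MissingKBs          = ($missing -join ', ')
    Status              = if ($missing.Count -eq 0) { 'PATCHED' } else { 'MISSING UPDATE' }
}
```

Run it from an elevated prompt on each host (or via a remoting loop) and collect the objects into a CSV to get a fleet-wide view of what still needs the patch.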
The exploit is a timely reminder that critical patches should be applied as soon as they are released, ideally to all systems simultaneously. It is also a reminder that you should not keep unsupported operating systems that no longer receive patches in service, even if it means replacing devices.
Because the Remote Desktop Client vulnerability relies on social engineering to trick users into connecting to a malicious server, this is also a reminder that you need to educate all employees, especially those who handle sensitive data, on basic cyber hygiene such as not clicking on links in emails. You should also take measures to reduce the risk of DNS poisoning.
The takeaway is that if you have not already installed the January security patch on all Windows systems, you should do so as soon as possible. In most cases security patches should be set up to apply automatically (while there may be good reasons to hold off on major updates, there is no reason not to install security patches).
For more advice on how to keep your systems protected from Windows and other vulnerabilities, contact WheelHouse IT today.