Critical Vulnerabilities in Microsoft Windows Operating Systems (AA20-014A)
CVSS2: 10 High (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Attack Vector: NETWORK; Attack Complexity: LOW; Authentication: NONE; Confidentiality Impact: COMPLETE; Integrity Impact: COMPLETE; Availability Impact: COMPLETE
CVSS3: 9.8 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: NONE; User Interaction: NONE; Scope: UNCHANGED; Confidentiality Impact: HIGH; Integrity Impact: HIGH; Availability Impact: HIGH
EPSS: 0.969 High (Percentile 99.7%)
New vulnerabilities are continually emerging, but the best defense against attackers exploiting patched vulnerabilities is simple: keep software up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats.
On January 14, 2020, Microsoft released software fixes to address 49 vulnerabilities as part of their monthly Patch Tuesday announcement. Among the vulnerabilities patched were critical weaknesses in Windows CryptoAPI, Windows Remote Desktop Gateway (RD Gateway), and Windows Remote Desktop Client. An attacker could remotely exploit these vulnerabilities to decrypt, modify, or inject data on user connections:
The Cybersecurity and Infrastructure Security Agency (CISA) is unaware of active exploitation of these vulnerabilities. However, because patches have been publicly released, the underlying vulnerabilities can be reverse-engineered to create exploits that target unpatched systems.
CISA strongly recommends organizations install these critical patches as soon as possible—prioritize patching by starting with mission critical systems, internet-facing systems, and networked servers. Organizations should then prioritize patching other affected information technology/operational technology (IT/OT) assets.
A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates ECC certificates.
According to Microsoft, “an attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source. The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider.” Additionally, “a successful exploit could also allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software.”[1]
A cyber attacker could exploit CVE-2020-0601 to obtain sensitive information, such as financial information, or run malware on a targeted system; for example:
The Microsoft Security Advisory for CVE-2020-0601 addresses this vulnerability by ensuring that Windows CryptoAPI completely validates ECC certificates.
The National Security Agency (NSA) provides detection measures for CVE-2020-0601 in their Cybersecurity Advisory: Patch Critical Cryptographic Vulnerability in Microsoft Windows Clients and Servers.[2]
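The following is an added example, not code from the CISA advisory, Microsoft, or the NSA. It implements one defender-side check that the NSA advisory cited as [2] describes: flag certificates whose ECC public key is encoded with explicit curve parameters instead of a named-curve OID, since that encoding is unusual in legitimate certificates and is the case the CryptoAPI fix concerns. It is a minimal DER walker in plain Python; the OIDs are standard, but every certificate, key and signature below is a constructed placeholder, and the function names (classify_spki, spki_from_cert, flag_certificates) are this example's own.

```python
# Added example (not from the CISA advisory, Microsoft or NSA): flag ECC
# SubjectPublicKeyInfo (SPKI) structures that carry explicit curve parameters
# instead of a named-curve OID. Heuristic per the NSA guidance cited as [2].
# All certificates and keys below are constructed placeholders.

ID_EC_PUBLIC_KEY = "2A8648CE3D0201"    # 1.2.840.10045.2.1
SECP256R1 = "2A8648CE3D030107"         # 1.2.840.10045.3.1.7
PRIME_FIELD = "2A8648CE3D0101"         # 1.2.840.10045.1.1
ECDSA_SHA256 = "2A8648CE3D040302"      # 1.2.840.10045.4.3.2
RSA_ENCRYPTION = "2A864886F70D010101"  # 1.2.840.113549.1.1.1


def _read_tlv(buf: bytes, pos: int):
    """Decode one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _der(tag: int, value: bytes) -> bytes:
    """Encode one DER TLV with a definite length (used to build sample data)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _oid(hexstr: str) -> bytes:
    return _der(0x06, bytes.fromhex(hexstr))


def classify_spki(spki: bytes) -> str:
    """Return 'named-curve', 'explicit-params', 'not-ec' or 'malformed'."""
    try:
        tag, body, _ = _read_tlv(spki, 0)           # SubjectPublicKeyInfo
        if tag != 0x30:
            return "malformed"
        tag, alg, _ = _read_tlv(body, 0)            # AlgorithmIdentifier
        if tag != 0x30:
            return "malformed"
        tag, oid, p = _read_tlv(alg, 0)             # algorithm OID
        if tag != 0x06:
            return "malformed"
        if oid != bytes.fromhex(ID_EC_PUBLIC_KEY):
            return "not-ec"
        if p >= len(alg):                           # ECParameters is mandatory here
            return "malformed"
        ptag, _, _ = _read_tlv(alg, p)
    except IndexError:
        return "malformed"
    if ptag == 0x06:
        return "named-curve"                        # e.g. secp256r1 by OID
    if ptag == 0x30:
        return "explicit-params"                    # ECParameters SEQUENCE: inspect
    return "malformed"


def spki_from_cert(cert: bytes) -> bytes:
    """Walk Certificate -> TBSCertificate and return the SPKI element's DER bytes."""
    _, cert_body, _ = _read_tlv(cert, 0)
    _, tbs, _ = _read_tlv(cert_body, 0)
    pos = 0
    tag, _, nxt = _read_tlv(tbs, 0)
    if tag == 0xA0:                                 # optional [0] EXPLICIT version
        pos = nxt
    for _ in range(5):   # serialNumber, signature, issuer, validity, subject
        _, _, pos = _read_tlv(tbs, pos)
    _, _, end = _read_tlv(tbs, pos)
    return tbs[pos:end]


def flag_certificates(certs: dict) -> list:
    """Names of certificates whose EC key uses explicit curve parameters."""
    return [name for name, der in certs.items()
            if classify_spki(spki_from_cert(der)) == "explicit-params"]


# ---- constructed sample data (placeholders, not valid keys or signatures) ----
PUBKEY_BITS = _der(0x03, b"\x00\x04" + b"\x11" * 64)   # BIT STRING, fake point
SPKI_NAMED = _der(0x30, _der(0x30, _oid(ID_EC_PUBLIC_KEY) + _oid(SECP256R1)) + PUBKEY_BITS)
EXPLICIT_PARAMS = _der(0x30,
    _der(0x02, b"\x01")                                              # version 1
    + _der(0x30, _oid(PRIME_FIELD) + _der(0x02, b"\x7f"))             # FieldID (p placeholder)
    + _der(0x30, _der(0x04, b"\x01") + _der(0x04, b"\x02"))           # Curve a, b placeholders
    + _der(0x04, b"\x04\x22\x22") + _der(0x02, b"\x05") + _der(0x02, b"\x01"))  # G, n, h
SPKI_EXPLICIT = _der(0x30, _der(0x30, _oid(ID_EC_PUBLIC_KEY) + EXPLICIT_PARAMS) + PUBKEY_BITS)
SPKI_RSA = _der(0x30, _der(0x30, _oid(RSA_ENCRYPTION) + _der(0x05, b"")) + PUBKEY_BITS)


def fake_cert(spki: bytes) -> bytes:
    """Minimal Certificate skeleton around an SPKI (empty names, dummy signature)."""
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
           + _der(0x30, _oid(ECDSA_SHA256)) + _der(0x30, b"") + _der(0x30, b"")
           + _der(0x30, b"") + spki)
    return _der(0x30, _der(0x30, tbs) + _der(0x30, _oid(ECDSA_SHA256)) + _der(0x03, b"\x00"))


if __name__ == "__main__":
    inventory = {"good-ec": fake_cert(SPKI_NAMED), "odd-ec": fake_cert(SPKI_EXPLICIT),
                 "rsa": fake_cert(SPKI_RSA)}
    print(flag_certificates(inventory))   # ['odd-ec']
```

In practice the dictionary would hold DER certificates collected from TLS endpoints, code-signing artifacts, or a machine's certificate stores. A named-curve result is the normal case; an explicit-parameters result is not by itself proof of misuse, but it is the condition worth routing to analysts and correlating with the patch status of the hosts that would validate such a chain.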
CVE-2020-0609/CVE-2020-0610:
According to Microsoft, “A remote code execution vulnerability exists in Windows Remote Desktop Gateway (RD Gateway) when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction.”[3],[4]
The Microsoft Security Advisories for CVE-2020-0609 and CVE-2020-0610 address these vulnerabilities.
According to Microsoft, “A remote code execution vulnerability exists in the Windows Remote Desktop Client when a user connects to a malicious server. An attacker who successfully exploited this vulnerability could execute arbitrary code on the computer of the connecting client.”[5]
CVE-2020-0611 requires the user to connect to a malicious server via social engineering, Domain Name Server (DNS) poisoning, a man-in-the-middle attack, or by the attacker compromising a legitimate server.
The Microsoft Security Advisory for CVE-2020-0611 addresses this vulnerability.
A successful network intrusion can have severe impacts, particularly if the compromise becomes public and sensitive information is exposed. Possible impacts include:
CISA strongly recommends organizations read the Microsoft January 2020 Release Notes page for more information and apply critical patches as soon as possible—prioritize patching by starting with mission critical systems, internet-facing systems, and networked servers. Organizations should then prioritize patching other affected IT/OT assets.
General Guidance
[1] Microsoft Security Advisory for CVE-2020-0601, portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601
[2] NSA Cybersecurity Advisory: Patch Critical Cryptographic Vulnerability in Microsoft Windows Clients and Servers, media.defense.gov/2020/Jan/14/2002234275/-1/-1/0/CSA-WINDOWS-10-CRYPT-LIB-20190114.PDF
[3] Microsoft Security Advisory for CVE-2020-0609, portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0609
[4] Microsoft Security Advisory for CVE-2020-0610, portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0610
[5] Microsoft Security Advisory for CVE-2020-0611, portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0611
[6] CISA Blog: Windows Vulnerabilities that Require Immediate Attention, www.cisa.gov/blog/2020/01/14/windows-vulnerabilities-require-immediate-attention
[7] CERT/CC Vulnerability Note VU#849224, kb.cert.org/vuls/id/849224/
[8] CERT/CC Vulnerability Note VU#491944, kb.cert.org/vuls/id/491944/
January 14, 2020: Initial version
January 14, 2020: Minor technical edits