Microsoft RDP & Crypto API: new security vulnerabilities

On Tuesday, January 14, Microsoft released an update that fixes a major security flaw in the crypt32.dll software component found in the most recent versions of Windows (Windows 10, Windows Server 2016 and Windows Server 2019). Another update, dated January 15, fixes another security flaw in the Remote Desktop Protocol (RDP).

In total, these vulnerabilities are covered by four different CVEs. Here is an update on the behaviour of Stormshield products.



CVE-2020-0601: Windows CryptoAPI Spoofing Vulnerability

This vulnerability impacts the cryptographic engine of Windows 10, Windows Server 2016 and Windows Server 2019, specifically the validation of Elliptic Curve Cryptography (ECC) certificates. An attacker could make the target believe that a malicious file is legitimate and signed by a trusted source.

Stormshield Data Security – threat management

As SDS partly relies on this Microsoft cryptographic library when connecting to LDAP servers, both SDS Enterprise and SDS Cloud and Mobility are impacted by this vulnerability.

However, the identified attack scenarios would require that the attacker already has access to the Active Directory server, with enough rights to modify the private key used by the server. In such a situation, the attacker would be able to perform many malicious actions even without exploiting this vulnerability.

Stormshield Endpoint Security – threat management

SES itself is not vulnerable.

SES won’t be able to detect an exploit of this specific vulnerability on a system at risk. However, once the malicious file is opened on a workstation protected by SES, the usual protections provided by SES will apply.

Stormshield Network Security – threat management

SNS itself is not vulnerable.


CVE-2020-0609 and CVE-2020-0610: Remote Desktop vulnerabilities (Remote Code Execution)

These vulnerabilities in the Remote Desktop Gateway component of Windows Server 2012 to 2019 can allow an attacker to execute code on a vulnerable server using the Microsoft Remote Desktop Protocol (RDP).

Stormshield Endpoint Security – threat management

SES HoneyPot Protection (HPP) and Ret-Lib-C Protection (RCP) block the usual techniques used to exploit this kind of vulnerability.

Stormshield Network Security – threat management

To reduce the attack surface, several actions can be taken to limit access to the RDP resources: allow only specific IP addresses, or allow access only via the VPN SSL portal, a VPN SSL tunnel or a VPN IPSec tunnel.
Please note that none of these will prevent an authorized client from exploiting the vulnerability and executing code that modifies the server in ways that would not otherwise be allowed.


CVE-2020-0612: Remote Desktop vulnerability (Denial of Service)

This vulnerability in the Remote Desktop Gateway component of Windows Server 2016 and 2019 can allow an attacker to cause a Denial of Service, preventing legitimate users from connecting to the Remote Desktop Gateway.

Stormshield Endpoint Security – threat management

SES is not able to block attacks exploiting this vulnerability.

Stormshield Network Security – threat management

As stated above, several actions can be taken to limit the access to the RDP resources and reduce the attack surface.



Regarding these three Remote Desktop vulnerabilities, you should also consider disabling UDP transport for the Remote Desktop Gateway service on your Windows servers, as advised by CERT-FR.
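The following PowerShell audit script is an added example, not part of the original post or a Stormshield tool. It checks whether an RD Gateway host still exposes the UDP transport after the change above has been made. It assumes the RD Gateway service name TSGateway and the default UDP transport port 3391; adjust both if your deployment differs. It only reports, it changes no setting: the UDP transport itself is disabled in RD Gateway Manager (server Properties, Transport Settings tab).

```powershell
# Added example: audit whether RD Gateway UDP transport is still exposed.
# Assumed defaults (adjust to your deployment): service name TSGateway,
# UDP transport port 3391.
$RdgServiceName = 'TSGateway'
$RdgUdpPort     = 3391

# 1. Is this host actually an RD Gateway?
$svc = Get-Service -Name $RdgServiceName -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Output "Service '$RdgServiceName' not found: this host is not an RD Gateway."
    return
}
Write-Output ("RD Gateway service status: {0}" -f $svc.Status)

# 2. Is any process bound to the UDP transport port?
$udp = Get-NetUDPEndpoint -LocalPort $RdgUdpPort -ErrorAction SilentlyContinue
if ($udp) {
    foreach ($endpoint in $udp) {
        $proc = Get-Process -Id $endpoint.OwningProcess -ErrorAction SilentlyContinue
        Write-Output ("UDP {0} is bound by PID {1} ({2})" -f `
            $endpoint.LocalPort, $endpoint.OwningProcess, $proc.ProcessName)
    }
    Write-Warning ("UDP transport appears to be enabled. Disable it in RD Gateway Manager " +
                   "(Properties > Transport Settings) and re-run this check.")
} else {
    Write-Output ("No listener on UDP {0}: UDP transport is disabled or not started." -f $RdgUdpPort)
}

# 3. Report inbound Windows Firewall rules that still open the UDP transport port,
#    so the host firewall can be tightened alongside the gateway setting.
Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'UDP' -and "$($_.LocalPort)" -eq "$RdgUdpPort" } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' } |
    Select-Object DisplayName, Enabled, Direction, Action
```

Run it in an elevated PowerShell session on each RD Gateway host after applying the change; a clean result is a running TSGateway service with no UDP 3391 listener and no enabled inbound rule for that port. The same port can then be filtered on the perimeter firewall, which reduces exposure even on hosts where the setting has not yet been applied.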

In any case, it is strongly advised to apply Microsoft security updates to your servers and workstations as soon as possible.


About the author

Julien Paffumi
Product Management Leader, Stormshield

Julien made his first foray into Arkoon’s R&D as a quality engineer. He then directly trained administrators and acquired broad knowledge of their needs – an invaluable experience for his next role as Product Manager of Arkoon Fast360 firewalls, and then of the Stormshield Management Center centralised administration console. Eager to share what he has learned, Julien now works in continuous improvement for Product Management at Stormshield as a Product Management Leader. This cross-cutting role also feeds his never-ending curiosity thanks to its broader approach to Stormshield solutions.