January 14th, 2020: Today Microsoft released their monthly patches and amongst them were three critical Severity 1 issues that need your immediate attention. Businesses should invoke the Vulnerability Alert Management Process to triage these alerts, and immediately plan patching as soon as possible. Please consider this special blog advisory from CyberHoot as a very unusual circumstance and take appropriate action as soon as possible. To put this in perspective – ALL my cybersecurity sources are suggesting the same thing. Government cybersecurity watchdog entities such as CISA issued only its second Emergency Directive ever for these vulnerabilities. This is serious.
CryptoAPI spoofing vulnerability – CVE-2020-0601: This vulnerability affects all machines running 32- or 64-bit Windows 10 operating systems, including Windows Server versions 2016 and 2019.
Windows RD Gateway and Windows Remote Desktop Client vulnerabilities – CVE-2020-0609, CVE-2020-0610, and CVE-2020-0611: These vulnerabilities affect Windows Server 2012 and newer. In addition, CVE-2020-0611 affects Windows 7 and newer.
This section of the advisory outlines the potential impact if these vulnerabilities were exploited.
CryptoAPI spoofing vulnerability – CVE-2020-0601:
- This vulnerability allows unwanted or malicious software to masquerade as legitimate software authentically signed by a trusted or trustworthy organization. This could deceive users into installing malicious software that appears legitimate. It could also thwart protective software such as antivirus from detecting such installations as malicious in nature. Additionally, browsers relying on Windows CryptoAPI would be blind to such attacks, allowing an attacker to decrypt, modify, or inject data on user connections without detection.
Windows RD Gateway and Windows Remote Desktop Client vulnerabilities – CVE-2020-0609, CVE-2020-0610, and CVE-2020-0611:
- These vulnerabilities allow for remote code execution, where arbitrary code could be run freely on both the RD Web Gateway and any client connecting to a malicious gateway. The server vulnerabilities do not require authentication [which is really bad] or user interaction and can be exploited by a specially crafted request. The client vulnerability can be exploited by convincing a user to connect to a malicious server. When combined, any RD Web gateway can be taken over to become a malicious server which then takes over all the connecting client machines. [did I say this was really bad?]
Is there any good news?
As a matter of fact yes. [whew!] These vulnerabilities were discovered and reported, for the first time, by the NSA, to Microsoft directly. This means we have a very small window upon which to apply these patches without a large risk of compromise.
However, a very small window of Internet time could mean days or weeks.
Why is that you ask?
By analyzing the patches Microsoft released today, bad actors can quickly identify what code was changed. The patches are like a treasure map for hackers to follow: they diff the changed code and reverse engineer it until they find the vulnerability. Then they weaponize it. There is a race going on as we speak, among nation states and hacker groups, to identify and weaponize these vulnerabilities. We have days, maybe weeks, before these vulnerabilities are weaponized and used to exploit your systems.
What should I do for my business?
- If you have a Vulnerability Alert Management Process, follow its guidelines for a Severity 1 set of vulnerabilities.
- Until you have patched all your systems, monitor the cybersecurity news blogs for any signs of exploit code entering the wild.
- If you don’t have a VAMP, then pull your technical team(s) together and come up with a plan to patch all your critical systems within 10 days (sooner if possible).
- For those of you without a defined patch management process, once you’ve completed this fire-drill, you should sign up for CyberHoot, download our VAMP and adapt it to your organization.
What should I do for myself personally?
Your Windows version number may vary, but this is the update you want – go to Settings > Update & Security > Windows Update: