Windows Update Warning

January 15, 2020, Mike Weber, Vice President, Coalfire Labs

Coalfire is issuing this notice to alert our clients to a very important set of updates issued by Microsoft, as well as a pre-release announcement from Oracle. While these are commonly handled through modern enterprise patch management systems, we want to underscore the importance of the issues covered in this month’s update.

Within the “patch Tuesday” notice issued by Microsoft was a fix for CVE-2020-0601, a critical bug in the Windows CryptoAPI. The vulnerability affects the way Microsoft Windows 10 and Windows Server 2016 / 2019 validate ECC (elliptic curve cryptography) certificates.

Exploitation of this vulnerability could allow an attacker to compromise a system in a number of ways, most notably by crafting a certificate that the flawed validation would accept as legitimate. Such a certificate could be used to impersonate a website or service, convincing a user that the connection is secure and its integrity intact, so that HTTPS connections to spoofed hosts would be permitted.

This could also be exploited to impersonate internal bastion hosts that serve as gateways to protected environments (such as a CDE), or to sign malware so that it bypasses protections that only allow software signed by a recognized authority to run. There remains a wide variety of ways this could be exploited beyond these simple examples. Microsoft and the NSA advise patching immediately.

If automated, enterprise-wide patching systems are not available, we recommend a prioritized approach to completing these patches. Start with internet-exposed systems that perform TLS validation and endpoints that host critical enterprise infrastructure, followed by systems used by privileged users and any others directly connected to the internet.

The NSA warns that where manual patching is required, organizations should expect to find compromised hosts, and remediation will be necessary.
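One triage check a defender can apply while working through that prioritized list, given here as an added example that is not part of Coalfire's advisory or the NSA guidance: the flaw lay in how CryptoAPI handled EC certificates whose curve parameters are spelled out explicitly rather than named by OID, so certificates collected from TLS endpoints or signed binaries can be screened for that shape. The minimal DER encoder/decoder, the sample keys and the `cert_with` certificate shell are all constructed here for illustration.

```python
# Added example, not code from the Coalfire advisory: screen X.509 certificates for EC
# keys with explicit curve parameters (the shape CVE-2020-0601 abuse relied on).
ID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")    # OID 1.2.840.10045.2.1
P256_OID = bytes.fromhex("2a8648ce3d030107")          # OID 1.2.840.10045.3.1.7

def der_tlv(data: bytes, pos: int = 0):
    """Decode one DER element at pos: returns (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length
def der_children(value: bytes):
    """Split the body of a constructed element into [(tag, value), ...]."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out
def der(tag: int, payload: bytes) -> bytes:
    """Encode one DER element (short or long-form length); builds the samples below."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload
def ec_param_kind(spki_der: bytes) -> str:
    """Classify a SubjectPublicKeyInfo: named-curve, explicit, implicit or not-ec."""
    _, spki, _ = der_tlv(spki_der)
    (_, alg_oid), *params = der_children(der_children(spki)[0][1])
    if alg_oid != ID_EC_PUBLIC_KEY:
        return "not-ec"
    tag = params[0][0] if params else 0x05      # absent parameters: implicitlyCA
    return {0x06: "named-curve", 0x30: "explicit", 0x05: "implicit"}.get(tag, "unknown")
def find_spki(cert_der: bytes) -> bytes:
    """Return the SubjectPublicKeyInfo element of a DER-encoded certificate."""
    _, cert, _ = der_tlv(cert_der)
    fields = [c for c in der_children(der_children(cert)[0][1]) if c[0] != 0xA0]
    tag, val = fields[5]        # serial, signature, issuer, validity, subject, SPKI
    return der(tag, val)

# Constructed samples (not real keys): identical key bytes, one named curve, one explicit.
POINT = der(0x03, b"\x00\x04" + b"\x11" * 64)
def spki_with(params: bytes) -> bytes:
    return der(0x30, der(0x30, der(0x06, ID_EC_PUBLIC_KEY) + params) + POINT)
NAMED_SPKI = spki_with(der(0x06, P256_OID))
EXPLICIT_SPKI = spki_with(der(0x30, der(0x02, b"\x01")))   # abbreviated ECParameters
def cert_with(spki: bytes) -> bytes:   # minimal DER certificate shell around an SPKI
    tbs = der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"") * 4 + spki
    return der(0x30, der(0x30, tbs) + der(0x30, b"") + der(0x03, b"\x00"))
```

A result of "explicit" marks a certificate for review rather than proving abuse: explicit parameters are legitimate but rare, and the patched CryptoAPI is what ultimately decides whether they match a trusted curve.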

https://media.defense.gov/2020/Jan/14/2002234275/-1/-1/0/CSA-WINDOWS-10-CRYPT-LIB-20190114.PDF

https://www.us-cert.gov/ncas/alerts/aa20-014a

https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/2020-Jan

Additionally, not covered in the patch Tuesday bulletin but included in the update package, Microsoft also issued updates for CVE-2020-0609. This vulnerability could result in pre-authentication remote code execution on Windows Remote Desktop Gateway, allowing an attacker to run code of their choice. It is also rated critical and can be exploited remotely without any user interaction. It is currently known to affect older versions of the RD Gateway service, but should still be considered critical to patch, particularly on internet-exposed systems.

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0609

Finally, Oracle’s patch pre-release announces that 333 security vulnerabilities are being addressed. According to the pre-release notice, over 100 of them can be exploited remotely without requiring user credentials. The products in this pre-release notice span 23 application suites. Not all of them will apply to every environment, but we think it appropriate to include them in this security alert. We recommend watching for the release of the security announcement and the related fixes.

https://www.oracle.com/security-alerts/cpujan2020.html
