Threat and vulnerability management

Windows Update Warning

Coalfire is issuing this notice to alert our clients about a very important set of updates that were issued by Microsoft, as well as a pre-release announcement released by Oracle. While these are commonly handled through modern enterprise patch management systems, we want to underscore the importance of the issues that were covered in this month’s update.

Within the Patch Tuesday notice issued by Microsoft was a fix for CVE-2020-0601, a critical bug in the Windows CryptoAPI. The vulnerability affects the way Windows 10, Windows Server 2016 and Windows Server 2019 validate ECC (elliptic curve cryptography) certificates.

Exploitation of this vulnerability could allow an attacker to compromise a system in a number of ways, most notably by crafting a certificate that the flawed validation would accept as legitimate. Such a certificate could be used to impersonate a website or service, convincing the user that the connection is secure and trustworthy, so that HTTPS connections to spoofed hosts would be permitted.

It could also be used to impersonate internal bastion hosts that serve as gateways to protected environments (such as a CDE), or to sign malware so that it bypasses controls that only allow execution of software signed by a recognized authority. Many other avenues of exploitation exist beyond these simple examples. Microsoft and the NSA advise patching immediately.

If automated, enterprise-wide patching systems are not available, we recommend a prioritized approach to completing these patches. Start with internet-exposed systems that perform TLS validation and endpoints that host critical enterprise infrastructure, followed by systems used by privileged users and any others that are directly connected to the internet.

NSA warns that where manual patching is required, organizations should expect to find compromised hosts, and remediation will be necessary.

Additionally, and not covered in the Patch Tuesday bulletin but included in the update package, Microsoft also issued updates for CVE-2020-0609, a vulnerability in Windows Remote Desktop Gateway that can be triggered before authentication and could allow an attacker to run code of their choice (remote code execution). It is also rated critical and can be exploited remotely without any user interaction. It is currently known to affect older versions of the RD Gateway service, but it should still be treated as critical to patch, particularly on internet-exposed systems.
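The prioritization described above (internet-exposed TLS validators and critical infrastructure first, then privileged-user and internet-connected systems), extended with the internet-facing RD Gateway case, as an added example that is not part of Coalfire's notice or tooling. The inventory rows, the yes/no column layout and the decision to rank an exposed RD Gateway in the first tier are assumptions made for this example.

```python
import csv
import io

# Constructed sample inventory (not real hosts). Boolean columns use yes/no.
SAMPLE_INVENTORY = """\
name,os,internet_exposed,tls_validation,critical_infra,privileged_users,rd_gateway
web-proxy-01,Windows Server 2019,yes,yes,no,no,no
rdgw-01,Windows Server 2012 R2,yes,no,no,no,yes
dc-01,Windows Server 2016,no,no,yes,no,no
admin-ws-07,Windows 10,no,no,no,yes,no
kiosk-03,Windows 10,yes,no,no,no,no
lab-vm-02,Windows 10,no,no,no,no,no
file-srv-legacy,Windows Server 2012 R2,no,no,no,no,no
"""

# Versions the notice lists as affected by the CryptoAPI flaw (CVE-2020-0601).
AFFECTED_0601 = ("Windows 10", "Windows Server 2016", "Windows Server 2019")


def parse_inventory(text):
    """Read the CSV export; every column except name/os becomes a bool."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({k: v.strip() if k in ("name", "os")
                     else v.strip().lower() == "yes" for k, v in row.items()})
    return rows


def priority(host):
    """1 = patch first, 3 = remaining in-scope hosts, 4 = outside both CVEs."""
    needs_0601 = host["os"] in AFFECTED_0601
    needs_0609 = host["rd_gateway"]          # RD Gateway role is in scope regardless of OS
    if not (needs_0601 or needs_0609):
        return 4                             # neither CVE applies; regular patch cycle
    if needs_0609 and host["internet_exposed"]:
        return 1                             # assumption: exposed pre-auth RCE ranks with tier 1
    if host["internet_exposed"] and host["tls_validation"]:
        return 1                             # tier 1: internet-exposed TLS validators
    if host["critical_infra"]:
        return 1                             # tier 1: critical enterprise infrastructure
    if host["privileged_users"] or host["internet_exposed"]:
        return 2                             # tier 2: privileged users or otherwise internet-connected
    return 3


def patch_order(text):
    """Return (name, priority) pairs, earliest-to-patch first, ties by name."""
    hosts = parse_inventory(text)
    ranked = sorted(hosts, key=lambda h: (priority(h), h["name"]))
    return [(h["name"], priority(h)) for h in ranked]


if __name__ == "__main__":
    for name, tier in patch_order(SAMPLE_INVENTORY):
        print(f"tier {tier}: {name}")
```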

Finally, the Oracle patch pre-release announces that 333 security vulnerabilities are being addressed. According to the pre-release notice, over 100 of them can be exploited remotely without requiring user credentials. The products covered span 23 application suites; not all of them will apply to every environment, but we think it is appropriate to include them in this security alert. We recommend watching for the final security announcement and the related fixes to become available.