Emergency Directives from CISA and OCR to Abate Critical Windows Vulnerabilities

To avoid critical vulnerabilities exploitation, Microsoft has introduced patches to be used on all supported Windows versions that require prompt attention. Though there’s no report yet about vulnerabilities exploitation, the threat is real. Hence, the two agencies, Department of Homeland Security (DHS) and the Department of Health and Human Services (HHS), gave emergency directives to address the vulnerabilities.

Prompt Patching Required for Windows CryptoAPI Vulnerability

The National Security Agency (NSA) identified vulnerability CVE-2020-0601and notified Microsoft. The discovered vulnerability can impact Windows 10 and Server 2016/2019 systems. The flaw lies in the validation process of Elliptic Curve Cryptography (ECC) certificates by the Windows CryptoAPI. An attacker could remotely exploit the vulnerability and add malicious code on an ECC certificate making it appear as if a trusted company signed it.

The vulnerability may likewise be taken advantage of in a man-in-the-middle attack. Malicious certificates are issued for a hostname without proper authorization and there’s no warning given by the Windows CryptoAPI on applications and browsers. A remote attacker exploiting the flaw can decrypt, alter, or input data on user connections without being spotted.

No incidents of flaw exploitation have been documented, nonetheless, the NSA is convinced that eventually advanced persistent threat (APT) groups would be aware of the underlying dilemma and weaponize it, for that reason Microsoft was notified about the vulnerability.

NSA explained that not applying the patch could cause severe and extensive effects. It is possible that remote exploitation tools are going to be largely available shortly. Immediate patching is the sole mitigation for now and should be the main concentration of all network users.

Critical RCE Vulnerabilities in Windows Remote Desktop

Microsoft released patches to fix the three pre-authentication vulnerabilities in Windows Remote Desktop. An attacker could remotely exploit the two vulnerabilities (CVE-2020-0610 and CVE-2020-0609) and connect to servers and implement arbitrary code with no user interaction. After vulnerabilities exploitation, attackers could deploy programs, access, alter, or wipe off data, or make new accounts having administrator privileges. The vulnerabilities may be exploited by showing a specifically designed request to a vulnerable server.

An attacker could likewise take advantage of the third vulnerability (CVE-2020-0612) to launch a denial of service attack that will breakdown the RDP system.

The Windows Remote Desktop Client and RDP Gateway Server are affected by the vulnerabilities as well as all supported versions of Windows and Windows Server.

DHS and OCR’s Emergency Instructions

The Department of Homeland Security know the great risk of the vulnerabilities to the Federal organization. So, it presented an emergency directive (20-02) to all federal agencies to patch all affected systems within 10 business days and to use technical and/or management controls for fresh or previously disconnected endpoints.

Due to the risk of the vulnerabilities, the HHS’ Office for Civil Rights released its own emergency directive to both the healthcare and public sector. All entities must use the patches straight away to avert vulnerabilities exploitation.