{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2020-003.pdf"
    },
    "title": "Critical Vulnerabilities in Microsoft Windows",
    "serial_number": "2020-003",
    "publish_date": "15-01-2020 11:47:00",
    "description": "Several critical vulnerabilities affecting Microsoft Windows were patched on the 14th of January 2020, as part of the regular patch Tuesday. Some of the vulnerabilities are quite critical, so it is extremely important to apply the patches as soon as possible.<br><br>A vulnerability identified as CVE-2020-0601 affects the Microsoft Windows CryptoAPI, enabling malicious software to appear as authentically signed by a trusted or trustworthy organisation. Other vulnerabilities, identified as CVE-2020-0609, CVE-2020-0610, and CVE-2020-0611 respectively, affect the Windows Remote Desktop Server and Client, and could lead to remote code execution.",
    "url_title": "2020-003",
    "content_markdown": "---\ntitle: 'Critical Vulnerabilities in\u00a0Microsoft\u00a0Windows'\nversion: '1.0'\nnumber: '2020-003'\ndate: 'January 15, 2020'\n---\n\n_History:_\n\n* _15/01/2020 --- v1.0 -- Initial publication_\n\n# Summary\n\nSeveral **critical vulnerabilities** affecting Microsoft Windows were patched on the 14th of January 2020, as part of the regular _patch Tuesday_ [1]. Some of the vulnerabilities are quite critical, so it is extremely important to **apply the patches as soon as possible**.\n\nA vulnerability identified as CVE-2020-0601 affects the Microsoft Windows CryptoAPI, enabling malicious software to appear as authentically signed by a trusted or trustworthy organisation. Other vulnerabilities, identified as CVE-2020-0609, CVE-2020-0610, and CVE-2020-0611 respectively, affect the Windows Remote Desktop Server and Client, and could lead to remote code execution [2].\n\n# Technical Details\n\nThe vulnerability CVE-2020-0601 exists in the way the Microsoft Windows CryptoAPI (`crypt32.dll`) validates Elliptic Curve Cryptography certificates [1]. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear that the file came from a trusted, legitimate source. A successful exploit could also allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software.\n\nThe vulnerabilities CVE-2020-0609 and CVE-2020-0610 affecting the Windows Remote Desktop Gateway Server could allow remote code execution by an unauthenticated attacker via specially crafted requests. These vulnerabilities do not require user interaction [3, 4]. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n\nThe vulnerability CVE-2020-0611 affecting the Windows Remote Desktop Client could allow remote code execution on the client computer. To do so, an attacker needs to have control of a server and convince a user to connect to it. Then, the attacker could execute arbitrary code on the computer of the connecting client [5].\n\n# Affected Products\n\nAn overview of the affected products is presented below. For a detailed list of affected versions, please consult [1, 3, 4, 5].\n\nMicrosoft Windows CryptoAPI vulnerability - CVE-2020-0601 [1]:\n\n* Windows 10 for 32-bit Systems and x64-based Systems\n* Windows Server 2016 and 2019\n\nWindows Remote Desktop Server vulnerabilities - CVE-2020-0609, CVE-2020-0610 [3, 4]:\n\n* Windows Server 2012, 2012 R2, 2016, and 2019\n\nWindows Remote Desktop Client vulnerability - CVE-2020-0611 [5]:\n\n* Windows 10 for 32-bit Systems and x64-based Systems\n* Windows 8.1 for 32-bit and x64-based Systems\n* Windows 7 for 32-bit and x64-based Systems (SP1)\n* Windows Server 2012, 2012 R2, 2016, and 2019\n* Windows Server 2008 R2 for Itanium-based and x64-based Systems (SP1)\n\n# Recommendations\n\nMicrosoft has released patches to address these vulnerabilities. It is highly recommended to apply these critical patches as soon as possible, first on critical systems, internet-facing systems and network servers, and then on other affected assets.\n\nNSA has also issued its recommendations for mitigating actions [6], which may be used as a guideline if enterprise-wide automatic patching is not possible.\n\n# References\n\n[1] <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601>\n\n[2] <https://www.us-cert.gov/ncas/alerts/aa20-014a>\n\n[3] <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0609>\n\n[4] <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0610>\n\n[5] <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0611>\n\n[6] <https://media.defense.gov/2020/Jan/14/2002234275/-1/-1/0/CSA-WINDOWS-10-CRYPT-LIB-20190114.PDF>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>15/01/2020 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>Several <strong>critical vulnerabilities</strong> affecting Microsoft Windows were patched on the 14th of January 2020, as part of the regular <em>patch Tuesday</em> [1]. Some of the vulnerabilities are quite critical, so it is extremely important to <strong>apply the patches as soon as possible</strong>.</p><p>A vulnerability identified as CVE-2020-0601 affects the Microsoft Windows CryptoAPI, enabling malicious software to appear as authentically signed by a trusted or trustworthy organisation. Other vulnerabilities, identified as CVE-2020-0609, CVE-2020-0610, and CVE-2020-0611 respectively, affect the Windows Remote Desktop Server and Client, and could lead to remote code execution [2].</p><h2 id=\"technical-details\">Technical Details</h2><p>The vulnerability CVE-2020-0601 exists in the way the Microsoft Windows CryptoAPI (<code>crypt32.dll</code>) validates Elliptic Curve Cryptography certificates [1]. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear that the file came from a trusted, legitimate source. A successful exploit could also allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software.</p><p>The vulnerabilities CVE-2020-0609 and CVE-2020-0610 affecting the Windows Remote Desktop Gateway Server could allow remote code execution by an unauthenticated attacker via specially crafted requests. These vulnerabilities do not require user interaction [3, 4]. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.</p><p>The vulnerability CVE-2020-0611 affecting the Windows Remote Desktop Client could allow remote code execution on the client computer. To do so, an attacker needs to have control of a server and convince a user to connect to it. Then, the attacker could execute arbitrary code on the computer of the connecting client [5].</p><h2 id=\"affected-products\">Affected Products</h2><p>An overview of the affected products is presented below. For a detailed list of affected versions, please consult [1, 3, 4, 5].</p><p>Microsoft Windows CryptoAPI vulnerability - CVE-2020-0601 [1]:</p><ul><li>Windows 10 for 32-bit Systems and x64-based Systems</li><li>Windows Server 2016 and 2019</li></ul><p>Windows Remote Desktop Server vulnerabilities - CVE-2020-0609, CVE-2020-0610 [3, 4]:</p><ul><li>Windows Server 2012, 2012 R2, 2016, and 2019</li></ul><p>Windows Remote Desktop Client vulnerability - CVE-2020-0611 [5]:</p><ul><li>Windows 10 for 32-bit Systems and x64-based Systems</li><li>Windows 8.1 for 32-bit and x64-based Systems</li><li>Windows 7 for 32-bit and x64-based Systems (SP1)</li><li>Windows Server 2012, 2012 R2, 2016, and 2019</li><li>Windows Server 2008 R2 for Itanium-based and x64-based Systems (SP1)</li></ul><h2 id=\"recommendations\">Recommendations</h2><p>Microsoft has released patches to address these vulnerabilities. It is highly recommended to apply these critical patches as soon as possible, first on critical systems, internet-facing systems and network servers, and then on other affected assets.</p><p>NSA has also issued its recommendations for mitigating actions [6], which may be used as a guideline if enterprise-wide automatic patching is not possible.</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601\">https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.us-cert.gov/ncas/alerts/aa20-014a\">https://www.us-cert.gov/ncas/alerts/aa20-014a</a></p><p>[3] <a rel=\"noopener\" target=\"_blank\" href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0609\">https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0609</a></p><p>[4] <a rel=\"noopener\" target=\"_blank\" href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0610\">https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0610</a></p><p>[5] <a rel=\"noopener\" target=\"_blank\" href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0611\">https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0611</a></p><p>[6] <a rel=\"noopener\" target=\"_blank\" href=\"https://media.defense.gov/2020/Jan/14/2002234275/-1/-1/0/CSA-WINDOWS-10-CRYPT-LIB-20190114.PDF\">https://media.defense.gov/2020/Jan/14/2002234275/-1/-1/0/CSA-WINDOWS-10-CRYPT-LIB-20190114.PDF</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}