A remote code execution (RCE) exploit for Windows Remote Desktop Gateway (RD Gateway) was demoed by InfoGuard AG penetration tester Luca Marcelli, after a proof-of-concept denial of service exploit was released by Danish security researcher Ollypwn on Friday for the same pair of flaws.
The exploit targets the CVE-2020-0609 and CVE-2020-0610 bugs found in the Remote Desktop Gateway (RD Gateway) component on devices running Windows Server (2012, 2012 R2, 2016, and 2019).
Marcelli said that a blog post detailing how to achieve RCE with BlueGate will follow in the next few days, but that he will "wait a bit until people had enough time to patch before releasing this to the public."
A video demo of Marcelli's RCE exploit for CVE-2020-0609 and CVE-2020-0610 in action is embedded below:
The BlueGate Windows RDP vulnerability
RD Gateway lets admins permit connections coming from the Internet to reach Remote Desktop servers on internal networks, but only after proper authentication.
The vulnerabilities, previously dubbed BlueGate by Ollypwn, are both pre-authentication remote code execution flaws rated by Redmond as critical, and they were patched by Microsoft on January 14, as part of the January Patch Tuesday.
"A remote code execution vulnerability exists in Windows Remote Desktop Gateway (RD Gateway) when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests," Microsoft's security advisories explain.
Scanners for checking if a Windows Server system is vulnerable to CVE-2020-0609 and CVE-2020-0610 exploitation attempts were developed by both Ollypwn and Kryptos Logic security researcher Marcus Hutchins.
As Hutchins warned though, "this is only a proof-of-concept and not designed for real-world use. Use at your own risk and only scan systems you have permission to test."
If successfully exploited, either of the two security flaws could enable unauthenticated attackers to execute arbitrary code on vulnerable, unpatched systems.
Patch your Windows Servers
While attackers haven't yet started to actively scan for unpatched RD Gateway servers, almost 20,000 of them are connected to the Internet according to a Shodan scan looking for servers with UDP port 3391 open, the port used by RD Gateway's UDP transport, which is where the bugs lie.
This translates into thousands of potential targets for a threat actor who will either get their hands on or develop a working RCE exploit for the two RD Gateway vulnerabilities in a matter of days.
You should immediately install the security updates Microsoft issued this month for the BlueGate flaw, available for download from here and here, to protect your servers against potential future attacks targeting unpatched RD Gateway services.
On devices where Microsoft's patches can't be installed, "you should apply other measurements such as disabling UDP traffic" to block BlueGate exploitation attempts, Marcelli said.
"Simply disabling UDP Transport, or firewalling the UDP port (usually port 3391) is sufficient to prevent exploitation," Hutchins also explained in an analysis of the flaws.
This is because, as Hutchins further detailed, while "RDG supports the HTTP, HTTPS, and UDP protocols [...] the vulnerabilities only exist in the code responsible for handling UDP."
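The UDP-only workaround described above, as an added PowerShell example that is not from the article, Hutchins or Marcelli: on a host running the RD Gateway service it checks whether anything is bound to UDP 3391 and adds an idempotent inbound firewall rule blocking that port. The rule name, and 3391 as the port, are assumptions; pass another port if your gateway's UDP transport was reconfigured in RD Gateway Manager.

```powershell
# Added example (not from the article): block RD Gateway's UDP transport
# as an interim BlueGate (CVE-2020-0609 / CVE-2020-0610) mitigation until
# the January 2020 updates are installed. Run from an elevated PowerShell.
param(
    # RD Gateway's UDP transport listens on 3391 by default (assumption:
    # adjust if your deployment changed it in RD Gateway Manager).
    [int]$UdpPort = 3391,
    # The rule name is an assumption; any unique display name works.
    [string]$RuleName = "BlueGate mitigation - block RD Gateway UDP $UdpPort"
)

# 1. Only relevant on hosts running the RD Gateway service (TSGateway).
$svc = Get-Service -Name TSGateway -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Host "TSGateway service not present; nothing to do."
    return
}
Write-Host "TSGateway service status: $($svc.Status)"

# 2. Report whether the vulnerable UDP transport is actually bound.
$listener = Get-NetUDPEndpoint -LocalPort $UdpPort -ErrorAction SilentlyContinue
if ($listener) {
    Write-Host "UDP $UdpPort is bound (PID $($listener.OwningProcess)); exposure confirmed."
} else {
    Write-Host "Nothing bound on UDP $UdpPort; UDP transport may already be disabled."
}

# 3. Create the inbound block rule once (safe to re-run).
$rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
if (-not $rule) {
    $rule = New-NetFirewallRule -DisplayName $RuleName -Direction Inbound `
        -Protocol UDP -LocalPort $UdpPort -Action Block -Profile Any `
        -Description "Interim BlueGate mitigation; remove after patching."
    Write-Host "Created firewall rule '$RuleName'."
} else {
    Write-Host "Firewall rule '$RuleName' already exists."
}

# 4. Verify the rule is enabled and really scoped to the UDP port.
$portFilter = $rule | Get-NetFirewallPortFilter
[pscustomobject]@{
    Rule      = $rule.DisplayName
    Enabled   = $rule.Enabled
    Action    = $rule.Action
    Protocol  = $portFilter.Protocol
    LocalPort = $portFilter.LocalPort
}
```

Blocking the port only drops the optional UDP channel; Remote Desktop clients keep working over the HTTP/HTTPS transport. Remove the rule once the Microsoft update is installed and the gateway's UDP transport is wanted again.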