Patch Lady – forget that crypto one, worry about this one

    Posted on January 14th, 2020 at 21:41 Susan Bradley Comment on the AskWoody Lounge

If you are an IT consultant or admin with an Essentials 2012 (or later) server, or you use the RD Gateway role and expose it over port 443 so users can reach RDWeb or their desktops, forget that crypt32.dll bug (CVE-2020-0601). This is the one to worry about.

It impacts Server 2012 and above, so there is no impact to SBS 2011 or SBS 2008, but yes to Essentials 2012 and higher.

Essentials 2012 exposes RD Gateway over port 443, and 3389 is not open to the web (well, not normally), but given that this is a pre-authentication exploit, all an attacker has to do is throw that crafted request at port 443 rather than 3389 (assuming I’m reading this right).

So if you look after small-business (SMB) servers that run the RD Gateway role, patch those servers this time faster than you normally would.
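To turn the "am I exposed, and am I patched yet?" question above into something you can run on each server, here is an added PowerShell check; it is not code from the post or from Microsoft. It assumes the Remote Desktop Gateway feature name `RDS-Gateway`, a Windows Server 2012 floor of build 9200, and that the RD Gateway HTTPS transport listens on 443/tcp; it also inventories the RD Gateway UDP transport on 3391/udp, which the post does not discuss. The KB list is a placeholder you fill in from the MSRC advisory page linked below; if you leave it empty, the script falls back to a heuristic (any security update installed on or after the 14 January 2020 Patch Tuesday).

```powershell
# Added example (not from the AskWoody post): inventory RD Gateway exposure and
# January 2020 patch state on one Windows Server host. Run in an elevated
# PowerShell on Server 2012 or later (Get-NetTCPConnection needs 2012+).
# Assumptions: feature name RDS-Gateway, build 9200 = Server 2012, 443/tcp and
# 3391/udp as the externally reachable RD Gateway listeners.
param(
    # KB article ID(s) for this OS from the MSRC page for CVE-2020-0609.
    # Left empty on purpose: the post does not list them, so fill in your own.
    [string[]] $ExpectedKb = @(),
    # Heuristic cut-off: a security update installed on/after Patch Tuesday
    # (14 Jan 2020) is treated as evidence the fix is present.
    [datetime] $PatchTuesday = [datetime]'2020-01-14'
)

$os    = Get-CimInstance -ClassName Win32_OperatingSystem
$build = [int]$os.BuildNumber
# Server 2012 is build 9200. Server 2008 R2 (the base of SBS 2011) is 7601
# and is not affected per the advisory.
$affectedOs = $build -ge 9200

# Is the RD Gateway role actually installed here?
Import-Module ServerManager -ErrorAction SilentlyContinue
$gw          = Get-WindowsFeature -Name RDS-Gateway -ErrorAction SilentlyContinue
$gwInstalled = [bool]($gw -and $gw.Installed)

# Listeners reachable before any authentication happens. Note this only shows
# what the box listens on; whether your firewall/NAT forwards them from the
# internet is a separate check.
$tcp443  = Get-NetTCPConnection -LocalPort 443 -State Listen -ErrorAction SilentlyContinue
$udp3391 = Get-NetUDPEndpoint   -LocalPort 3391 -ErrorAction SilentlyContinue

# Patch state: exact KB match if you supplied IDs, otherwise the date heuristic.
$hotfixes = Get-HotFix
$kbHits   = @($hotfixes | Where-Object { $ExpectedKb -contains $_.HotFixID })
$recent   = @($hotfixes | Where-Object {
    $_.Description -match 'Security' -and $_.InstalledOn -and $_.InstalledOn -ge $PatchTuesday
})
$patched = ($kbHits.Count -gt 0) -or ($ExpectedKb.Count -eq 0 -and $recent.Count -gt 0)

[pscustomobject]@{
    ComputerName       = $env:COMPUTERNAME
    OSCaption          = $os.Caption
    Build              = $build
    AffectedOSFamily   = $affectedOs
    RDGatewayRole      = $gwInstalled
    Listening443Tcp    = [bool]$tcp443
    Listening3391Udp   = [bool]$udp3391
    MatchedKBs         = ($kbHits.HotFixID -join ',')
    SecurityUpdatesSincePatchTuesday = $recent.Count
    # Exposed: affected OS, gateway role present, and a pre-auth listener up.
    Exposed            = $affectedOs -and $gwInstalled -and ([bool]$tcp443 -or [bool]$udp3391)
    # NeedsUrgentPatch: exposed and no evidence of the January 2020 fix.
    NeedsUrgentPatch   = $affectedOs -and $gwInstalled -and -not $patched
}
```

Save it as a `.ps1` and run it on each candidate server, passing `-ExpectedKb` with the KB number(s) the MSRC page lists for that OS; a row with `Exposed = True` and `NeedsUrgentPatch = True` is the one to deal with first. The date heuristic is deliberately loose (it will also be satisfied by a later cumulative update), so prefer the explicit KB match where you can.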

    https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0609

    A remote code execution vulnerability exists in Windows Remote Desktop Gateway (RD Gateway) when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

To exploit this vulnerability, an attacker would need to send a specially crafted request to the target system's RD Gateway via RDP.

(edit: for anyone asking, 2008 R2 is not vulnerable, and thus SBS 2011 is not vulnerable. It’s only vulnerable on Server 2012 and later; remember, SBS 2011’s base operating system drops out of support today.)