Emergency Directives Issued by CISA and OCR to Mitigate Critical Windows Vulnerabilities

Microsoft has issued patches for several critical vulnerabilities in all supported Windows versions that require urgent attention to prevent exploitation. While there have been no reports of exploitation of the flaws in the wild, the seriousness of the vulnerabilities and their potential to be weaponized has prompted both the Department of Homeland Security (DHS) and the Department of Health and Human Services (HHS) to issue emergency directives about the vulnerabilities.

One of the vulnerabilities was discovered by the National Security Agency (NSA), which took the unusual step of reporting the vulnerability to Microsoft. This is the first time that a vulnerability has been reported by the NSA to a software vendor.

Windows CryptoAPI Vulnerability Requires Immediate Patching

The NSA-discovered vulnerability, tracked as CVE-2020-0601, affects Windows 10 and Server 2016/2019 systems. The vulnerability is due to how the Windows CryptoAPI validates Elliptic Curve Cryptography (ECC) certificates. The flaw would allow a remote attacker to sign malicious code with an ECC certificate to make it appear that the code has been signed by a trusted organization.

The vulnerability could also be exploited in a man-in-the-middle attack. Malicious certificates could be issued for a hostname that did not authorize it and applications and browsers that rely on the Windows CryptoAPI would not issue any warnings or alerts. A remote attacker could exploit the flaw and decrypt, modify, or inject data on user connections undetected.

There are no reported cases of exploitation of the vulnerability, but the NSA believes it will not take long for advanced persistent threat (APT) groups to understand the underlying flaw and weaponize the vulnerability, hence the decision to report the flaw to Microsoft.

According to the NSA, “The consequences of not patching the vulnerability are severe and widespread. Remote exploitation tools will likely be made quickly and widely available. Rapid adoption of the patch is the only known mitigation at this time and should be the primary focus for all network owners.”

Critical RCE Vulnerabilities in Windows Remote Desktop

Three pre-authentication vulnerabilities in Windows Remote Desktop have been patched by Microsoft. Two of the vulnerabilities – CVE-2020-0609 and CVE-2020-0610 – could allow a remote attacker to connect to servers and remotely execute arbitrary code without any user interaction. After exploiting the flaws they could install programs, view, change, or delete data, or create new accounts with full admin rights. The flaws could be exploited by sending a specially crafted request to a vulnerable server.

The third vulnerability – CVE-2020-0612 – could be exploited in a similar fashion and could allow an attacker to perform a denial of service attack and crash the RDP system.

The vulnerabilities are present in the RDP Gateway Server and Windows Remote Desktop Client and affect all supported versions of Windows and Windows Server.

Emergency Directives Issued by DHS and OCR

The Department of Homeland Security has determined the vulnerabilities to pose an unacceptable risk to the Federal enterprise and has issued an emergency directive (20-02) to all federal agencies calling for the patches to be applied on all affected endpoints within 10 business days and for technical and/or management controls to be put in place for newly provisioned or previously disconnected endpoints.

The seriousness of the vulnerabilities has prompted the HHS’ Office for Civil Rights to issue an emergency directive of its own to the healthcare industry and public sector. All healthcare and public health entities have been advised to apply the patches as soon as possible to ensure the vulnerabilities are not exploited.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.