Arraya Insights | January 27, 2020
Heads up: Microsoft and the National Security Agency (NSA) just sounded the alarm on a newly discovered Windows vulnerability, one that has left potentially hundreds of millions of devices open to attack. Designated CVE-2020-0601, it affects certificate validation on devices running Windows 10, Windows Server 2016, Windows Server 2019, and Windows Server version 1803. Essentially, attackers leveraging this flaw could easily convince an affected device that a malicious application was actually something legitimate. They could also use it to launch man-in-the-middle attacks by spoofing secure HTTPS connections or impersonating verified email addresses.
This is a big deal, though there is some minor disagreement over just how big. NSA didn’t hesitate to designate it as a “critical” vulnerability, one which needs to be addressed “as soon as possible.” Meanwhile, Microsoft classified the threat as “important” due to the fact that it hadn’t “yet” witnessed any malicious actors exploiting the vulnerability in the wild. “Yet,” of course, seems to be the operative word in that sentence.
Although CVE-2020-0601 is the most talked about vulnerability in recent news, two other vulnerabilities may be just as bad or worse for your organization. CVE-2020-0609 and CVE-2020-0610 allow remote code execution on Windows RDP Gateway Servers. They let an attacker run code without authenticating and without any user interaction.
No organization wants to find it’s become the first victim of any of these bugs – or a victim at all. Luckily, the recommended resolution is straightforward enough. Organizations can protect themselves simply by making sure they have installed all of Microsoft’s Patch Tuesday updates so far from January 2020. For some, it’s the scope of the vulnerability that could prove problematic. Those without a way of automatically pushing out updates organization-wide – or the support of, say, a technology partner able to handle patching duties – are suddenly facing quite a bit of unanticipated manual work.
Responding to vulnerabilities like CVE-2020-0601
For organizations who find themselves in that boat, NSA issued guidance on how best to structure those preventative efforts moving forward. High priority items should include anything providing mission-critical or at least “broadly-relied upon” services, as well as devices that are most likely to be exploited. The agency made particular note of:
- Windows-based web appliances, servers, or proxies dealing with TLS validation
- Endpoints hosting key infrastructure (e.g., domain controllers, DNS servers, update servers, VPN servers, IPSec negotiation, etc.)
- Internet-facing endpoints
- Endpoints regularly used by privileged users (e.g., administrators, executive leadership, etc.)
While it can be helpful to prioritize, NSA is quick to point out, directly under its own version of the above list, that: “Applying patches to all affected endpoints is recommended, when possible, over prioritizing specific classes of endpoints.”
Next Steps: Take immediate action to keep your organization safe
Even though there have been no recorded exploits of CVE-2020-0601 as of yet, it’s best not to let risks like these linger. Organizations should take immediate action and patch their systems. Furthermore, administrators must also be prepared to execute containment and remediation activities in the event that their system has indeed been compromised.
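One way to combine the two steps above (confirm the patch is on, then watch for abuse) is to check each host for the January 2020 update and for the CryptoAPI audit event Microsoft added with the fix. This is an added example, not code from the Arraya post or from Microsoft; it assumes administrative rights on the target hosts, and the KB list is a placeholder you must fill in from Microsoft’s January 2020 Patch Tuesday release notes for each OS version, since the post does not list KB numbers.

```powershell
# Added example: audit Windows hosts for the January 2020 update and for
# post-patch CryptoAPI audit events tied to CVE-2020-0601.
# Assumptions: run with administrative rights; $RequiredKBs is a placeholder
# (fill it from the January 2020 Patch Tuesday notes for the host's OS build).
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    [string[]]$RequiredKBs  = @('KB<placeholder-for-your-OS-build>'),
    [int]$LookbackDays      = 30
)

foreach ($computer in $ComputerName) {
    # 1. Patch status: Get-HotFix lists installed updates by KB id.
    $installed = Get-HotFix -ComputerName $computer -ErrorAction SilentlyContinue |
                 Select-Object -ExpandProperty HotFixID
    $missing = @($RequiredKBs | Where-Object { $_ -notin $installed })

    # 2. Exploitation attempts: once the fix is installed, CryptoAPI writes
    #    Event ID 1 from provider Microsoft-Windows-Audit-CVE to the Application
    #    log when a certificate tries to exploit CVE-2020-0601. Unpatched hosts
    #    never log this event, so "0 attempts" only means something when
    #    $missing is empty. The same provider logs other CVEs, hence the filter
    #    on the message text.
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-Audit-CVE'
        Id           = 1
        StartTime    = (Get-Date).AddDays(-$LookbackDays)
    }
    $events = @(Get-WinEvent -ComputerName $computer -FilterHashtable $filter `
                   -ErrorAction SilentlyContinue |
               Where-Object { $_.Message -match 'CVE-2020-0601' })

    [pscustomobject]@{
        Computer        = $computer
        Patched         = ($missing.Count -eq 0)
        MissingUpdates  = ($missing -join ', ')
        ExploitAttempts = $events.Count
        LastAttempt     = if ($events.Count -gt 0) {
                              ($events | Sort-Object TimeCreated -Descending)[0].TimeCreated
                          } else { $null }
    }
}
```

Any host reporting Patched = True with ExploitAttempts greater than zero is a candidate for the containment and remediation work described above, since something presented it a forged certificate.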
Need a hand deploying patches, scanning your network for malicious activity, or conducting cleanup efforts? Arraya’s Cyber Team (ACT) can help. ACT provides the tools, techniques, or in-the-field talent your organization needs to defend itself against threats like CVE-2020-0601 and beyond. You can open a line of dialogue with them today by visiting: https://www.arrayasolutions.com/contact-us/.
We want to hear from you! Leave us a comment on this or any of our blog posts by way of social media. Arraya can be found on LinkedIn, Twitter, and Facebook. While you’re there, follow us to stay up to date on our industry insights and unique IT learning opportunities.