search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Microsoft Windows Remote Desktop Gateway allows for unauthenticated remote code execution

Vulnerability Note VU#491944

Original Release Date: 2020-01-14 | Last Revised: 2020-01-18

Overview

Microsoft Windows Remote Desktop Gateway contains vulnerabilities that may allow a remote, unauthenticated attacker to execute arbitrary code with SYSTEM privileges on a vulnerable system.

Description

Microsoft Windows Remote Desktop Gateway (RD Gateway) is a Windows Server component that provides access to Remote Desktop services without requiring the client system to be present on the same network as the target system. Originally launched as Terminal Services Gateway (TS Gateway) with Windows Server 2008, RD Gateway is a recommended way to provide Remote Desktop connectivity to cloud-based systems. For example, guidance has been provided for using RD Gateway with AWS, and also with Azure. The use of RD Gateway is recommended to reduce the attack surface of Windows-based hosts.

Microsoft RD Gateway in Windows Server 2012 and later contain two vulnerabilities that can allow an unauthenticated remote attacker to execute arbitrary code with SYSTEM privileges. It is reported by Kryptos Logic that the flaws lie in handling of fragmentation. This vulnerability is exploitable by connecting to the RD Gateway service listening on UDP/3391.

Impact

By sending a specially-crafted request to a Remote Desktop Gateway server, an unauthenticated remote attacker to execute arbitrary code with SYSTEM privileges.

Solution

Apply an update

This issue is addressed in the Microsoft updates for CVE-2020-0609 and CVE-2020-0610. If this update cannot be installed, consider the following workarounds:

Disable Remote Desktop Gateway UDP transport

This vulnerability can be mitigated by disabling the UDP transport for Remote Desktop Gateway.


Block access to UDP/3391 at the network level

This vulnerability can be mitigated by blocking access to the Remote Desktop Gateway UDP port, which is UDP/3391 by default.

Vendor Information

491944
 
Affected   Unknown   Unaffected

Microsoft

Updated:  January 14, 2020

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References


CVSS Metrics

Group Score Vector
Base 10 AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal 7.8 E:POC/RL:OF/RC:C
Environmental 5.9 CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

Acknowledgements

This document was written by Will Dormann.

Other Information

CVE IDs: CVE-2020-0609, CVE-2020-0610
Date Public: 2020-01-14
Date First Published: 2020-01-14
Date Last Updated: 2020-01-18 14:55 UTC
Document Revision: 40

Sponsored by CISA.