As part of this year's first Patch Tuesday, Microsoft also fixed two critical vulnerabilities affecting Windows Server 2012, 2016 and 2019: CVE-2020-0609 and CVE-2020-0610. According to the company, the Windows Remote Desktop Gateway component (RD Gateway, formerly Terminal Services Gateway) is vulnerable to remote code execution: an unauthenticated attacker who connects to the server over RDP and sends specially crafted requests can take over the vulnerable Windows server.
The first technical analysis of these bugs was published by security researcher Marcus Hutchins (aka MalwareTech), who also released the source code of a scanner for checking servers for the vulnerabilities.
Other researchers have since published the first exploits for the new vulnerabilities. The first was a Danish researcher known under the pseudonym Ollypwn, who gave the pair of vulnerabilities the common name BlueGate and last week released PoC exploits for CVE-2020-0609 and CVE-2020-0610 that trigger a denial of service (DoS).
InfoGuard AG researcher Luca Marcelli then demonstrated his own exploit, this time achieving remote code execution. Marcelli's exploit code has not yet been made public: he is working on a full write-up for his blog and wants to give administrators more time to install the patches. A demonstration of the exploit can be seen below.
Ladies and gentlemen, I present you a working Remote Code Execution (RCE) exploit for the Remote Desktop Gateway (CVE-2020-0609 & CVE-2020-0610). Accidentally followed a few rabbit holes but got it to work! Time to write a blog post ?
Don't forget to patch! pic.twitter.com/FekupjS6qG
– Luca Marcelli (@layle_ctf) January 26, 2020
Although attackers have not yet begun actively scanning for and attacking vulnerable servers, Shodan shows almost 20,000 of them exposed to the internet, so attacks are unlikely to be long in coming.