Barry van Kampen
Case file: DIVD-2020-00003
14 January 2020 – ‘Patch Tuesday’ – Microsoft published two patches for a vulnerability in Windows Remote Desktop Gateway. Microsoft researchers discovered that the RD Gateway had two memory corruption vulnerabilities (CVE-2020-0609 and CVE-2020-0610).
Remote Desktop Gateway is a Window Server component that provides RDP routing, Remote users can connect to the gateway to forward RDP traffic to the desired address. Rather than connecting directly to a RDP server, users connect and authenticate to the gateway. The idea is that only the gateway needs to be exposed to the internet.
The Remote Desktop Gateway supports HTTP, HTTPS, and UDP. An analysis of the patch showed that a function was modified in the UDP-protocol. The RDG-UDP protocol splits large messages in multiple UDP packets. These packets can arrive out of order. The job of the function is to ensure each packet ends up in the right place. The implementation of this function however contains an exploitable bug. It’s possible to write data after the end of the buffer in a more flexible way than a typical heap buffer overflow. Misuse of the vulnerability can lead to unavailability (Denial of Service) and the ability to execute arbitrary code on the system (RCE, Remote Command Execution).
24 January a scan by DIVD found about 1.137 vulnerable Dutch systems, of a total of about 16000 worldwide. 26 January a researcher (Ollypwn) published a working RCE-exploit for the vulnerabilities. It was suspected that it was already known to malicious parties. The next day the DIVD started to inform Dutch system administrators about this vulnerability.
A lot of system administrators responded with surprise that their systems were flagged as vulnerable because they already had patched their systems. After some additional DIVD-research, it was found that a reboot, or at least a restart of the Windows service was necessary to activate the patch. The DIVD discussed this issue with Microsoft.
It may be good to note that if it is impossible to install a patch, there is an easy way out by disabling UDP-transport, or firewalling the UDP port (usually port 3391).