Two New Microsoft Zero-Day Vulnerabilities Revealed in One Week
SkyBox Blog Team, June 15, 2019
Over the last week, a couple of Microsoft zero-day vulnerabilities have been reported. The first is a denial-of-service flaw which lives in SymCrypt, the main cryptography library for the Windows operating system. The second exists in Microsoft Remote Desktop and, if exploited, could allow remote RDP servers to execute arbitrary code to gain access to deleted objects.
SymCrypt: The First of Two Microsoft Zero-Day Vulnerabilities
Certificates embedded in any communication that reaches a Windows server are only as strong as the math that verifies them. That may sound rock solid, were it not for the fact that Google Project Zero bug finder Tavis Ormandy discovered a flaw in that math on March 13. If exploited, the vulnerability can cause the verification of certain certificates to enter an infinite loop, rendering the server unresponsive.
A server that relies on SymCrypt – including the very common IIS and Exchange Server – can be forced into this loop if it receives an email or signature carrying a certificate that it then verifies. Bear in mind that this only happens if the certificate has been crafted to contain specific data patterns like those made public this week.
The open source repository for the underlying crypto library reports that the vulnerability has been present for some, if not all, cryptographic processing in Windows 8 and in Windows 10 as of version 1703.
This is How We Came to Learn About the SymCrypt Zero-Day
After Ormandy discovered the vulnerability, he maintained the professional-collaborative convention by giving Microsoft a 90-day head start before making a public disclosure about the vulnerability. Although Ormandy was assured that Microsoft would address the vulnerability in its scheduled June patches, the 90-day grace period passed on June 11.
I noticed a bug in SymCrypt, the core library that handles all crypto on Windows. It's a DoS, but this means basically anything that does crypto in Windows can be deadlocked (s/mime, authenticode, ipsec, iis, everything). Microsoft committed to fixing it in 90 days, then didn't.
— Tavis Ormandy (@taviso) June 11, 2019
The bug finder chose to take the report and reproduction details public; doing so is part of Project Zero’s disclosure policy and the automated bug management system that enforces it. However, given Microsoft’s apparent good-faith effort to find a fix, this action drew some criticism. In response to his critics, Ormandy stated that he would have extended the deadline had Microsoft promised to ship a patch within 120 days.
To date no patch has been made available, but this is likely to change in the near future: Ormandy shared on June 11 that the Microsoft Security Response Center (MSRC) had, “reached out and noted that the patch won’t ship today and wouldn’t be ready until the July release due to issues found in testing.”
The RDP Zero-Day Vulnerability Could Lead to Authentication Bypass
Microsoft Remote Desktop is a widely used built-in application that lets users control another machine from their own Windows computer, as if the local screen were a transparent overlay for the remote one. Considering how popular it is, the revelation that it contains a vulnerability which, when exploited, could lead to authentication bypass will raise some significant concerns.
The flaw has been present in Windows 10 since version 1803. It can also be found in handle-locked client sessions within Windows Server 2019, but only when they are connected to a remote machine over RDP. The vulnerability applies whether the user has locked the session or it has been locked automatically. When recovering from a network disconnect, Windows unlocks the session without requiring any additional authentication, either on its own or from multi-factor services.
This means that a malicious actor with direct access to a Windows computer – or its network connection – that has an ongoing RDP session can proactively interrupt its connection to trigger the reopening of the RDP session with the user already logged in.
How Did Microsoft Respond?
The vulnerability, designated CVE-2019-9510, was discovered, analyzed, and reported by the cybersecurity non-profit CERT/CC. For its part, Microsoft has investigated the scenario and determined that the vulnerability isn’t a bug. Instead, the company has said that it is part of “Windows Server 2019 honoring Network Level Authentication (NLA)” – in other words, it’s a feature. This means that a patch will not be forthcoming.
From their perspective, they believe that it’s the user and the client machine’s responsibility to manage RDP sessions. Windows just implemented RDP: in Microsoft’s eyes, their hands are clean.
How Should Skybox Customers Manage the Microsoft Zero-Day Vulnerabilities?
The SymCrypt vulnerability is the more concerning of the two. There is currently no available patch – when this changes, the Skybox Vulnerability Dictionary will be updated. Until then, it’s recommended to block network access to the host at the relevant port by adding an access rule to the firewall(s). Additionally, if the service isn’t integral to your operations, you could remove it or shut it down. Or, alternatively, you could shield the vulnerability by enabling an IPS signature, if available.
The RDP vulnerability has a high CVSS score, but this should be taken with a pinch of salt. Although the consequences of an exploit are severe, there are a lot of hurdles for the attacker to jump over to get there: they need physical access to the machine, and they have a potentially very short window of time in which to act. This means that the best way to prevent an attack is to protect against the physical misuse of your organization’s systems. Additionally, CERT/CC has suggested either disconnecting Remote Desktop sessions instead of pausing them, or disabling the automatic reconnection feature in Local Group Policy settings.
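The following PowerShell is an added example, not code from the Skybox post or from CERT/CC, that audits and applies the second of the CERT/CC workarounds on a single host: disabling RDP automatic reconnection. It assumes that the Group Policy setting “Automatic reconnection” (Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections) is backed by the policy registry value fDisableAutoReconnect under the Terminal Services policy key; verify that mapping in gpedit.msc on your own build before relying on it. The function names are hypothetical and the script must be run from an elevated session.

```powershell
# Added example (not from the Skybox post or CERT/CC): audit and apply the
# "disable automatic reconnection" workaround for CVE-2019-9510 on a
# Windows 10 / Windows Server 2019 host. Run in an elevated PowerShell session.
#
# Assumption: the Group Policy "Automatic reconnection" is stored as the
# DWORD fDisableAutoReconnect = 1 under the policy key below. Confirm in
# gpedit.msc for your environment.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$ValueName = 'fDisableAutoReconnect'

function Get-RdpAutoReconnectState {
    # Returns 'Disabled' when the policy value is present and set to 1,
    # 'Enabled' otherwise (the Windows default is to allow reconnection).
    $current = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -ne $current -and $current.$ValueName -eq 1) { return 'Disabled' }
    return 'Enabled'
}

function Disable-RdpAutoReconnect {
    # Creates the policy key if it does not exist and sets the DWORD.
    # Idempotent: re-running it leaves an already-hardened host unchanged.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name $ValueName -Value 1 -Type DWord
}

Write-Host "Before: automatic reconnection is $(Get-RdpAutoReconnectState)"
if ((Get-RdpAutoReconnectState) -eq 'Enabled') {
    Disable-RdpAutoReconnect
}
Write-Host "After:  automatic reconnection is $(Get-RdpAutoReconnectState)"

# Supporting check for the first workaround: list sessions that are in the
# Disconnected ("Disc") state rather than merely locked. A disconnected
# session must pass NLA again when it is resumed, which is the behaviour
# CERT/CC recommends relying on.
query session 2>$null | Select-String -Pattern '\bDisc\b'
```

In a domain, set the same policy through a GPO rather than editing the local registry, since a domain policy will overwrite a local value on the next refresh. The `query session` line is only a visibility aid: it shows which sessions are already in the safer disconnected state, so an administrator can see where users are still relying on a lock instead of a disconnect.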