PoC Exploits Created for Recently Patched ‘BlueGate’ Windows Server Flaws
Proof-of-concept (PoC) exploits have been released for two recently patched Remote Desktop Gateway vulnerabilities that can be exploited for remote code execution.
Remote Desktop Gateway (RD Gateway) is a Windows Server component previously known as Terminal Services Gateway. The use of RD Gateway, which provides RDP routing, should reduce the attack surface as organizations don’t have to directly expose their RDP servers to the internet. Remote users connect to the gateway, which forwards RDP traffic to the desired address.
However, Microsoft researchers discovered that RD Gateway is affected by two critical memory corruption vulnerabilities that can be exploited by a remote, unauthenticated attacker to execute arbitrary code by sending specially crafted requests to the targeted system via RDP. No user interaction is required for exploitation.
The flaws, tracked as CVE-2020-0610 and CVE-2020-0609, affect Windows Server 2012, 2016 and 2019. Microsoft patched them with its January 2020 security updates, which the company released on January 14.
A technical analysis of the vulnerabilities was published just a few days later by researcher Marcus Hutchins and several PoC exploits have now been created.
Hutchins, aka MalwareTech, has made public the source code for a scanner that allows users to check if their servers are vulnerable.
A Denmark-based researcher who uses the online moniker Ollypwn has released a PoC exploit that uses CVE-2020-0609 and CVE-2020-0610 to cause a denial-of-service (DoS) condition. Ollypwn named the vulnerabilities BlueGate.
Researcher Luca Marcelli says he has created a working PoC that achieves remote code execution, but he has yet to make his exploit public. The expert will soon publish a blog post describing his work.
In his own blog post, Hutchins explained that the vulnerabilities affect the RD Gateway code responsible for handling UDP. RD Gateway also supports HTTP and HTTPS transports, so for users who cannot immediately install Microsoft’s patches, disabling the UDP transport or firewalling the associated UDP port should be enough to prevent exploitation.
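The workaround described above, as an added example that is not from the article or from any of the researchers named in it. It assumes the RD Gateway UDP transport is on its default port, UDP 3391 (an assumption; verify the configured port in RD Gateway Manager under Properties > Transport Settings), and uses Windows Defender Firewall cmdlets to block that port on the gateway host itself while the HTTPS transport on TCP 443 keeps working:

```powershell
# Added example (not the article's or the researchers' code): temporary mitigation
# for an RD Gateway host that cannot yet take the January 2020 patches.
# Run in an elevated PowerShell session on the RD Gateway server.

$UdpPort = 3391   # assumed default RD Gateway UDP transport port; adjust if changed

# 1. Confirm whether the gateway is currently accepting UDP on that port.
$listener = Get-NetUDPEndpoint -LocalPort $UdpPort -ErrorAction SilentlyContinue
if ($listener) {
    Write-Host "RD Gateway UDP transport is listening on UDP/$UdpPort"
} else {
    Write-Host "No UDP listener on $UdpPort; UDP transport may already be disabled"
}

# 2. Block inbound UDP to that port. The HTTPS transport (TCP 443) is untouched,
#    so RDP clients still reach the gateway, just without the UDP side channel.
$ruleName = 'Block RD Gateway UDP transport (CVE-2020-0609/0610 workaround)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Inbound -Protocol UDP -LocalPort $UdpPort `
        -Action Block -Profile Any | Out-Null
}

# 3. Verify the rule exists, is enabled, and is a Block action.
Get-NetFirewallRule -DisplayName $ruleName |
    Select-Object DisplayName, Enabled, Direction, Action
```

The host firewall rule is a stopgap: an upstream network firewall that drops UDP/3391 from the internet gives the same protection without relying on the vulnerable host, and the rule should be removed once the patch is installed and verified so that UDP transport can be re-enabled.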
It’s important that users take measures to prevent exploitation of these vulnerabilities since RDP-related weaknesses can be a tempting target for malicious actors. For example, hackers started exploiting the Windows Remote Desktop Services (RDS) vulnerability tracked as BlueKeep several months after Microsoft released a patch.