Attacker Value: Very High (2 users assessed)
Exploitability: High (2 users assessed)
User Interaction: Unknown
Privileges Required: Unknown
Attack Vector: Unknown

Windows Remote Desktop Gateway RCE (CVE-2020-0609)

Last updated February 24, 2020

Description

A remote code execution vulnerability exists in Windows Remote Desktop Gateway (RD Gateway) when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

To exploit this vulnerability, an attacker would need to send a specially crafted request to the target system's RD Gateway via RDP.

The update addresses the vulnerability by correcting how RD Gateway handles connection requests.

(Description copy-pasted entirely from Microsoft’s CVE description)


2
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

First, note that this vuln is in RDP Gateway, not RDP Server, and those are different things. RD Gateway is less common than plain ol’ RDP Server, but my guess is that it is designed to be deployed right smack on the internet, where we tend to advise people against deploying RDP Server on the internet (people do anyway, but thats-none-of-my-business.jpg).

Anyway, because it’s RD Gateway, the maintainers of such servers probably are already aware that they need to keep up on their patches in the same way a typical IIS administrator does, so I’m not super worried about this bug — but it all depends on timely patches. Getting root on an RD Gateway server would be super useful for all sorts of internet crime, and this is an ideal sort of vulnerability for just that — pre-auth, on first connection.

2
Ratings
Technical Analysis

This is enabled by default in 2012 servers. It seems some folks have gotten RCE with this, though there are no public exploits. Further research may show this as being easier than it is at first assessment. https://social.technet.microsoft.com/wiki/contents/articles/10973.configuring-udp-support-on-the-rd-gateway-in-windows-server-2012.aspx
