A small security note for administrators running Windows (Essentials) Server 2012 and Windows Server 2016/2019 with the Remote Desktop Gateway role enabled. If users can reach the server on ports 443 and 3389, read the following notes on the RCE vulnerability CVE-2020-0609.
CVE-2020-0609 in Windows Server
I became aware of the topic through a tweet from Woody Leonhard. Susan Bradley, who works as an admin, immediately recognized the significance of the CVE-2020-0609 vulnerability.
— Woody Leonhard (@AskWoody) January 15, 2020
Susan Bradley writes about Essentials 2012 Server and higher – but according to Microsoft it concerns Windows Server 2012 and higher. Microsoft has issued the security advisory CVE-2020-0609 | Windows Remote Desktop Gateway (RD Gateway) Remote Code Execution Vulnerability:
A remote code execution vulnerability exists in Windows Remote Desktop Gateway (RD Gateway) when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
To exploit this vulnerability, an attacker would need to send a specially crafted request to the target system's RD Gateway via RDP.
The update addresses the vulnerability by correcting how RD Gateway handles connection requests.
Microsoft has released security updates for the affected server versions to close the vulnerability.
- Windows Server 2012: KB4534283 (Monthly Rollup), KB4534288 (Security-only)
- Windows Server 2012 R2: KB4534297 (Monthly Rollup), KB4534309 (Security-only)
- Windows Server 2016: KB4534271 (Cumulative Update)
- Windows Server 2019: KB4534273 (Cumulative Update)
These updates patch the vulnerability – but read the instructions in the Known Issues sections of the KB articles first. Windows Server 2008/R2, which reached the end of support on Jan 14, 2020, and Small Business Server 2011 are not affected by this vulnerability.
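To check a server against the list above, here is an added PowerShell example (not from Microsoft or the original post) that reports whether the RD Gateway role is installed and whether one of the listed KBs is present. It assumes an elevated session on the server itself; the function name `Get-RdGatewayPatchStatus` is hypothetical.

```powershell
# Added example: audit the local server for the RD Gateway role and the KBs listed above.
Import-Module ServerManager

# KBs from this page, keyed by the prefix of Win32_OperatingSystem.Version.
$FixesByOs = [ordered]@{
    '6.2'        = @{ Name = 'Windows Server 2012';    KBs = @('KB4534283', 'KB4534288') }
    '6.3'        = @{ Name = 'Windows Server 2012 R2'; KBs = @('KB4534297', 'KB4534309') }
    '10.0.14393' = @{ Name = 'Windows Server 2016';    KBs = @('KB4534271') }
    '10.0.17763' = @{ Name = 'Windows Server 2019';    KBs = @('KB4534273') }
}

function Get-RdGatewayPatchStatus {
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $key = $FixesByOs.Keys | Where-Object { $os.Version -like "$_*" } | Select-Object -First 1

    $result = [ordered]@{
        Computer    = $env:COMPUTERNAME
        OsVersion   = $os.Version
        RoleFound   = $false
        KbInstalled = @()
        Assessment  = ''
    }

    if (-not $key) {
        $result.Assessment = 'OS version is not in the list of affected releases on this page'
        return [pscustomobject]$result
    }

    # RDS-Gateway is the Windows feature name of the Remote Desktop Gateway role service.
    $role = Get-WindowsFeature -Name 'RDS-Gateway'
    $result.RoleFound = [bool]$role.Installed

    # Get-HotFix only lists updates recorded under their own KB number.
    $found = Get-HotFix -Id $FixesByOs[$key].KBs -ErrorAction SilentlyContinue
    $result.KbInstalled = @($found | Select-Object -ExpandProperty HotFixID)

    $result.Assessment =
        if (-not $result.RoleFound)      { 'RD Gateway role not installed' }
        elseif ($result.KbInstalled)     { 'Listed update installed' }
        else { 'Listed KB not found: confirm a later rollup or cumulative update is installed' }

    [pscustomobject]$result
}

Get-RdGatewayPatchStatus | Format-List
```

A missing KB is not proof of exposure: Monthly Rollups and Cumulative Updates are cumulative, so a server patched after January 2020 may show only a newer KB number.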