AttackerKB AKB:2BE026D9-8BBE-4AC7-A176-A931F6B45750
History: Feb 24, 2020 - 12:00 a.m.

Windows Remote Desktop Gateway RCE (CVE-2020-0609)

2020-02-24 00:00:00
attackerkb.com
30

CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 10 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.375 Low
Percentile: 96.7%

A remote code execution vulnerability exists in Windows Remote Desktop Gateway (RD Gateway) when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

To exploit this vulnerability, an attacker would need to send a specially crafted request to the target system's RD Gateway via RDP.

The update addresses the vulnerability by correcting how RD Gateway handles connection requests.

(Description copy-pasted entirely from Microsoft's CVE description)

Recent assessments:

todb-r7 at January 14, 2020 8:46pm UTC reported:

First, note that this vuln is in RDP Gateway, not RDP Server, and those are different things. RDGateway is less common than plain ol' RDP Server, but my guess is that it is designed to be deployed right smack on the internet, where we tend to advise people against deploying RDP Server on the internet (people do anyway, but thats-none-of-my-business.jpg).

Anyway, because it's RD Gateway, the maintainers of such servers probably are already aware that they need to keep up on their patches in the same way a typical IIS administrator does, so I'm not super worried about this bug — but it all depends on timely patches. Getting root on an RD Gateway server would be super useful for all sorts of internet crime, and this is an ideal sort of vulnerability for just that — pre-auth, on first connection.

busterb at February 24, 2020 4:00pm UTC reported:


Assessed Attacker Value: 5
Assessed Attacker Value: 5
Assessed Attacker Value: 4
