RDP Gateway Remote Code Execution Vulnerabilities

Threat Intelligence from DigitalXRAID’s Security Operations Centre analysts:

Remote Desktop Gateway (RDG), provides routing for Remote Desktop (RDP). Users firstly connect to the gateway for authentication. Once authentication is successful, the gateway then forwards the RDP traffic to the address specified by the user. Therefore, only the gateway will be exposed to the internet, minimising the chance of the RDP servers being targeted for attack.

In the January 2020 security update, Microsoft addressed two vulnerabilities in remote desktop gateway (RDG). Both bugs, CVE-2020-0609 and CVE-2020-0610, allow for pre-authentication remote code execution.

The vulnerability affects Remote Desktop Gateway on Windows Server (2012, 2012 R2, 2016, and 2019) devices.

These vulnerabilities can be exploited by attackers without any user interaction [and] if successful an attacker can execute arbitrary code on the target system.

Mitigations

It is essential that you apply the latest Windows security updates to the applicable devices, you can navigate to https://support.microsoft.com/en-gb/help/4027667/windows-10-update to find out more. If, for whatever reason you are unable to install this patch, there is still a method to prevent the exploitation of these vulnerabilities. RDG supports three protocols: HTTP, HTTPS, and UDP. The vulnerabilities mentioned only exist in the code responsible for handling UDP protocols. By disabling UDP Transport or firewalling the UDP port (usually port 3391) it is possible to protect your devices from these vulnerabilities.