Skip to the content.

DIVD-2020-00003 - Microsoft RDP Gateway vulnerable for Bluegate RCE

Our reference DIVD-2020-00003
Case lead Barry van Kampen
Researcher(s)
CVE(s)
Product Microsoft Windows Server 2012, 2012R2, 2016 and 2019 with Remote Desktop Gateway
Versions Microsoft Windows Server 2012, 2012R2, 2016 and 2019
Recommendation Apply patches of Patch Tuesday January 2020
Patch status Available
Workaround Superceeded by patches
Status Closed
Last modified 12 Aug 2022 11:21 CEST

English below

Update 3-9-2020 21:12 Case Closed

Gezien de kleine hoeveelheid IP adressen die nog kwetsbaar zijn gaan we deze case afsluiten.

Update 3-2-2020 11:40

Op 3-2 hebben we opnieuw meldingen verstuurd over kwetsbare systemen. Wij hebben nog 281 kwetsbare systemen geidentificeerd.

NL results of vulnerable Remote Desktop Gateway systems

Samenvatting

In onze scans zijn er ruim 16.000 kwetsbare Microsoft RDP Gateway servers online gevonden, 1.137 van deze systemen staan in Nederland.

Inmiddels is er een Proof of Concept van de exploit uit, waarbij een aanvaller in staat is een systeem over te nemen.

Er is een grote waarschijnlijkheid dat de kwetsbaarheid misbruikt gaat worden door kwaadwillenden.

Wat kunt u doen?

We raden iedereen aan de volgende overweging te maken:

Wat doen wij?

Wij zijn op dit moment bezig de lijst met kwetsbare systemen te verwerken en gaan daarna proberen alle partijen in te lichten.

Timeline

Date Description
14-1-2020 Microsoft Patch Tuesday publiceert patches voor kwetsbaarheden CVE-2020-0609 en CVE-2020-0610
27-1-2020 POC waarmee systeem kan worden overgenomen aangekondigd
27-1-2020 Er wordt gestart met informeren van Nederlandse systeemeigenaren
28-1-2020 Schrijver van de POC kondigt aan dat er meer informatie volgt
29-1-2020 Advies voor herstarten toegevoegd
3-2-2020 Nieuwe ronde notificaties, nog 281 hosts kwetsbaar
9-3-2020 Case Closed
gantt title DIVD-2020-00003 - Microsoft RDP Gateway vulnerable for Bluegate RCE dateFormat YYYY-MM-DD axisFormat %e %b %Y section Case DIVD-2020-00003 - Microsoft RDP Gateway vulnerable for Bluegate RCE (42 days) :2020-01-27, 2020-03-09 section Events Microsoft Patch Tuesday announced fixes for vulnerabilities {% cve CVE-2020-0609 %} and {% cve CVE-2020-0610 %} : milestone, 2020-01-14, 0d POC for RCE is announced : milestone, 2020-01-27, 0d Start informing Dutch vulnerable system owners : milestone, 2020-01-27, 0d POC owner announces more information soon : milestone, 2020-01-28, 0d Added advice to restart after patching : milestone, 2020-01-29, 0d Sent notifications for hosts still vulnerable, 281 hosts left : milestone, 2020-02-03, 0d Case Closed : milestone, 2020-03-09, 0d

A picture of a a blue and red gate in the sea


English

Update 9-3-2020 21:12

Considering the low amount of vulnerable IP addresses coming from our scans, we deciced to close this case.

Update 3-2-2020 11:40

On 3-2 we sent new notifications for hosts that are still vulnerable, 281 hosts left.

NL results of vulnerable Remote Desktop Gateway systems

Summary

Scans showed 16.000 vulnerable systems online, 1.137 of these systems are Dutch.

Since a POC video has been released we are assuming others with bad intentions are able to reproduce the POC as well.

There is a high chance systems will be attacked shortly.

What you can do

We recommend taking these steps:

What we are doing

We are currently processing the list of vulnerable RDP Gateway servers identified in our scan and will try to inform all affected parties.

Timeline

Date Description
14 Jan 2020 Microsoft Patch Tuesday announced fixes for vulnerabilities {% cve CVE-2020-0609 %} and {% cve CVE-2020-0610 %}
27 Jan 2020 POC for RCE is announced
27 Jan 2020 Start informing Dutch vulnerable system owners
28 Jan 2020 POC owner announces more information soon
29 Jan 2020 Added advice to restart after patching
03 Feb 2020 Sent notifications for hosts still vulnerable, 281 hosts left
09 Mar 2020 Case Closed
gantt title DIVD-2020-00003 - Microsoft RDP Gateway vulnerable for Bluegate RCE dateFormat YYYY-MM-DD axisFormat %e %b %Y section Case DIVD-2020-00003 - Microsoft RDP Gateway vulnerable for Bluegate RCE (42 days) :2020-01-27, 2020-03-09 section Events Microsoft Patch Tuesday announced fixes for vulnerabilities {% cve CVE-2020-0609 %} and {% cve CVE-2020-0610 %} : milestone, 2020-01-14, 0d POC for RCE is announced : milestone, 2020-01-27, 0d Start informing Dutch vulnerable system owners : milestone, 2020-01-27, 0d POC owner announces more information soon : milestone, 2020-01-28, 0d Added advice to restart after patching : milestone, 2020-01-29, 0d Sent notifications for hosts still vulnerable, 281 hosts left : milestone, 2020-02-03, 0d Case Closed : milestone, 2020-03-09, 0d

Graph of vulnerable hosts in The Netherlands