This content was originally published by Skybox Security and has been preserved here on tufin.com for posterity.

Over the last week, two Microsoft zero-day vulnerabilities have been reported. The first is a denial-of-service flaw in SymCrypt, the core cryptography library of the Windows operating system. The second is in Microsoft Remote Desktop and, if exploited, could allow remote RDP servers to execute arbitrary code to gain access to deleted objects.

SymCrypt: The First of Two Microsoft Zero-Day Vulnerabilities

Certificates embedded in any communication that reaches a Windows server are only as strong as the math that verifies them. That may sound rock solid, were it not for the fact that Google Project Zero bug hunter Tavis Ormandy discovered a flaw in that math on March 13. The vulnerability, if exploited, can cause the verification of certain certificates to enter an infinite loop, rendering the server unresponsive.

A server that relies on SymCrypt – including the very common IIS and Exchange Server – can be forced into this loop if it receives an email or signature carrying a certificate that it must verify. Bear in mind that this only happens if the certificate has been crafted to contain specific data patterns, like those made public this week.

The open source repository for the underlying crypto library indicates that the vulnerability has been present in some, if not all, cryptographic processing in Windows 8 and in Windows 10 as of version 1703.

This is How We Came to Learn About the SymCrypt Zero-Day

After discovering the vulnerability, Ormandy followed the customary coordinated-disclosure practice and gave Microsoft a 90-day head start before making the vulnerability public. Although Ormandy was assured that Microsoft would address the vulnerability in its scheduled June patches, the 90-day grace period expired on June 11.

The bug hunter chose to take the report and reproduction details public, as Project Zero’s disclosure policy and the automated bug-tracking system that enforces it require. However, given Microsoft’s apparent good-faith effort to find a fix, this action drew some criticism. In response to his critics, Ormandy stated that he would have extended the deadline had Microsoft promised to ship a patch within 120 days.

To date no patch has been made available, but this is likely to change in the near future: Ormandy shared on June 11 that the Microsoft Security Response Center (MSRC) had, “reached out and noted that the patch won’t ship today and wouldn’t be ready until the July release due to issues found in testing.”

The RDP Zero-Day Vulnerability Could Lead to Authentication Bypass

Microsoft Remote Desktop is a widely used built-in application that lets people use their own Windows computer as a transparent window onto another machine. Given how popular it is, the revelation that it contains a vulnerability which, when exploited, could lead to authentication bypass will raise significant concerns.

The flaw has been present in Windows 10 since version 1803. It can also be found in handle-locked client sessions within Windows Server 2019, but only when they are connected to a remote machine over RDP. The vulnerability applies whether the user locked the session manually or it was locked automatically: when the RDP client recovers from a network disconnect, Windows unlocks the session without requiring any additional authentication, either its own or from multi-factor services.

This means that a malicious actor with direct access to a Windows computer – or to its network connection – that has an ongoing RDP session can deliberately interrupt that connection, causing the RDP session to reopen with the user already logged in.
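The mechanism described above leaves a footprint a defender can look for: a session that was disconnected and then reconnected without the user going through a fresh logon. The following is an added example, not code from the original post or from Microsoft or CERT/CC. It pairs Windows Security log “session disconnected” (event ID 4779) and “session reconnected” (event ID 4778) records for the same user and session, and flags reconnects that happen within a short window or arrive from a different client address. The 4778 and 4779 event IDs are real Windows Security event IDs; the simplified key=value record format, the hostnames and the addresses are constructed for this example and are not Windows’ own log output.

```python
"""
Added example (not part of the original post): flag RDP session reconnects
that look like an interrupted connection resuming an already logged-in
session. Windows Security event 4779 = session disconnected, 4778 = session
reconnected (real event IDs). The record format below is a constructed,
simplified stand-in for the real EVTX/XML records.
"""
from datetime import datetime

# Constructed sample records: timestamp, event id, user, session, client, address.
SAMPLE_LOG = """\
2019-06-12T09:00:00 id=4779 user=alice session=RDP-Tcp#3 client=LAPTOP-A addr=10.0.0.5
2019-06-12T09:00:04 id=4778 user=alice session=RDP-Tcp#3 client=LAPTOP-A addr=10.0.0.5
2019-06-12T10:15:00 id=4779 user=bob session=RDP-Tcp#7 client=DESK-B addr=10.0.0.9
2019-06-12T10:15:02 id=4778 user=bob session=RDP-Tcp#7 client=UNKNOWN addr=10.0.0.77
2019-06-12T11:00:00 id=4779 user=carol session=RDP-Tcp#2 client=DESK-C addr=10.0.0.12
2019-06-12T11:45:00 id=4778 user=carol session=RDP-Tcp#2 client=DESK-C addr=10.0.0.12
"""


def parse_record(line):
    """Turn one constructed 'timestamp key=value ...' line into a dict."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["time"] = datetime.fromisoformat(ts)
    fields["id"] = int(fields["id"])
    return fields


def find_suspicious_reconnects(log_text, max_gap_seconds=30):
    """Return one finding per 4779 -> 4778 pair (same user and session) that
    reconnects within max_gap_seconds or comes from a different client address."""
    pending = {}   # (user, session) -> disconnect record waiting for a reconnect
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        key = (rec["user"], rec["session"])
        if rec["id"] == 4779:
            pending[key] = rec
        elif rec["id"] == 4778 and key in pending:
            disc = pending.pop(key)
            gap = int((rec["time"] - disc["time"]).total_seconds())
            reasons = []
            if gap <= max_gap_seconds:
                reasons.append("reconnect %d s after disconnect" % gap)
            if rec["addr"] != disc["addr"]:
                reasons.append("client address changed %s -> %s"
                               % (disc["addr"], rec["addr"]))
            if reasons:
                findings.append({"user": rec["user"], "session": rec["session"],
                                 "gap_seconds": gap, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_reconnects(SAMPLE_LOG):
        print(finding)
```

In the sample data, alice’s session is flagged only because of the quick reconnect, bob’s is flagged for both the quick reconnect and the changed client address, and carol’s 45-minute gap from the same address is left alone. A quick reconnect on its own is normal on flaky networks, so the address change is the stronger signal; the gap threshold is a tunable assumption, not a value taken from the post.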

How Did Microsoft Respond?

The vulnerability, tracked as CVE-2019-9510, was discovered, analyzed, and reported by the cybersecurity non-profit CERT/CC. For their part, Microsoft has investigated the scenario and determined that the vulnerability isn’t a bug. Instead, they have stated that it is a consequence of “Windows Server 2019 honoring Network Level Authentication (NLA)” – in other words, it’s a feature. Which means that a patch will not be forthcoming.

From their perspective, they believe that it’s the user and the client machine’s responsibility to manage RDP sessions. Windows just implemented RDP: in Microsoft’s eyes, their hands are clean.
