Urgent Patching Required for Windows Server Flaws Now That PoC Exploits Have Been Published

On January 2020 Patch Tuesday (January 14, 2020), Microsoft released patches to address two vulnerabilities in Remote Desktop Gateway (RD Gateway) that affect Windows Server 2012, 2016, and 2019. The vulnerabilities have been collectively named BlueGate.

Exploitation of the vulnerabilities could lead to remote code execution. Microsoft recommended prompt patching to correct the flaws, and the urgency has since increased as several proof-of-concept exploits for the vulnerabilities have been published.

RD Gateway is a security feature that helps Windows users reduce the risk of RDP attacks. Rather than exposing their RDP servers directly to the internet, organizations have remote users connect to RD Gateway, which forwards the traffic to the correct internal address. However, the two memory corruption vulnerabilities – tracked as CVE-2020-0609 and CVE-2020-0610 – allow this security feature to be bypassed. No user interaction is required to exploit the flaws.

A remote attacker could send a specially crafted request to a targeted system via RDP, bypass authentication, and exploit the vulnerabilities. Successful exploitation would allow the execution of arbitrary code.

Businesses using one of the vulnerable Windows Server versions should apply the patches as soon as possible to prevent exploitation. At the time of writing there have been no known cyberattacks exploiting the vulnerabilities, but that is not likely to remain the case for long.

A proof-of-concept scanner has been developed by security researcher MalwareTech, aka Marcus Hutchins, which can be used to check an RD Gateway server to determine whether the vulnerabilities have been patched. The source code for the scanner has been published on GitHub. Hutchins has also proposed a potential workaround on his blog to prevent exploitation of the flaws if the patches cannot be applied immediately: disabling UDP or firewalling the associated UDP port.
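One way to apply the firewalling half of that workaround on the gateway host itself, as an added example that is not from the article or from Hutchins' blog: it assumes the RD Gateway UDP transport is still on its default port (3391) and that the session is elevated.

```powershell
# Added example (not from the article): emergency mitigation on an RD Gateway host
# when the January 2020 patches cannot be applied immediately. Blocks inbound UDP on
# the RD Gateway UDP transport port until the host is patched.
# Assumption: the UDP transport port was left at its default of 3391.

$UdpPort = 3391

# Record whether the UDP transport is currently listening, for the change record.
$listener = Get-NetUDPEndpoint -LocalPort $UdpPort -ErrorAction SilentlyContinue
if ($listener) {
    Write-Host "RD Gateway UDP transport is listening on UDP/$UdpPort"
} else {
    Write-Host "Nothing is listening on UDP/$UdpPort (port may be customised or UDP already disabled)"
}

# Create the block rule only if it does not already exist, so re-running is harmless.
$ruleName = 'Block RD Gateway UDP transport (BlueGate mitigation)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Inbound -Protocol UDP -LocalPort $UdpPort `
        -Action Block -Profile Any -Enabled True | Out-Null
}

# Verify the rule is present, enabled and set to block before closing the change.
Get-NetFirewallRule -DisplayName $ruleName |
    Select-Object DisplayName, Enabled, Direction, Action
```

With UDP blocked, RD Gateway clients fall back to the HTTPS (TCP) transport, so remote access keeps working with reduced performance; remove the rule once the patch is installed and verified.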

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news