CVE-2020-0637: Remote Desktop Web Access Information Disclosure Vulnerability

Overview

Severity

Medium (CVSS 5.7)

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C

Category

Information Disclosure

Exploit Status

Not Exploited

Patch Tuesday

2020-Jan

Released

2020-01-14

EPSS Score

13.86% (percentile: 94.3%)

Description

An information disclosure vulnerability exists when Remote Desktop Web Access improperly handles credential information. An attacker who successfully exploited this vulnerability could obtain legitimate users' credentials. To exploit this vulnerability, an attacker would need access to a vulnerable server with the Remote Desktop Web Access role. The security update addresses the vulnerability by correcting how Remote Desktop Web Access handles credential information.

FAQ

What type of information could be disclosed by this vulnerability? The type of information that could be disclosed if an attacker successfully exploited this vulnerability is sensitive information.

Affected Products (10)

Windows

• Windows Server 2019
• Windows Server 2019 (Server Core installation)
• Windows Server 2016
• Windows Server 2016 (Server Core installation)
• Windows Server 2012
• Windows Server 2012 (Server Core installation)
• Windows Server 2012 R2
• Windows Server 2012 R2 (Server Core installation)

ESU

• Windows Server 2008 R2 for x64-based Systems Service Pack 1
• Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)

Security Updates (8)

• 4534273
• 4534271
• 4534310
• 4534314
• 4534283
• 4534288
• 4534297
• 4534309

Acknowledgments

<a href="https://www.linkedin.com/in/bence-bálint-47286a150">Bence Bálint</a>

Revision History

• 2020-01-14: Information published.