Patch IMMEDIATELY! - Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601)

January 14, 2020

Summary

A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates.  This vulnerability affects the Microsoft Windows 10 desktop operating system, as well as Windows Server 2016 and 2019.

Microsoft has released a security update that addresses the vulnerability by ensuring that Windows CryptoAPI completely validates ECC certificates.

Impact

An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source. The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider. 

A successful exploit could also allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on vulnerable systems. [1]  

By allowing the attacker to forge PKI certificates, the vulnerability can also allow attackers to spoof trusted entities, such as web sites or software companies, defeating trusted network connections (e.g., TLS validation) and appear to be coming from another site for phishing attacks. [2]

Vulnerable

  • Windows 10 for 32-bit Systems

  • Windows 10 for x64-based Systems

  • Windows 10 Version 1607 for 32-bit Systems

  • Windows 10 Version 1607 for x64-based Systems

  • Windows 10 Version 1709 for 32-bit Systems

  • Windows 10 Version 1709 for ARM64-based Systems

  • Windows 10 Version 1709 for x64-based Systems

  • Windows 10 Version 1803 for 32-bit Systems

  • Windows 10 Version 1803 for ARM64-based Systems

  • Windows 10 Version 1803 for x64-based Systems

  • Windows 10 Version 1809 for 32-bit Systems

  • Windows 10 Version 1809 for ARM64-based Systems

  • Windows 10 Version 1809 for x64-based Systems

  • Windows 10 Version 1903 for 32-bit Systems

  • Windows 10 Version 1903 for ARM64-based Systems

  • Windows 10 Version 1903 for x64-based Systems

  • Windows 10 Version 1909 for 32-bit Systems

  • Windows 10 Version 1909 for ARM64-based Systems

  • Windows 10 Version 1909 for x64-based Systems

  • Windows Server 2016

  • Windows Server 2016 (Server Core installation)

  • Windows Server 2019

  • Windows Server 2019 (Server Core installation)

  • Windows Server, version 1803 (Server Core Installation)

  • Windows Server, version 1903 (Server Core installation)

  • Windows Server, version 1909 (Server Core installation)

Recommendations

  • Patch vulnerable systems IMMEDIATELY.

  • System owners should prioritize patching endpoints that provide essential or broadly replied-upon services. Examples include: 

    • Windows-based web appliances, web servers, or proxies that perform TLS validation. 

    • Endpoints that host critical infrastructure (e.g. domain controllers, DNS servers, update servers, VPN servers, IPSec negotiation).

  • Prioritization should also be given to endpoints that have a high risk of exploitation. Examples include: 

    • Endpoints directly exposed to the internet. 

    • Endpoints regularly used by privileged users.

  • Notify security@berkeley.edu if you anticipate any delays in patching.

  • There are no known workarounds for this vulnerability. 

References

[1] https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601

[2] https://www.nsa.gov/News-Features/News-Stories/Article-View/Article/2056772/a-very-important-patch-tuesday/

[3] https://media.defense.gov/2020/Jan/14/2002234275/-1/-1/0/CSA-WINDOWS-10-CRYPT-LIB-20190114.PDF

[4] https://krebsonsecurity.com/2020/01/cryptic-rumblings-ahead-of-first-2020-patch-tuesday/