This report is about a recently disclosed vulnerability found in various Microsoft products known as CVE-2020-0601 (CVE stands for Common Vulnerabilities and Exposures). The vulnerability stems from a component in Windows called Crypt32.dll which handles the code signing of certificate information. The vulnerability isn’t currently being exploited or scanned for in the wild, but a proof of concept exploit has been published.
Updates are available for the affected operating systems.
What are the Operating System/Software Versions Impacted?
An update from Windows is currently available for this vulnerability. While it may take time for your organization to test the patch, you are strongly encouraged to apply the update to avoid any future compromise.
Note: this vulnerability was disclosed by the National Security Agency (NSA).
The vulnerability is caused by the incorrect handling of the verification process used for ECC (Eleptic Curve Cryptography) within the CryptoAPI in Windows. Not all the ECC parameters are checked properly giving bad actors an opportunity to supply the generator value. The generator value is used to validate any certificate against a trusted certificate authority (CA). Successful exploitation of this vulnerability allows bad actors the ability to render TLS/SSL trust within Windows useless and may provide the opportunity for remote code execution under the right conditions.
Abuse of this vulnerability could result in a Man-in-the-Middle (MiTM) attack where critical communications can be decrypted. The following areas can be impacted by this vulnerability:
Microsoft Links:
Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601
Microsoft Technical Security Notifications: https://www.microsoft.com/en-us/msrc/technical-security-notifications
Supporting Documentation:
CVE Mitre: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0601
SANS Blog Post: https://isc.sans.edu/forums/diary/CVE20200601+Followup/25714/
NSA Advisory: https://media.defense.gov/2020/Jan/14/2002234275/-1/-1/0/CSA-WINDOWS-10-CRYPT-LIB-20190114.PDF
Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report will outline a “top-of-mind” threat and how it ought to be addressed accordingly.
This informed analysis is based on the latest data available.
Contact us for more information about Avertium’s managed detection and response service capabilities.