This report is about a recently disclosed vulnerability found in various Microsoft products known as CVE-2020-0601 (CVE stands for Common Vulnerabilities and Exposures). The vulnerability stems from a component in Windows called Crypt32.dll which handles the code signing of certificate information. The vulnerability isn’t currently being exploited or scanned for in the wild, but a proof of concept exploit has been published.
Updates are available for the affected operating systems.
What are the Operating System/Software Versions Impacted?
- Windows 10 (all versions)
- Windows Server 2016 (all versions)
- Windows Server 2019 (all versions)
- Can affect any application that relies on Windows trust validation such as web servers, proxies, etc.
An update from Windows is currently available for this vulnerability. While it may take time for your organization to test the patch, you are strongly encouraged to apply the update to avoid any future compromise.
Note: this vulnerability was disclosed by the National Security Agency (NSA).
Tactics, Techniques, and Procedures
The vulnerability is caused by the incorrect handling of the verification process used for ECC (Eleptic Curve Cryptography) within the CryptoAPI in Windows. Not all the ECC parameters are checked properly giving bad actors an opportunity to supply the generator value. The generator value is used validate any certificate against a trusted certificate authority (CA). Successful exploitation of this vulnerability allows bad actors the ability to render TLS/SSL trust within Windows useless and may provide the opportunity for remote code execution under the right conditions.
Abuse of this vulnerability could result in a Man-in-the-Middle (MiTM) attack where critical communications can be decrypted. The following areas can be impacted by this vulnerability:
- Connections over HTTPS
- Signed files and emails
- Executables with signed code getting launched as user-mode processes
- Use the Microsoft advisory link below to download the patch for this vulnerability
- Be on the look out for suspicious SSL/TLS connections using TLS inspection mechanisms in security appliances
- Ensure your security appliances reject untrusted TLS certificates in your environment
- Subscribe to the Microsoft Technical Security Notification system to stay up to date on security issues affecting Microsoft products
- Utilize the Snort rule available to help detect any exploitation attempts (see link below)
Microsoft Technical Security Notifications: https://www.microsoft.com/en-us/msrc/technical-security-notifications
Exploit Proof of Concept: https://github.com/ollypwn/cve-2020-0601
CVE Mitre: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0601
SANS Blog Post: https://isc.sans.edu/forums/diary/CVE20200601+Followup/25714/
Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report will outline a “top-of-mind” threat and how it ought to be addressed accordingly.
This informed analysis is based on the latest data available.
Contact us for more information about Avertium’s managed detection and response service capabilities.