Bad Actors Tipped off by the NSA?



CVE-2020-0601 Spoofing Vulnerability in Windows CryptoAPI

The new year is upon us and Microsoft has slammed the industry with the disclosure of CVE-2020-0601, a highly critical flaw in the cryptographic library for Windows. The patch was first passed off secretly to the U.S. military branches under signed Non-Disclosure Agreements until patches were released on January 14th (Patch Tuesday). However, as we all know, nothing remains a secret very long. Surprisingly, a Senior Vulnerability Analyst with CERT was the first to leak an innuendo that led to the early release of information.

On January 13th, Will Dormann, senior vulnerability analyst with CERT, commented in a tweet that people should pay close attention to the updates this month.

Shortly after that, Brian Krebs, an investigative journalist, tweeted a warning about “an extraordinarily scary flaw in all Windows versions”.

On January 14th, Brian Krebs tweeted out a comment from the NSA’s Director of Cybersecurity affirming that the flaw only affects Windows 10 and Windows Server 2016, making trust vulnerable. This is not all-inclusive, as Microsoft also lists Server 2019 as vulnerable to the flaw.

Summary

CVE-2020-0601 is a spoofing vulnerability in crypt32.dll, a core cryptographic module in Microsoft Windows responsible for implementing certificate and cryptographic messaging functions in Microsoft’s CryptoAPI.
According to the NSA (credited with the discovery of this vulnerability), successful exploitation of this vulnerability would allow attackers to deliver malicious code that appears to be from a trusted entity. The analysis notes some examples of where validation of trust would be impacted:

  • HTTPS connections
  • Signed files and emails
  • Signed executable code launched as user-mode processes

Because CVE-2020-0601 reportedly bypasses Windows’ capability to verify cryptographic trust, an attacker could pass malicious applications off as legitimate, trusted code, putting Windows hosts at risk. An attacker would need to compromise a system in another fashion to deploy malware that exploits this vulnerability. They would likely either use common phishing tactics to trick a trusted user into interacting with a malicious application or use a man-in-the-middle attack through another compromised device in the environment to spoof an intercepted update and replace it with malware.

Microsoft has stated that they’ve seen no active exploitation of this vulnerability so far. However, the vulnerability is labeled as ‘Exploitation More Likely’.
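The mechanism behind the spoofing, which the post does not go into, is that crypt32.dll accepted ECC certificates carrying explicitly specified curve parameters in place of a named curve and matched them against a trusted CA's public key. As an added example (not from the original post), here is a stdlib-only Python check that walks a DER certificate down to its SubjectPublicKeyInfo and classifies the EC parameters, so a defender can sweep a certificate store export or captured TLS certificates for the 'explicit' shape; `fake_cert` and `EXPLICIT_PARAMS` are constructed, unsigned skeletons used only to exercise the check, not real certificates.

```python
ID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")  # OID 1.2.840.10045.2.1 (id-ecPublicKey)
SECP256R1 = bytes.fromhex("2a8648ce3d030107")  # OID 1.2.840.10045.3.1.7, a named curve

def der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV with a short- or long-form length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def children(body: bytes) -> list:
    """Split the body of a DER SEQUENCE into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(body):
        tag, ln, pos = body[pos], body[pos + 1], pos + 2
        if ln & 0x80:  # long form: low 7 bits give the number of length bytes
            k = ln & 0x7F
            ln, pos = int.from_bytes(body[pos:pos + k], "big"), pos + k
        out.append((tag, body[pos:pos + ln]))
        pos += ln
    return out

def ec_params_kind(cert_der: bytes) -> str:
    """Return 'named', 'explicit', 'implicit' or 'not-ec' for the certificate's key."""
    cert = children(children(cert_der)[0][1])  # [tbsCertificate, signatureAlgorithm, signature]
    tbs = children(cert[0][1])
    if tbs[0][0] == 0xA0:  # optional [0] EXPLICIT version
        tbs = tbs[1:]
    spki = children(tbs[5][1])  # serial, sigAlg, issuer, validity, subject, subjectPublicKeyInfo
    alg = children(spki[0][1])  # AlgorithmIdentifier { algorithm OID, parameters }
    if alg[0][1] != ID_EC_PUBLIC_KEY:
        return "not-ec"
    if len(alg) < 2 or alg[1][0] == 0x05:  # absent or NULL parameters -> implicitlyCA
        return "implicit"
    return "named" if alg[1][0] == 0x06 else "explicit"  # OID = namedCurve, SEQUENCE = ECParameters

def fake_cert(params: bytes, key_oid: bytes = ID_EC_PUBLIC_KEY) -> bytes:
    """Constructed, unsigned certificate skeleton used only to exercise the check."""
    alg = der(0x30, der(0x06, key_oid) + params)
    spki = der(0x30, alg + der(0x03, b"\x00\x04" + b"\x11" * 64))  # placeholder point
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
              + der(0x30, der(0x06, bytes.fromhex("2a8648ce3d040302")))  # ecdsa-with-SHA256
              + der(0x30, b"") + der(0x30, der(0x17, b"200101000000Z") * 2)
              + der(0x30, b"") + spki)
    return der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))

# Constructed ECParameters SEQUENCE: placeholder fields, only the outer tag matters here.
EXPLICIT_PARAMS = der(0x30, der(0x02, b"\x01") + der(0x30, b"") + der(0x04, b"\x04") + der(0x02, b"\x01"))
```

Public CAs issue ECC certificates with a named curve, so an 'explicit' result on a certificate that chains to a trusted root is worth investigating; the patched crypt32.dll also writes an event to the Windows Application log when it rejects one.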

COMMENTS

  • Code Monkey

    Just to be clear, the January 2020 Patch Tuesday fixes 49 security bugs, 8 of which are rated “critical”. There are two other critical bugs that you shouldn’t take your eyes off that affect Server 2012 and Server 2016: the Windows Remote Desktop Gateway (RD Gateway) component running on these systems is vulnerable to a remote code execution flaw that allows attackers to take over vulnerable Windows servers by initiating an RDP connection and sending specially crafted requests (CVE-2020-0609 and CVE-2020-0610).