CVE-2020-0601 Spoofing Vulnerability in Windows CryptoAPI
The new year is upon us and Microsoft has slammed the industry with the disclosure of CVE-2020-0601, a highly critical flaw in the cryptographic library for Windows. The patch was first passed secretly to the U.S. military branches under signed non-disclosure agreements until patches were released on January 14th (Patch Tuesday). However, as we all know, nothing remains a secret very long. Surprisingly, a senior vulnerability analyst with CERT was the first to drop a hint that led to the early release of information.
On January 13th Will Dormann, senior vulnerability analyst with CERT, commented in a tweet that people should pay close attention to the updates this month.
I get the impression that people should perhaps pay very close attention to installing tomorrow’s Microsoft Patch Tuesday updates in a timely manner. Even more so than others.
I don’t know… just call it a hunch?
— Will Dormann (@wdormann) January 13, 2020
Shortly after that, Brian Krebs, an investigative journalist, tweeted a warning about “an extraordinarily scary flaw in all Windows versions”.
Sources say Microsoft on Tuesday will fix an extraordinarily scary flaw in all Windows versions, in a core cryptographic component that could be abused to spoof the source of digitally signed software. Apparently DoD & a few others got an advance patch https://t.co/V6PByhjTNR
— briankrebs (@briankrebs) January 13, 2020
On January 14th Brian Krebs tweeted a comment from the NSA’s Director of Cybersecurity affirming that the flaw only affects Windows 10 and Windows Server 2016, and that it “makes trust vulnerable.” This is not all-inclusive, as Microsoft also lists Server 2019 as vulnerable to the flaw.
NSA’s dir. of cybersecurity Anne Neuberger says the critical cryptographic vulnerability resides in Windows 10 and Windows Server 2016, and that the concern about this particular flaw is that it “makes trust vulnerable.”
— briankrebs (@briankrebs) January 14, 2020
CVE-2020-0601 is a spoofing vulnerability in crypt32.dll, a core cryptographic module in Microsoft Windows responsible for implementing certificate and cryptographic messaging functions in Microsoft’s CryptoAPI.
According to the NSA (credited with the discovery of this vulnerability), successful exploitation of this vulnerability would allow attackers to deliver malicious code that appears to be from a trusted entity. The analysis notes some examples of where validation of trust would be impacted:
- HTTPS connections
- Signed files and emails
- Signed executable code launched as user-mode processes
Because CVE-2020-0601 reportedly bypasses Windows’ capability to verify cryptographic trust, an attacker could pass malicious applications off as legitimate, trusted code, putting Windows hosts at risk. An attacker would need to compromise a system in another fashion to deploy malware that exploits this vulnerability. They would likely either use common phishing tactics to trick a trusted user into interacting with a malicious application or use a man-in-the-middle attack through another compromised device in the environment to spoof an intercepted update and replace it with malware.
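The trust bypass behind CVE-2020-0601 comes from crypt32.dll mishandling ECC certificates whose curve is supplied as explicit parameters instead of a named-curve OID, so a defender can flag that certificate shape in captured TLS handshakes or on signed files. The following is an added example, not code from the original post or from Microsoft: a pure-Python DER walker that classifies a certificate's subjectPublicKeyInfo, plus a `make_test_cert` helper (an assumption of this example) that builds constructed, unsigned sample certificates to exercise it.

```python
ID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")   # OID 1.2.840.10045.2.1
SECP256R1 = bytes.fromhex("2a8648ce3d030107")        # OID 1.2.840.10045.3.1.7

def _tlv(data, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                                # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _children(value):
    """Yield (tag, value) for every element inside a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        yield tag, val

def ec_parameter_kind(cert_der):
    """Classify the subjectPublicKeyInfo of a DER X.509 certificate as
    'named-curve', 'implicit', 'not-ec', 'unknown', or 'explicit-params',
    the certificate shape that CVE-2020-0601 detection rules flag."""
    _, cert_body, _ = _tlv(cert_der, 0)              # Certificate SEQUENCE
    _, tbs, _ = _tlv(cert_body, 0)                   # tbsCertificate SEQUENCE
    fields = [(t, v) for t, v in _children(tbs) if t != 0xA0]   # skip [0] version
    spki = fields[5][1]       # serial, sigAlg, issuer, validity, subject, SPKI
    alg_id = next(_children(spki))[1]                # AlgorithmIdentifier body
    alg = list(_children(alg_id))                    # [algorithm OID, parameters]
    if alg[0][1] != ID_EC_PUBLIC_KEY:
        return "not-ec"
    if len(alg) < 2 or alg[1][0] == 0x05:            # absent or NULL parameters
        return "implicit"
    return {0x06: "named-curve", 0x30: "explicit-params"}.get(alg[1][0], "unknown")

def _enc(tag, body):
    """Minimal DER encoder used only to build the constructed sample certificates."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def make_test_cert(ec_params):
    """Constructed, unsigned certificate skeleton (sample data, not a real cert)
    whose SPKI is id-ecPublicKey with the given DER-encoded parameters."""
    alg = _enc(0x30, _enc(0x06, ID_EC_PUBLIC_KEY) + ec_params)
    spki = _enc(0x30, alg + _enc(0x03, b"\x00\x04" + b"\x11" * 64))
    tbs = _enc(0x30, _enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, b"\x01")
               + _enc(0x30, b"") * 4 + spki)       # empty sigAlg/issuer/validity/subject
    return _enc(0x30, tbs + _enc(0x30, b"") + _enc(0x03, b"\x00"))
```

Feed it the DER bytes of a real certificate (PEM-decoded); a result of "explicit-params" is a review trigger rather than proof of forgery, since explicit parameters are rare in practice but not forbidden.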
Microsoft has stated that they’ve seen no active exploitation of this vulnerability so far. However, the vulnerability is labeled as ‘Exploitation More Likely’.