
CVE-2020-0601 Spoofing Vulnerability in Windows CryptoAPI

The new year is upon us and Microsoft has jolted the industry with the disclosure of CVE-2020-0601, a highly critical flaw in the cryptographic library for Windows.

On January 13th Will Dormann, senior vulnerability analyst with CERT, commented in a tweet that people should pay close attention to the updates this month.

Shortly after that, Brian Krebs, an investigative journalist, tweeted a warning about "an extraordinarily scary flaw in all Windows versions".

On January 14th, Brian Krebs tweeted a comment from the NSA's Director of Cybersecurity affirming that the flaw only affects Windows 10 and Windows 2016, putting trust validation at risk.

CVE-2020-0601 is a spoofing vulnerability in crypt32.dll, a core cryptographic module in Microsoft Windows responsible for implementing certificate and cryptographic messaging functions in Microsoft’s CryptoAPI.

According to the NSA (credited with the discovery of this vulnerability), successful exploitation of this vulnerability would allow attackers to deliver malicious code that appears to be from a trusted entity. The analysis notes some examples of where validation of trust would be impacted:

  • HTTPS connections
  • Signed files and emails
  • Signed executable code launched as user-mode processes

Because CVE-2020-0601 reportedly bypasses Windows’ capability to verify cryptographic trust, an attacker could pass malicious applications off as legitimate, trusted code, putting Windows hosts at risk. An attacker would need to compromise a system in another fashion to deploy malware that exploits this vulnerability. They would likely either use common phishing tactics to trick a trusted user into interacting with a malicious application or use a man-in-the-middle attack through another compromised device in the environment to spoof an intercepted update and replace it with malware.
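The practical question for a defender is how to recognise a certificate that leans on this flaw before a patched crypt32.dll does it for you. The detail that matters, taken from the NSA advisory referenced at the end of this post rather than from the post text itself, is that the spoofed certificates carry explicit elliptic-curve parameters in their SubjectPublicKeyInfo instead of naming a standard curve by OID. The script below is an added example, not code from the original post, Microsoft or the NSA: a small pure-Python DER walker that pulls the SubjectPublicKeyInfo out of a DER or PEM certificate and reports whether the EC key names its curve ("named"), spells out ECParameters ("explicit", the case to flag), or is not an EC key at all. The sample SubjectPublicKeyInfo blobs and the ECParameters field values are constructed placeholders for the test, not real keys or a valid curve.

```python
# Added example (not from the original post): classify the EC parameters in an
# X.509 SubjectPublicKeyInfo. A certificate whose EC key uses explicit
# ECParameters instead of a namedCurve OID is the condition the NSA's
# CVE-2020-0601 advisory tells defenders to look for.
import base64
import sys

OID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")   # 1.2.840.10045.2.1 id-ecPublicKey
OID_PRIME256V1 = bytes.fromhex("2a8648ce3d030107")    # 1.2.840.10045.3.1.7 prime256v1
OID_PRIME_FIELD = bytes.fromhex("2a8648ce3d0101")     # 1.2.840.10045.1.1 prime-field


def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER tag/length/value triple (definite-length only)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    nbytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(nbytes)]) + nbytes + body


def der_read(buf: bytes, pos: int = 0):
    """Decode the TLV at buf[pos]; return (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        k = first & 0x7F
        if k == 0:
            raise ValueError("indefinite length is not valid DER")
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + k], "big"), 2 + k
    start = pos + hdr
    return tag, buf[start:start + length], start + length


def der_children(body: bytes):
    """Yield (tag, value) for each element inside a constructed value."""
    pos = 0
    while pos < len(body):
        tag, value, pos = der_read(body, pos)
        yield tag, value


def ec_parameter_kind(spki: bytes) -> str:
    """Return 'named', 'explicit', 'implicit', 'not-ec' or 'unknown' for an SPKI."""
    tag, body, _ = der_read(spki)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    _, alg_body = next(der_children(body))          # AlgorithmIdentifier
    algorithm = list(der_children(alg_body))
    if not algorithm or algorithm[0] != (0x06, OID_EC_PUBLIC_KEY):
        return "not-ec"
    if len(algorithm) < 2:
        return "implicit"                           # parameters absent
    param_tag, _ = algorithm[1]
    if param_tag == 0x06:
        return "named"                              # namedCurve OID
    if param_tag == 0x30:
        return "explicit"                           # full ECParameters SEQUENCE: flag it
    if param_tag == 0x05:
        return "implicit"                           # NULL (implicitlyCA)
    return "unknown"


def certificate_der(data: bytes) -> bytes:
    """Accept DER or PEM certificate bytes and return DER."""
    if data.lstrip().startswith(b"-----BEGIN"):
        lines = [ln for ln in data.splitlines() if not ln.startswith(b"-----")]
        return base64.b64decode(b"".join(lines))
    return data


def spki_from_certificate(cert_der: bytes) -> bytes:
    """Extract the raw SubjectPublicKeyInfo from a DER X.509 certificate."""
    _, cert_body, _ = der_read(cert_der)
    _, tbs_body = next(der_children(cert_body))     # tbsCertificate
    fields = list(der_children(tbs_body))
    if fields[0][0] == 0xA0:                        # optional explicit [0] version
        fields = fields[1:]
    # serial, signature, issuer, validity, subject, subjectPublicKeyInfo
    spki_tag, spki_body = fields[5]
    return der_tlv(spki_tag, spki_body)


def build_spki(parameters: bytes, point: bytes) -> bytes:
    """Assemble an id-ecPublicKey SubjectPublicKeyInfo (used for the samples below)."""
    alg = der_tlv(0x30, der_tlv(0x06, OID_EC_PUBLIC_KEY) + parameters)
    return der_tlv(0x30, alg + der_tlv(0x03, b"\x00" + point))


# Constructed samples: an all-zero uncompressed point placeholder, not a real key.
SAMPLE_POINT = b"\x04" + bytes(64)
NAMED_SPKI = build_spki(der_tlv(0x06, OID_PRIME256V1), SAMPLE_POINT)

# Constructed ECParameters with dummy field values; only the outer SEQUENCE
# structure matters to the classifier, this is not a usable curve.
DUMMY_EC_PARAMS = der_tlv(0x30,
    der_tlv(0x02, b"\x01")                                              # version 1
    + der_tlv(0x30, der_tlv(0x06, OID_PRIME_FIELD) + der_tlv(0x02, b"\x17"))  # fieldID
    + der_tlv(0x30, der_tlv(0x04, b"\x01") + der_tlv(0x04, b"\x01"))   # curve a, b
    + der_tlv(0x04, b"\x04\x01\x01")                                    # base point
    + der_tlv(0x02, b"\x13")                                            # order
    + der_tlv(0x02, b"\x01"))                                           # cofactor
EXPLICIT_SPKI = build_spki(DUMMY_EC_PARAMS, SAMPLE_POINT)

if __name__ == "__main__":
    # Usage: python check_ec_params.py cert1.pem cert2.der ...
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            kind = ec_parameter_kind(spki_from_certificate(certificate_der(fh.read())))
        print(f"{path}: {kind}")
```

Run it over certificates exported from a TLS intercept, a code-signing check or a mail gateway; anything reported as "explicit" deserves a closer look, since legitimate leaf and intermediate certificates from public CAs name their curve by OID. The walker only classifies the structure, so it makes no attempt to validate the chain itself; that is the job crypt32.dll performs once the January update is applied.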

Microsoft has stated that they’ve seen no active exploitation of this vulnerability so far. However, the vulnerability is labeled as ‘Exploitation More Likely’.

Microsoft CVE-2020-0601

NSA Cybersecurity Advisory

List of January 2020 Released Patches

The vulnerability affects Windows 10, Server 2016 and Server 2019.