Avertium Blog

The ABCs of CVE-2020-0601

Written by Marketing | Jan 21, 2020 11:26:00 AM

CVE-2020-0601 Overview

This report is about a recently disclosed vulnerability found in various Microsoft products known as CVE-2020-0601 (CVE stands for Common Vulnerabilities and Exposures). The vulnerability stems from a component in Windows called Crypt32.dll which handles the code signing of certificate information. The vulnerability isn’t currently being exploited or scanned for in the wild, but a proof of concept exploit has been published.

Updates are available for the affected operating systems.

What are the Operating System/Software Versions Impacted? 

  • Windows 10 (all versions)
  • Windows Server 2016 (all versions)
  • Windows Server 2019 (all versions)
  • Can affect any application that relies on Windows trust validation such as web servers, proxies, etc.

An update from Windows is currently available for this vulnerability. While it may take time for your organization to test the patch, you are strongly encouraged to apply the update to avoid any future compromise.

Note: this vulnerability was disclosed by the National Security Agency (NSA).

Tactics, Techniques, and Procedures

The vulnerability is caused by the incorrect handling of the verification process used for ECC (Eleptic Curve Cryptography) within the CryptoAPI in Windows. Not all the ECC parameters are checked properly giving bad actors an opportunity to supply the generator value. The generator value is used to validate any certificate against a trusted certificate authority (CA). Successful exploitation of this vulnerability allows bad actors the ability to render TLS/SSL trust within Windows useless and may provide the opportunity for remote code execution under the right conditions.

Impact

Abuse of this vulnerability could result in a Man-in-the-Middle (MiTM) attack where critical communications can be decrypted. The following areas can be impacted by this vulnerability:

  • Connections over HTTPS
  • Signed files and emails
  • Executables with signed code getting launched as user-mode processes

Recommendations

  • Use the Microsoft advisory link below to download the patch for this vulnerability
  • Be on the lookout for suspicious SSL/TLS connections using TLS inspection mechanisms in security appliances
  • Ensure your security appliances reject untrusted TLS certificates in your environment
  • Subscribe to the Microsoft Technical Security Notification system to stay up to date on security issues affecting Microsoft products
  • Utilize the Snort rule available to help detect any exploitation attempts (see link below)

Sources

Microsoft Links:

Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601

Microsoft Technical Security Notifications: https://www.microsoft.com/en-us/msrc/technical-security-notifications

Supporting Documentation:

CVE Mitre: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0601

SANS Blog Post:  https://isc.sans.edu/forums/diary/CVE20200601+Followup/25714/

NSA Advisory: https://media.defense.gov/2020/Jan/14/2002234275/-1/-1/0/CSA-WINDOWS-10-CRYPT-LIB-20190114.PDF

 

Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report will outline a “top-of-mind” threat and how it ought to be addressed accordingly.

This informed analysis is based on the latest data available.

Contact us for more information about Avertium’s managed detection and response service capabilities.