Cybersecurity Threat Advisory 004-20: CVE-2020-0601 | Windows CryptoAPI Spoofing Vulnerability
Multiple versions of Windows are susceptible to a spoofing vulnerability that could allow an attacker to modify TLS-encrypted communications or spoof an Authenticode signature. Microsoft has issued an update to fix the vulnerability which is available in the recommendations section below.
Technical detail and additional information
What is the threat?
A spoofing vulnerability currently exists in the way that Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. This vulnerability causes CryptoAPI to fail to validate ECC certificates in a fashion that properly utilizes the protection ECC should entail. This results in an attacker being able to create a spoofed certificate that appears to be trusted by CryptoAPI for their malicious executable. In addition to faking file signatures, this vulnerability can also be used to fake digital (SSL) signatures for use in encrypted communication. This vulnerability has been tracked as CVE-2020-0601 and marks the first time Microsoft has credited the National Security Agency (NSA) for reporting a bug.
Why is this noteworthy?
According to Microsoft’s security advisory, this vulnerability exists in all version of Windows 10, as well as Windows Server version 2016 and 2019. However, Windows 7 and Windows 8.1 are unaffected (Consequently Windows 7 is now End of Life, and will not be receiving any further support, and is at risk to other attacks). An attacker can exploit this vulnerability to sign their malicious executable to have it appear trusted and legitimate. From that point, the malicious executable could have been constructed in any number of ways that would cause significant damage. Microsoft has called specific mentioned to these applications being used to “conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software.”
What is the exposure or risk?
By leveraging this vulnerability an attacker can spoof a digital signature to disguise their potentially malicious application as legitimate. This means that potentially any application that relies on the Windows “CertGetCertificateChain()” to determine if an X.509 certificate is from a trusted Certificate Authority (CA) is at risk of incorrectly trusting the provided certificate. If a malicious application is incorrectly identified as trustworthy and ran, your machine would be exposed to whatever malicious function the actor has created it to perform. Additionally, this spoofed certificate can be used to allow an attacker to access encrypted communication, potentially performing a man-in-the-middle (MitM) attack to steal or modify information thought to be secure.
What are the recommendations?
Microsoft released a critical security update that remediates this vulnerability. Simply update your Windows machines when prompted automatically or visit the following link to do so manually.
For more in-depth information about the recommendations, please visit the following links:
If you have any questions, please contact our Security Operations Center.