JANUARY 15, 2020

Microsoft Windows 10 Critical Patch (CVE-2020-0601) – what you need to know

Executive Summary

  • Yesterday, January 14th 2020, Microsoft published a security advisory and a patch for a zero-day vulnerability, CVE-2020-0601, which was recently disclosed by the National Security Agency (NSA). CVE-2020-0601 is a vulnerability in Windows CryptoAPI (Crypt32.dll) that allows the validation mechanisms for Elliptic Curve Cryptography (ECC) certificates to be bypassed and spoofed.
  • There is no available information that indicates active exploitation of this vulnerability in-the-wild, but its publication and level of severity will surely entice threat groups to leverage it.
  • Organizations and individuals are urged to patch their systems as soon as possible. A patch was released by Microsoft.

Overview

The NSA disclosed a vulnerability, tracked as CVE-2020-0601, which affects the Windows CryptoAPI (Crypt32.dll). CryptoAPI handles cryptographic operations and is a core, widely used module of the Windows operating system.

The security advisory from Microsoft provides the following details:

A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates.

An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source. The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider.

A successful exploit could also allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software.

The security update addresses the vulnerability by ensuring that Windows CryptoAPI properly validates ECC certificates.

What makes CVE-2020-0601 more severe and critical than others?

The vast majority of Windows software, be it security solutions, business applications, games, browsers, etc., relies on Windows' CryptoAPI to validate certificates. Certificates are used for code-signing files, establishing secure communications, identity authentication and more. CVE-2020-0601 compromises the integrity of, and therefore the trust in, one of the most fundamental identity and authentication mechanisms, which serves as the basis for multiple security boundaries across and between OS components, applications and entities.

Successful exploitation of this vulnerability would pose a severe security risk. If successfully exploited, it could enable an attacker to:

  1. Sign malicious executables with certificates which would appear to belong to highly trusted owners. For example, a file signed with a Microsoft certificate is assumed to have been developed by Microsoft, and as a result will be trusted by security programs and other components of the operating system.
  2. Forge certificates used to establish secure, encrypted communications. As a result, attackers could perform man-in-the-middle attacks or impersonate legitimate parties.

Is CVE-2020-0601 exploited and used in the wild?

According to the NSA and Microsoft, and all other available information, CVE-2020-0601 is not currently being exploited in the wild. Microsoft and the NSA have (for obvious reasons) still not provided detailed information regarding the technical aspects and root causes of the vulnerability, and therefore it remains unclear what level of skill, effort and resources is needed to develop a successful exploit. At this point, we cautiously assume that it is not a trivial task and would require considerable resources and know-how. However, prominent threat groups, as well as state-level agencies, will undoubtedly attempt to create an exploit as quickly as possible.

As part of the patch released for this vulnerability, Microsoft added a logging mechanism which records attempts to exploit this vulnerability on patched systems.
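As an added example (not part of the original advisory, and not Deep Instinct's or Microsoft's own code), the PowerShell below queries that logging mechanism on a patched host. It assumes, since the page does not state it, that the audit event is written to the Application log by the provider Microsoft-Windows-Audit-CVE as Event ID 1 with "[CVE-2020-0601]" in its message; the -ComputerName and -DaysBack parameters are conveniences of this script, not part of the patch.

```powershell
# Added example: list CryptoAPI audit events recorded for CVE-2020-0601.
# Assumption (not stated on the page): the patched crypt32.dll writes
# Event ID 1 from provider "Microsoft-Windows-Audit-CVE" to the Application
# log whenever it rejects a certificate that attempted the spoof.
# Run in an elevated PowerShell session; reading the Application log on a
# remote host requires the Event Log Readers right (or admin) on that host.
param(
    [string]$ComputerName = $env:COMPUTERNAME,   # hypothetical parameter
    [int]$DaysBack = 7                           # hypothetical parameter
)

$filter = @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-Audit-CVE'
    Id           = 1
    StartTime    = (Get-Date).AddDays(-$DaysBack)
}

# Get-WinEvent raises an error when nothing matches; SilentlyContinue turns
# "no events" into an empty result. Any access problem is surfaced below.
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter `
                       -ErrorAction SilentlyContinue -ErrorVariable winEventErr

$realErrors = $winEventErr | Where-Object { $_.Exception.Message -notlike '*No events were found*' }
if ($realErrors) { throw $realErrors[0] }

# Keep only records that name this CVE, in case the provider is reused later.
$hits = @($events | Where-Object { $_.Message -like '*CVE-2020-0601*' } | ForEach-Object {
    [PSCustomObject]@{
        TimeCreated = $_.TimeCreated
        Computer    = $_.MachineName
        Message     = $_.Message
    }
})

if ($hits.Count -eq 0) {
    Write-Output "No CVE-2020-0601 audit events on $ComputerName in the last $DaysBack day(s)."
    exit 0
}

Write-Warning "$($hits.Count) CVE-2020-0601 audit event(s) found on $ComputerName; investigate the originating process and certificate chain."
$hits | Sort-Object TimeCreated -Descending | Format-List
exit 1   # non-zero so a scheduled task or monitoring job can flag the host
```

A hit means a patched host already rejected a spoofed certificate; an unpatched host logs nothing, so an empty result on a machine that has not received the update is not evidence of safety.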

What to do?

CVE-2020-0601 is rare in its level of severity and criticality. It puts at risk common and widely adopted trust, authentication and privacy mechanisms which serve as pillars of the Windows ecosystem. Patching systems as soon as possible is the safest and currently the only way to fully mitigate the risk it poses. Deep Instinct recommends and urges its customers, all other organizations and individuals to update their Windows systems and apply the patch at the earliest time possible.