The NSA disclosed a vulnerability, tracked as CVE-2020-0601, which affects the Windows CryptoAPI (Crypt32.dll). CryptoAPI handles cryptographic operations and is a fundamental and widely used module in the Windows operating system.
The security advisory from Microsoft provides the following details:
A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates.
An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source. The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider.
A successful exploit could also allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software.
The security update addresses the vulnerability by ensuring that Windows CryptoAPI properly validates ECC certificates.
What makes CVE-2020-0601 more severe and critical than others?
The vast majority of Windows software, be it security solutions, business applications, games, browsers, etc., relies on Windows’ CryptoAPI to validate certificates. Certificates are used for code-signing files, establishing secure communications, identity authentication and more. CVE-2020-0601 compromises the integrity of, and therefore the trust in, one of the most fundamental identity and authentication mechanisms, which serves as the basis for multiple security boundaries across and between OS components, applications and entities.
Successful exploitation of this vulnerability would pose a severe security risk. If successfully exploited, it could enable an attacker to:
Is CVE-2020-0601 exploited and used in the wild?
According to the NSA and Microsoft, and all other available information, CVE-2020-0601 is not currently being exploited in the wild. Microsoft and the NSA have (for obvious reasons) still not provided detailed information regarding the technical aspects and root causes of the vulnerability, and therefore it remains unclear what level of skill, effort and resources is needed to develop a successful exploit. At this point, we cautiously assume that it is not a trivial task and would require considerable resources and know-how. However, prominent threat groups, as well as state-level agencies, will undoubtedly attempt to create an exploit as quickly as possible.
As part of the patch released for this vulnerability, Microsoft added a logging mechanism, which tracks attempts to exploit this vulnerability.
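As an added example (not from the original post or from Microsoft), one way to check patched hosts for those log entries. It assumes the patched CryptoAPI reports through the Windows CVE audit provider `Microsoft-Windows-Audit-CVE` as event ID 1 in the Application log, names that do not appear on this page; the function name is hypothetical.

```powershell
# Added example, not from the original page.
# Assumption: the patch's audit events land in the Application log under
# provider 'Microsoft-Windows-Audit-CVE' with event ID 1.
function Get-Cve20200601AuditEvent {
    [CmdletBinding()]
    param(
        # Hosts to query; defaults to the local machine.
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        # Only return events newer than this.
        [datetime]$After = (Get-Date).AddDays(-30)
    )

    $filter = @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-Audit-CVE'
        Id           = 1
        StartTime    = $After
    }

    foreach ($computer in $ComputerName) {
        try {
            $events = Get-WinEvent -ComputerName $computer -FilterHashtable $filter -ErrorAction Stop
        }
        catch {
            # "No matching events" is the expected, healthy result.
            if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { continue }
            # Anything else (provider not registered because the host is
            # unpatched, host unreachable) means "not checked", not "clean".
            Write-Warning "$computer could not be checked: $($_.Exception.Message)"
            continue
        }

        # The audit provider is not specific to one CVE, so keep only this one.
        $events |
            Where-Object { $_.ToXml() -match 'CVE-2020-0601' } |
            ForEach-Object {
                [pscustomobject]@{
                    Computer    = $computer
                    TimeCreated = $_.TimeCreated
                    ProcessId   = $_.ProcessId   # process that called CryptoAPI
                    Details     = $_.Message
                }
            }
    }
}

Get-Cve20200601AuditEvent | Sort-Object TimeCreated | Format-List
```

A warning for a host is worth following up on its own: a missing provider usually means the update that adds the logging has not been installed there.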
What to do?
CVE-2020-0601 is rare in its level of severity and criticality. It puts at risk common and widely adopted trust, authentication and privacy mechanisms which serve as pillars of the Windows ecosystem. Patching systems as soon as possible is the safest and currently the only way to fully mitigate the risk posed by it. Deep Instinct recommends and urges its customers, and all other organizations and individuals, to update their Windows systems and apply the patch at the earliest time possible.