01.15.20

Vulnerability SPOT Report

SPOT Report - Microsoft Crypt32 Certificate Validation flaw

By Dave Farquhar

Overview

On January 14, 2020, the NSA and Microsoft disclosed a critical vulnerability in Microsoft’s CryptoAPI DLL, also known as crypt32.dll. This is a component in Windows used by the operating system and many Microsoft applications, including its web browsers. This flaw, CVE-2020-0601, was one of 50 fixed in Microsoft’s January 2020 Patch Tuesday release.

The affected component, crypt32.dll, improperly validates Elliptic Curve Cryptography (ECC) certificates. An attacker who exploits this bug could do several things:

  • Spoof a code-signing certificate and secretly sign a file, making that file appear as if it is from a trusted source
  • Conduct man-in-the-middle attacks and decrypt confidential information
  • Spoof a digital certificate used to log on to systems using public key infrastructure, such as two-factor smartcard authorization used by government agencies

This vulnerability affects all builds of Windows 10 and Windows Server 2016, including Microsoft’s web browsers, Internet Explorer and Edge. The vulnerability received a great deal of speculation and publicity prior to its disclosure.
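As an added defensive check, not code from the deepwatch report, the Python below walks a certificate's DER SubjectPublicKeyInfo and flags EC keys that carry explicitly encoded curve parameters instead of a named-curve OID. The report does not spell out the root cause, so this goes one step deeper: crypt32.dll trusted such explicit parameters without checking them against the cached trusted root, which is what CVE-2020-0601 abuses. All sample inputs are constructed inline with a minimal DER encoder; no real certificate is embedded.

```python
# Added example, not code from the deepwatch report. CVE-2020-0601 stems from crypt32.dll
# accepting EC certificates whose SubjectPublicKeyInfo carries explicitly encoded curve
# parameters instead of a named-curve OID; flagging such keys is a useful triage check.
# Sample inputs are constructed below with a minimal DER encoder; no real cert is embedded.

OID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")  # id-ecPublicKey 1.2.840.10045.2.1
OID_P256 = bytes.fromhex("2a8648ce3d030107")         # secp256r1 1.2.840.10045.3.1.7

def tlv(tag: int, content: bytes) -> bytes:
    """DER-encode one tag/length/value triple."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(body)]) + body + content

def read_tlv(buf: bytes, pos: int):
    """Decode the TLV at buf[pos]; return (tag, content, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big"), 2 + nbytes
    start = pos + hdr
    return tag, buf[start:start + length], start + length

def classify_spki(spki: bytes) -> str:
    """Return 'not-ec', 'named-curve', 'implicit-curve', 'explicit-params' or 'missing-params'."""
    _, seq, _ = read_tlv(spki, 0)        # SubjectPublicKeyInfo ::= SEQUENCE
    _, alg, _ = read_tlv(seq, 0)         # AlgorithmIdentifier ::= SEQUENCE
    tag, oid, nxt = read_tlv(alg, 0)     # algorithm OID
    if tag != 0x06 or oid != OID_EC_PUBLIC_KEY:
        return "not-ec"
    if nxt >= len(alg):
        return "missing-params"          # malformed: RFC 5480 requires ECParameters here
    ptag, _, _ = read_tlv(alg, nxt)      # ECParameters CHOICE
    if ptag == 0x06:
        return "named-curve"             # namedCurve OID: the form a validator should expect
    if ptag == 0x30:
        return "explicit-params"         # specifiedCurve SEQUENCE: the pattern abused in CVE-2020-0601
    return "implicit-curve"              # NULL (implicitlyCA), deprecated

def build_spki(alg_oid: bytes, params: bytes) -> bytes:
    """Constructed test SPKI: AlgorithmIdentifier plus a dummy 65-byte public-key BIT STRING."""
    alg = tlv(0x30, tlv(0x06, alg_oid) + params)
    return tlv(0x30, alg + tlv(0x03, b"\x00\x04" + b"\x00" * 64))

NAMED_SPKI = build_spki(OID_EC_PUBLIC_KEY, tlv(0x06, OID_P256))
EXPLICIT_SPKI = build_spki(OID_EC_PUBLIC_KEY, tlv(0x30, tlv(0x02, b"\x01")))  # ECParameters stub (version only)
RSA_SPKI = build_spki(bytes.fromhex("2a864886f70d010101"), tlv(0x05, b""))     # rsaEncryption, NULL params
```

For a real certificate, feed the DER SubjectPublicKeyInfo (for example the base64-decoded output of `openssl x509 -pubkey -noout`) to classify_spki; a leaf or intermediate that reports explicit-params deserves investigation before the chain is trusted.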

Potential Impact

Microsoft’s write-up was fairly vague, and Microsoft rated the flaw only as Important. Depending on the use case, this could underestimate the potential impact. Google’s Tavis Ormandy confirmed the vulnerability affects anything using X.509, including TLS, code signing, digital certificates, and public key infrastructure.

The NSA was quick to caution the problem was not with PKI or cryptography as a whole, just a single implementation requiring a bug fix.

The Microsoft rating of Important has caused some organizations to downplay its importance. Organizations that rely on PKI for two-factor single sign-on would rate this much higher. For most organizations, deepwatch recommends ensuring this month’s updates go through your standard testing and deployment process. Getting the update deployed correctly is more important than getting it deployed quickly.

At present there are no known exploits for this vulnerability, which reduces the need to rush.

Mitigation

The only fully effective mitigation is to apply Microsoft’s January 2020 Patch Tuesday bundle. Fake patches specific to CVE-2020-0601 are already circulating, so be sure to use Microsoft’s official updates. The NSA stated some partial mitigations exist but stressed they are not effective.

Detection

Qualys has released QID 91595, and Tenable has released six plugins (132857 through 132862) to detect CVE-2020-0601. You can conduct a scan using the specific QID or Plugin IDs, or run a standard full vulnerability scan.

If you are a Vulnerability Management customer with deepwatch, please contact your Vulnerability Management SME in order to arrange a scan and identify any vulnerable systems. The Vulnerability Management SME will assist in developing a mitigation strategy and notify you when identifications are officially released.

Update

Soon after this report was published, two proof-of-concept attacks against this Microsoft CryptoAPI flaw, which some researchers are calling Curveball, appeared. The quick appearance of this code suggests the flaw is simpler to exploit than it first appeared and raises the urgency. However, it remains a larger problem for government entities than for the private sector. It is also a bigger problem for workstations and external web servers running IIS than for internal servers, because one of the major consequences, the breaking of TLS, matters most for systems that communicate over the Internet.

Contributors

Dave Farquhar, Vulnerability Management Program Manager
Britton Grim, Vulnerability Management Program Manager

Supporting Information

  • https://portal.msrc.microsoft.com/en-us/security-guidance
  • https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601
  • https://www.nsa.gov/News-Features/News-Stories/Article-View/Article/2056772/a-very-important-patch-tuesday/
  • https://twitter.com/taviso/status/1217146026923978752
  • https://blog.talosintelligence.com/2020/01/microsoft-patch-tuesday-jan-2020.html

Dave Farquhar

Dave Farquhar is deepwatch’s vulnerability management onboarding engineer. His background includes 10 years of patching experience and 10 years of security experience. After hours, he is a model train enthusiast and a prolific blogger.


© Copyright 2021 deepwatch incorporated