01.15.20

SPOT Report – Microsoft Crypt32 Certificate Validation Flaw

By Dave Farquhar

Overview

On January 14, 2020, the NSA and Microsoft disclosed a critical vulnerability in Microsoft’s CryptoAPI DLL, also known as crypt32.dll. This is a component in Windows used by the operating system and many Microsoft applications, including its web browsers. This flaw, CVE-2020-0601, was one of 50 fixed in Microsoft’s January 2020 Patch Tuesday release.

The affected component, crypt32.dll, improperly validates Elliptic Curve Cryptography certificates. Attackers could exploit this bug to do several things:

  • Spoof a code-signing certificate and secretly sign a file, making that file appear as if it is from a trusted source
  • Conduct man-in-the-middle attacks and decrypt confidential information
  • Spoof a digital certificate used to log on to systems using public key infrastructure, such as two-factor smartcard authorization used by government agencies

This vulnerability affects all builds of Windows 10 and Windows Server 2016, including Microsoft’s web browsers, Internet Explorer and Edge. The vulnerability received a great deal of speculation and publicity prior to its disclosure.

Potential Impact

Microsoft’s write-up was fairly vague, and Microsoft only rated the vulnerability as Important. Depending on the use case, this rating could underestimate the potential impact. Google’s Tavis Ormandy confirmed that the vulnerability affects anything using X.509, including TLS, code signing, digital certificates, and public key infrastructure.

The NSA was quick to caution the problem was not with PKI or cryptography as a whole, just a single implementation requiring a bug fix.

The Microsoft rating of Important has caused some organizations to downplay the flaw. Organizations that rely on PKI for two-factor single sign-on would rate it much higher. For most organizations, Deepwatch recommends ensuring this month’s updates go through your standard testing and deployment process. Getting the update deployed correctly is more important than getting it deployed quickly.

At present there are no known exploits for this vulnerability, which reduces the need to rush.

Mitigation

The only fully effective mitigation is to apply Microsoft’s January 2020 Patch Tuesday bundle. Fake patches specific to CVE-2020-0601 are already circulating, so be sure to use Microsoft’s official updates. The NSA stated some partial mitigations exist but stressed they are not effective.

Detection

Qualys has released QID 91595 and Tenable has released six plugins, 132857-132862, to detect CVE-2020-0601. You can conduct a scan using the specific QID or Plugin IDs, or run a standard full vulnerability scan.
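Two checks complement the scanner-based detection above and the warning in the Mitigation section about fake CVE-2020-0601 patches: confirming that a downloaded update package is genuinely Microsoft-signed before it is installed, and confirming afterwards that the January 2020 update is actually present on a host. The PowerShell below is an added example written for this page, not Deepwatch, Microsoft, Qualys or Tenable code. The KB identifier in $ExpectedKBs and the path in $UpdatePackage are placeholders, since the report does not list them; take the real values for your Windows build from Microsoft’s advisory for CVE-2020-0601.

```powershell
# Added example, not from the Deepwatch report.
# Placeholders (assumptions): replace the KB number and the package path with the
# values from Microsoft's CVE-2020-0601 advisory for the Windows build you run.
$ExpectedKBs   = @('KBXXXXXXX')                               # placeholder KB id
$UpdatePackage = 'C:\Updates\windows10-january-2020-update.msu' # placeholder path

function Test-UpdatePackageSignature {
    # A counterfeit "CVE-2020-0601 patch" will not carry a valid Microsoft
    # Authenticode signature; refuse to install anything that fails this check.
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $isMicrosoft = $null -ne $sig.SignerCertificate -and
                   $sig.SignerCertificate.Subject -like '*O=Microsoft Corporation*'
    [pscustomobject]@{
        Path    = $Path
        Status  = $sig.Status                 # only 'Valid' is acceptable
        Signer  = $sig.SignerCertificate.Subject
        Trusted = ($sig.Status -eq 'Valid') -and $isMicrosoft
    }
}

function Test-CryptoApiPatchState {
    # Report which expected KBs are missing and what crypt32.dll the host is
    # running, so the result can be compared with the fixed version Microsoft lists.
    param([string[]]$KBs = $ExpectedKBs)
    $installed = Get-HotFix | Where-Object { $KBs -contains $_.HotFixID }
    $crypt32   = Get-Item "$env:SystemRoot\System32\crypt32.dll"
    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        OSVersion      = [Environment]::OSVersion.Version.ToString()
        MissingKBs     = @($KBs | Where-Object { $installed.HotFixID -notcontains $_ })
        Crypt32Version = $crypt32.VersionInfo.FileVersion
        Crypt32Signed  = (Get-AuthenticodeSignature -FilePath $crypt32.FullName).Status
    }
}

# Usage: check the package first, then the host state (placeholders must be filled in).
if (Test-Path $UpdatePackage) {
    Test-UpdatePackageSignature -Path $UpdatePackage | Format-List
}
Test-CryptoApiPatchState | Format-List
```

Windows 10 updates are cumulative, so once a later monthly rollup is installed Get-HotFix no longer lists the January 2020 KB even though the fix is present; on such hosts treat the crypt32.dll file version, compared against the version Microsoft publishes in its advisory, as the authoritative check rather than the KB list.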

If you are a Vulnerability Management customer with Deepwatch, please contact your Vulnerability Management SME in order to arrange a scan and identify any vulnerable systems. The Vulnerability Management SME will assist in developing a mitigation strategy and notify you when identifications are officially released.

Update

Soon after the publication of this report, two proof-of-concept attacks against this Microsoft CryptoAPI flaw, which some researchers are calling Curveball, appeared. The quick appearance of this code suggests the flaw is simpler to exploit than it first appeared and raises the urgency. However, this flaw remains a larger problem for government entities than for the private sector. It is also a bigger problem for workstations and external web servers running IIS than for internal servers, because one of the major consequences, the breaking of TLS, matters most for systems that communicate with the Internet.

Contributors

Dave Farquhar, Vulnerability Management Program Manager
Britton Grim, Vulnerability Management Program Manager

Supporting Information

  • https://portal.msrc.microsoft.com/en-us/security-guidance
  • https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601
  • https://twitter.com/taviso/status/1217146026923978752
  • https://blog.talosintelligence.com/2020/01/microsoft-patch-tuesday-jan-2020.html
