Critical Windows CryptoAPI Spoofing Vulnerability
When Microsoft released patches on January 14, 2020, it revealed one of the most critical vulnerabilities it has discovered in years. The company confirmed a serious security vulnerability in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates, disclosed to the company by the NSA. Given the severity of the vulnerability, Microsoft and the wider security community were unanimous in their immediate call to install the relevant patch - the only available mitigation at this time.
The vulnerability affects Windows 10 and Windows Server 2016/2019, as well as applications that rely on Windows for authentication and other types of trust functionality. Regular internet users will recognize cryptographic certificates as the security mechanism that keeps them safe when browsing secure websites, such as banking websites. Certificates are visible in internet browsers when browsing HTTPS URLs, usually indicated by a padlock icon near the web address. As the DHS directive states:
“It bypasses the trust store, allowing unwanted or malicious software to masquerade as authentically signed by a trusted or trustworthy organization, which may deceive users or thwart malware detection methods like anti-virus. Additionally, a maliciously crafted certificate could be issued for a hostname that did not authorize it, and a browser that relies on Windows’ CryptoAPI would not issue a warning, allowing an attacker to decrypt, modify, or inject data on user connections without detection.”
Patch Patch Patch
Given the severity of the vulnerability, it is highly recommended to review patching schedules to ensure that Microsoft’s most recent patches are installed as soon as possible. On 14 January, Microsoft stated that there were no known attacks which had exploited CVE-2020-0601. However, with the vulnerability in the open, various threat actors will doubtless be building tools to exploit it, if they have not done so already. The NSA has already stated that “sophisticated cyber actors will understand the underlying flaw very quickly.” In a statement, a Microsoft Senior Director confirmed that those who apply automatic updates should already be protected. In the event that enterprise-wide automated patching is not possible, the NSA has recommended that system owners prioritize patching endpoints that provide essential or broadly relied-upon services.
In its advisory on the vulnerability, the NSA described the consequences of not patching as “severe and widespread.” Anne Neuberger, Head of the NSA’s Cybersecurity Directorate, recommended that network owners “expedite implementation of the patch immediately, as we will also be doing.” At the time of writing, Microsoft and other cyber security providers claimed their updated software was able to detect and respond to malicious activity designed to exploit the vulnerability.
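A host-side check an administrator can run to verify the patch state and the detection the updated software provides, added here as an example and not part of the original advisory. It assumes the KB identifiers are placeholders to be replaced with the January 2020 update IDs for the host's Windows build, and that the Application-log event written by the patched CryptoAPI (provider Microsoft-Windows-Audit-CVE, Event ID 1, message containing "[CVE-2020-0601]") is the signal for a detected spoofing attempt.

```powershell
# Added example (not from the original advisory): report whether the
# CVE-2020-0601 fix is installed and whether the patched CryptoAPI has
# logged any certificate that matched the vulnerability.
# Assumptions: $PatchKBs holds placeholders for the January 2020 update IDs;
# the Audit-CVE Application-log event (provider Microsoft-Windows-Audit-CVE,
# Event ID 1, message containing "[CVE-2020-0601]") is what the update writes
# when it blocks a spoofed certificate.
function Test-CVE20200601Status {
    [CmdletBinding()]
    param(
        [string[]]$PatchKBs = @('KB-PLACEHOLDER-1', 'KB-PLACEHOLDER-2'),
        [int]$LookbackDays = 30
    )

    # 1. Is one of the fixing updates present in the installed hotfix list?
    $installed = Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $PatchKBs -contains $_.HotFixID }

    # 2. Has the patched validator flagged a certificate in the lookback window?
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-Audit-CVE'
        Id           = 1
        StartTime    = (Get-Date).AddDays(-$LookbackDays)
    }
    $hits = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like '*CVE-2020-0601*' }

    $latest = $hits | Sort-Object TimeCreated -Descending | Select-Object -First 1

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        Patched         = [bool]$installed
        InstalledKBs    = ($installed | ForEach-Object HotFixID) -join ','
        ExploitAttempts = @($hits).Count
        LatestAttempt   = $latest.TimeCreated
    }
}

Test-CVE20200601Status | Format-List
```

An unpatched host never writes the Audit-CVE event, so an empty ExploitAttempts count is only meaningful when Patched is true. Cumulative updates are not always listed by Get-HotFix, so treat a false Patched result as a prompt to confirm the build number rather than as proof the fix is missing.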