Microsoft CryptoAPI (CVE-2020-0601): NSA Warns of Critical Vulnerability

Critical Flaw in the Cryptographic Library for Windows

On January 14, 2020, the NSA issued a Cybersecurity Advisory highlighting a vulnerability in Microsoft Windows 10 and Windows Server 2016/2019 (CVE-2020-0601). At issue is a critical cryptographic vulnerability in Microsoft devices whereby attackers could spoof a valid X.509 certificate chain on a vulnerable Windows system. Exploiting this vulnerability could, for example, allow an attacker to sign a malicious executable, making it appear the file was from a trusted, legitimate source. Additionally, an attacker can use this vulnerability to intercept and alter encrypted HTTPS traffic by leveraging a Man-In-The-Middle position and alter the digital signature provided in the established TLS connection.

What’s Affected and What Happens?

The vulnerability affects Windows 10 and Windows Server 2016/2019 as well as applications that rely on Windows for trust functionality. Exploitation of the vulnerability could allow attackers to defeat trusted network connections and deliver executable code while appearing as legitimately trusted entities. This could possibly affect:

• HTTPS connections
• Signed files and emails
• Signed executable code launched as user-mode processes

Mitigations

The only known mitigation is to apply Microsoft’s January 2020 Patch Tuesday patch with recommendation from the NSA to apply as quickly as possible. Patches can be found here.

The Windows Patch Challenge

Patching Windows machines is an extensive effort that takes time and resources under normal circumstances. While this alert drives the urgency and need for immediate response, many Windows 10 devices may have restrictions on updates and patching, further delaying mitigation efforts. For example, devices which have to be certified upon update, such as medical devices or clinical research devices. This also includes OT devices on production lines or in utilities running the affected versions of Windows.

How Armis Helps

As an agentless and passive device security platform, Armis is able to do the following:

• Identify devices on your network that might be at risk from this attack
• Identify devices being exploited by this vulnerability in real time (and secure them)
• Use that information to to alert system administrators and initiate the workflows necessary to begin remediation via patching