Microsoft released patches addressing 49 vulnerabilities as part of its monthly Patch Tuesday announcement. Among the vulnerabilities patched there is a critical flaw; the most relevant, and most worrying, affects the Windows CryptoAPI. Since this information was leaked a few days before its mitigation, it has been exploited in the wild.
Discovered by the NSA and tracked as CVE-2020-0601, this critical vulnerability affects Microsoft's Windows cryptographic functionality. The certificate validation vulnerability allows an attacker to undermine how Windows verifies cryptographic trust and can enable remote code execution.
The exploitation of this vulnerability could allow attackers to defeat trusted network connections and deliver executable code while appearing as legitimately trusted entities.
The vulnerability affects Windows 10 and Windows Server 2016 and 2019. It also affects applications that rely on Windows for trust functionality.
HTTPS connections, signed files and emails, and signed executable code launched as user-mode processes are some examples where validation of trust may be abused.
How it works
This vulnerability allows Elliptic Curve Cryptography (ECC) certificate validation to bypass the trust store, enabling unwanted or malicious software to masquerade as authentically signed by a trusted or trustworthy organization. It could deceive users or let malware evade traditional detection methods such as antivirus.
Other technical details of the flaw are not publicly available, to avoid more adversaries exploiting it. Microsoft confirms the flaw and acknowledges that, if successfully exploited, it could allow attackers to spoof digital signatures.
A sample scenario of how this flaw could be used to trick a user into installing malicious software: an attacker sends an email that appears to come from a trusted sender, using the flaw to spoof a valid signature (for example, a vendor's signature), so the message is not marked as phishing. The user trusts it and clicks on a link; the attacker either redirects the request to a malicious website or serves a crafted website directly, without needing to redirect the first interaction. The attacker is able to present that fake website with a TLS certificate that appears to be valid. From there, malware can be downloaded from the website carrying an apparently valid signature, so the installation would not be stopped by antivirus.
Patch Tuesday is well known for addressing security gaps in Microsoft operating systems. These updates are critical because of the possible impact if these vulnerabilities are exploited. The technical details are not publicly issued, to avoid adversaries using them more widely; however, there are already groups taking advantage of these flaws. We highly recommend updating your operating system (OS) at your earliest convenience.
The vulnerability places Windows endpoints at risk to a broad range of exploitation vectors. The NSA assesses the vulnerability to be severe, and that sophisticated adversaries can understand the underlying flaw very quickly and, if exploited, would render the previously mentioned platforms as fundamentally vulnerable.
The consequences of not patching the vulnerability are severe and widespread. Remote exploitation tools will likely be made quickly and widely available. The rapid adoption of the patch is the only known mitigation at this time and should be the primary focus for all network owners.
This vulnerability is tracked under CVE-2020-0601.
It is highly recommended to install all the updates in the January 2020 Patch release from Microsoft as soon as possible to effectively mitigate the vulnerabilities found on all Windows 10 and Windows Server 2016 or newer systems. If your organization automates patching through a system administrator, we recommend prioritizing these updates, especially on machines that are facing the internet.
Also, you can go and check for the latest updates manually by going to Windows Settings -> Update & Security -> Windows Update -> click on "Check for updates on your PC."
At the same time, it is worth mentioning that Windows OS versions before Windows 10 are no longer supported by any updates. We therefore recommend upgrading your Windows if you are using an unsupported version.
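The patch is the only mitigation, but once it is installed Windows also records blocked exploitation attempts: Microsoft documented that the January 2020 update logs Event ID 1 from source "Audit-CVE" in the Application event log, with "[CVE-2020-0601]" in the message. The following triage script is an added example, not part of this advisory; the CSV export layout, the host names and the patch-status table are constructed for illustration.

```python
"""Triage an exported Windows Application log for CVE-2020-0601 audit events."""
import csv
import io
from collections import defaultdict

# Constructed sample: a CSV export of Application-log events from several
# hosts. Source name, Event ID and message text follow what Microsoft
# documented for the January 2020 update; the export layout is an assumption.
SAMPLE_EXPORT = """host,time,source,event_id,message
ws01,2020-01-16T09:12:03,Audit-CVE,1,"[CVE-2020-0601] cert validation"
ws01,2020-01-16T09:12:05,Audit-CVE,1,"[CVE-2020-0601] cert validation"
ws02,2020-01-16T10:00:00,Windows Error Reporting,1001,"Fault bucket"
srv01,2020-01-16T11:30:41,Audit-CVE,1,"[CVE-2020-0601] cert validation"
"""

# Constructed: whether each host reports the January 2020 update as installed.
PATCHED_HOSTS = {"ws01": True, "ws02": True, "srv01": True, "srv02": False}


def parse_audit_cve_events(export_text):
    """Return {host: [rows]} containing only Audit-CVE Event ID 1 records
    that reference CVE-2020-0601; unrelated Application-log noise is dropped."""
    hits = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_text)):
        if (row["source"] == "Audit-CVE" and row["event_id"] == "1"
                and "CVE-2020-0601" in row["message"]):
            hits[row["host"]].append(row)
    return dict(hits)


def triage(export_text, patched):
    """Classify each host. The audit event only exists once the patch is
    installed, so silence on an unpatched host means no telemetry, not safety."""
    hits = parse_audit_cve_events(export_text)
    verdicts = {}
    for host, is_patched in patched.items():
        if not is_patched:
            verdicts[host] = "unpatched: no audit telemetry, patch first"
        elif host in hits:
            verdicts[host] = f"patched: {len(hits[host])} spoofed-cert attempts blocked"
        else:
            verdicts[host] = "patched: no attempts logged"
    return verdicts


if __name__ == "__main__":
    for host, verdict in sorted(triage(SAMPLE_EXPORT, PATCHED_HOSTS).items()):
        print(f"{host}: {verdict}")
```

Hosts flagged as "unpatched" should be patched before their silence is read as good news, since they cannot log the event at all.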
CVEs: Common Vulnerabilities and Exposures