Recently, Microsoft released a patch that fixes a critical vulnerability in the Windows' crypto library.



According to the advisory [1]:

A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates.

An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source.

The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider. A successful exploit could also allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software.

It's a serious 0-day vulnerability that interestingly was discovered by NSA security researchers.

Indeed, the NSA advisory [2] gives a lot more information about the vulnerability:

The certificate validation vulnerability allows an attacker to undermine how Windows verifies cryptographic trust and can enable remote code execution. The vulnerability affects Windows 10 and Windows Server 2016/2019 as well as applications that rely on Windows for trust functionality.
Exploitation of the vulnerability allows attackers to defeat trusted network connections and deliver executable code while appearing as legitimately trusted entities.

Examples where validation of trust may be impacted include:
- HTTPS connections
- Signed filesand emails
- Signed executable code launched as user-mode processes

The vulnerability places Windows endpoints at risk to a broad range of exploitation vectors.
NSA assesses the vulnerability to be severe and that sophisticated cyber actors will understand the underlying flaw very quicklyand, if exploited, would render the previously mentioned platforms as fundamentally vulnerable.

The consequences of not patching the vulnerability are severe and widespread.
Remote exploitation tools will likely be made quickly and widely available.
Rapid adoption of the patch is the only known mitigation at this time and should be the primary focus for all network owners.

NSA also suggest to arrange patching plan, in the event that enterprise-wide, automated patching is not possible::

NSA recommends system owners prioritize patching endpoints that provide essential or broadly replied-upon services.

Examples include:
- Windows-based web appliances, web servers, or proxies that perform TLS validation.
- Endpoints that host critical infrastructure (e.g. domain controllers, DNS servers, update servers, VPN servers, IPSec negotiation).

Prioritization should also be given to endpoints that have a high risk of exploitation.

Examples include:
- Endpoints directly exposed to the internet.
- Endpoints regularly used by privileged users.

Finally, Kudelski Security has published [3] a PoC exploit [4] and a demo website [5] that uses a forged certificate recognized by Windows as being trusted.

As usual, my suggestion is to patch your Windows 10 and Windows Server 2016/2019 systems, right now!

<conspiracy theorist>It's possible that this vulnerability has already been exploited by cybercriminals, as well as the NSA may already used that!</conspiracy theorist>


References

  1. CVE-2020-0601 | Windows CryptoAPI Spoofing Vulnerability
  2. Patch Critical Cryptographic Vulnerability in Microsoft Windows Clients and Servers
  3. CVE-2020-0601: the ChainOfFools attack explained with PoC
  4. https://github.com/kudelskisecurity/chainoffools
  5. https://chainoffools.wouaib.ch/