Updated 19:58, January 14, 2020, with NSA comment.
Microsoft has pushed out an urgent patch for a vulnerability in a Windows component, crypt32.dll, which handles cryptographic messaging functions, after the bug was discovered and reported by the National Security Agency (NSA). The flaw allows an attacker to spoof the code-signing certificate on an application or file.
The NSA said: “The certificate validation vulnerability allows an attacker to undermine how Windows verifies cryptographic trust and can enable remote code execution. Exploitation of the vulnerability allows attackers to defeat trusted network connections and deliver executable code while appearing as legitimately trusted entities.”
The signals intelligence agency added: “The vulnerability places Windows endpoints at risk to a broad range of exploitation vectors. Sophisticated cyber actors will understand the underlying flaw very quickly and, if exploited, would render [Windows 10, Server 2016 and 2019] as fundamentally vulnerable.The consequences of not patching the vulnerability are severe and widespread. Remote exploitation tools will likely be made quickly and widely available.Rapid adoption of the patch is the only known mitigation at this time and should be the primary focus for all network owners.”
The NSA’s disclosure looks like a bid to build bridges with a company that has been vociferous in its frustration at intelligence agencies hoarding zero days. (It comes eight months after the UK’s National Cyber Security Centre (NCSC) also reported a critical wormable vulnerability to Microsoft, popularly known as Bluekeep.)
The vulnerability, CVE-2020-0601, has a CVSS base score of 8.1. It was one of 14 major CVEs patched today by Microsoft as part of its Patch Tuesday cycle. It affects a wide range of Windows 10 builds, Windows Server 2016 and Windows Server 2019.
See also: “Microsoft Credits NCSC for Critical Bug Find, Pushes Out Unusual Patch”
Microsoft said: “A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates.
“An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source. The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider.
Crypt32.dll Vulnerability: “Decrypt Confidential Information”
The company added: “A successful exploit could also allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software. The security update addresses the vulnerability by ensuring that Windows CryptoAPI completely validates ECC certificates.”
Microsoft said: “Users can tell if someone is attempting to use a forged certificate to exploit this vulnerability after the Windows update, because the system will generate Event ID 1 in the Event Viewer after each reboot under Windows Logs/Application when when an attempt to exploit a known vulnerability ([CVE-2020-0601] cert validation) is detected. This Event is raised by a User mode process.”
How Bad Is It?
With millions of endpoints vulnerable, the patch is urgent.
As security professional @SwiftonSecurity noted: “When NSA says CVE-2020-0601 enables Remote Code Execution, they mean that trusted communication channels like automatic update downloads and non-validated input between systems could be modified in-transit by a MitM, to cause RCE or other malevolent ends. This vulnerability is not about a wormable global takedown of computers, but instead resourced attackers who own network transit points being able to modify communication streams at-will. Basically, nation-state APTs who routinely compromise foreign network infrastructure.
“The gravest impacts of this are established societal and industrial infrastructure. Bank communications. Infrastructure control. Heavy industry. This is a much different threat than is traditionally discussed or news consumers really understand the ramifications of. Basically if you wanted a skeleton key to attacking the United States and our highly developed infrastructure/systems, this would be what you’d come up with to put in a book about how it could be done. Extremely dangerously elegant…
Building Bridges
The disclosures by the intelligence agencies come after Microsoft’s president Brad Smith reacted with fury to the leaking of vulnerabilities in Microsoft software that were used by the NSA in offensive tools, then later leaked. Smith in 2017 wrote: “The WannaCrypt exploits… were drawn from the exploits stolen from the NSA, in the United States.”
He added at the time: “This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage.”
Since that time Five Eyes intelligence partners have put a significantly greater emphasis on transparency, GCHQ in late 2018 for example publishing an explanation of when it choose to sit on zero days, and when it chooses to disclose them.
Read this: Landmark GCHQ Publication Reveals Vulnerability Disclosure Process
Amit Yoran, Chairman and CEO at Tenable and Founding Director of the United States Computer Emergency Readiness Team (US-CERT) program in the U.S. Department of Homeland Security, said in an emailed comment: “For the US government to share its discovery of a critical vulnerability with a vendor is exceptionally rare.
“The fact that Microsoft provided a fix in advance to US Government and other customers which provide critical infrastructure is also highly unusual.
“These are clearly noteworthy shifts from regular practices and make this vulnerability worth paying attention to and also worth asking questions about. How long ago was the vulnerability discovered? How long did it take from discovery to reporting? Was it used by the NSA? What triggered the vendor disclosure? None of these questions change what organisations need to do at this point to protect themselves, but their answers might tell us a lot more about the environment we operate in.”