Addressing Microsoft’s January 2020 Security Update for CVE-2020-0601

By FortiGuard SE Team | January 15, 2020

Microsoft’s Security Updates for January 2020 (commonly known as Patch Tuesday) were released to the public on January 14. On Monday there were rumblings across the Twittersphere that a high-profile vulnerability would be addressed in today’s Patch Tuesday update. In this cumulative update, Microsoft addressed 50 CVEs, along with one notable vulnerability: CVE-2020-0601 (CryptoAPI Spoofing Vulnerability).

CVE-2020-0601 Details

First discovered by the US National Security Agency (NSA) and disclosed to Microsoft, CVE-2020-0601 is a spoofing vulnerability in the way the Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. It allows a spoofed code-signing certificate to sign a malicious executable so that the malware appears to originate from a trusted source. This has serious implications: because the certificate appears to Windows as legitimate and properly chained, the signed file can bypass endpoint antivirus and any other control that whitelists trusted signed files.
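The NSA advisory referenced at the end of this post notes that the tell-tale sign of a certificate crafted against this flaw is an EC public key whose curve is spelled out as explicit parameters (prime, coefficients, base point, order) rather than referenced by a named-curve OID, which is the encoding the unpatched CryptoAPI failed to compare against the trusted root. The following script is an added example, not Fortinet's or Microsoft's code: it walks a DER certificate with a stand-alone ASN.1 reader (no third-party libraries) and flags explicit EC parameters. The two sample certificates it builds are constructed, unsigned skeletons with filler key material, labelled as such in the code; their only purpose is to exercise the named-curve and explicit-parameter branches.

```python
# Added example (not Fortinet's or Microsoft's code): flag X.509 certificates whose
# EC public key carries explicit curve parameters instead of a named-curve OID.
# Stand-alone DER walker; the sample certificates below are constructed skeletons.

ID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"
ECDSA_WITH_SHA256 = "1.2.840.10045.4.3.2"
PRIME_FIELD = "1.2.840.10045.1.1"
NAMED_CURVES = {
    "1.2.840.10045.3.1.7": "prime256v1 (P-256)",
    "1.3.132.0.34": "secp384r1 (P-384)",
    "1.3.132.0.35": "secp521r1 (P-521)",
}


def read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(value):
    """Yield (tag, value) for each element of a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val


def decode_oid(value):
    """Dotted-string form of a DER OBJECT IDENTIFIER body."""
    first = value[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    n = 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))


def tlv(tag, value):
    """Minimal DER encoder, used only to build the constructed samples."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def encode_oid(dotted):
    """DER OBJECT IDENTIFIER (tag, length and body) for a dotted OID string."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.insert(0, 0x80 | (arc & 0x7F))
        out.extend(chunk)
    return tlv(0x06, bytes(out))


def find_spki(cert_der):
    """Certificate -> tbsCertificate -> subjectPublicKeyInfo (SEQUENCE body)."""
    _, cert, _ = read_tlv(cert_der, 0)
    _, tbs, _ = read_tlv(cert, 0)
    fields = list(children(tbs))
    if fields[0][0] == 0xA0:                            # optional EXPLICIT [0] version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][1]


def inspect_spki(spki):
    """Classify the key: named EC curve, explicit EC parameters, or non-EC."""
    _, alg, _ = read_tlv(spki, 0)                       # AlgorithmIdentifier
    alg_fields = list(children(alg))
    if decode_oid(alg_fields[0][1]) != ID_EC_PUBLIC_KEY:
        return {"ec": False, "explicit_params": False, "curve": None}
    ptag, pval = alg_fields[1]
    if ptag == 0x06:                                    # namedCurve OBJECT IDENTIFIER
        oid = decode_oid(pval)
        return {"ec": True, "explicit_params": False, "curve": NAMED_CURVES.get(oid, oid)}
    if ptag == 0x30:                                    # ECParameters spelled out
        return {"ec": True, "explicit_params": True, "curve": "explicit"}
    return {"ec": True, "explicit_params": False, "curve": "implicit/absent"}


def is_suspicious(cert_der):
    """True when the certificate's EC key uses explicit curve parameters."""
    return inspect_spki(find_spki(cert_der))["explicit_params"]


NAMED_P256_PARAMS = encode_oid("1.2.840.10045.3.1.7")

# Constructed ECParameters skeleton with filler values: the detector keys on the
# SEQUENCE encoding, not on the field prime, coefficients, base point or order.
EXPLICIT_PARAMS = tlv(0x30,
    tlv(0x02, b"\x01")                                                  # version 1
    + tlv(0x30, encode_oid(PRIME_FIELD) + tlv(0x02, b"\x7f"))           # fieldID {prime-field, p}
    + tlv(0x30, tlv(0x04, b"\x01") + tlv(0x04, b"\x02"))                # curve {a, b}
    + tlv(0x04, b"\x04\x05\x06")                                        # base point
    + tlv(0x02, b"\x7d"))                                               # order


def constructed_cert(alg_params):
    """Unsigned certificate skeleton (constructed sample, not a valid certificate)."""
    spki = tlv(0x30, tlv(0x30, encode_oid(ID_EC_PUBLIC_KEY) + alg_params)
                     + tlv(0x03, b"\x00\x04" + b"\x11" * 64))           # filler public key
    tbs = tlv(0x30,
        tlv(0xA0, tlv(0x02, b"\x02"))                                   # version v3
        + tlv(0x02, b"\x01")                                            # serialNumber
        + tlv(0x30, encode_oid(ECDSA_WITH_SHA256))                      # signature algorithm
        + tlv(0x30, b"")                                                # issuer (empty Name)
        + tlv(0x30, tlv(0x17, b"200101000000Z") + tlv(0x17, b"300101000000Z"))
        + tlv(0x30, b"")                                                # subject (empty Name)
        + spki)
    return tlv(0x30, tbs + tlv(0x30, encode_oid(ECDSA_WITH_SHA256)) + tlv(0x03, b"\x00"))


if __name__ == "__main__":
    for label, params in (("named curve", NAMED_P256_PARAMS), ("explicit params", EXPLICIT_PARAMS)):
        cert = constructed_cert(params)
        print(label, inspect_spki(find_spki(cert)), "SUSPICIOUS" if is_suspicious(cert) else "ok")
```

To run it against real material, feed `is_suspicious()` the DER bytes of any certificate pulled from a signed binary or a TLS handshake; a named curve reports as `ok`, explicit parameters report as `SUSPICIOUS`. The check is deliberately conservative: explicit parameters are rare in legitimate deployments, so every hit deserves a manual look rather than being treated as proof of exploitation.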

The vulnerability also enables man-in-the-middle attacks and the decryption of confidential information handled by affected software. While there have been no reports of in-the-wild attacks to date, it is safe to surmise that exploits will appear after Patch Tuesday, on the day the infosec community commonly refers to as “Exploit Wednesday” because of the rush to reverse-engineer newly available patches. It is also safe to assume that sophisticated threat actors will try to exploit this disclosure as soon as possible in order to take advantage of the widest possible gap between disclosure and patching. As a result, it is imperative that users and organizations prioritize patching this issue as soon as possible to avoid this first wave of exploits.

This vulnerability affects Windows 10, Windows Server 2016, and Windows Server 2019. As for mitigation, if automatic updates are turned off it is highly recommended to apply this month's update as soon as possible.

Fortinet Solution

Immediately after the Microsoft and NSA announcement, Fortinet customers running the latest definitions set (15.757) were protected against CVE-2020-0601 by the following IPS signature:

MS.Windows.CryptoAPI.ECC.Certificate.Spoofing

We will continue to update this blog with any further relevant updates should they become available. For further information and guidance, please refer to the NSA advisory Patch Critical Cryptographic Vulnerability in Microsoft Windows Clients and Servers.
