Microsoft’s Security Updates for January 2020 (commonly known as Patch Tuesday) were released to the public on January 14. On Monday there were rumblings across the Twittersphere that a high-profile vulnerability would be addressed in today’s Patch Tuesday update. In their cumulative update, Microsoft addressed 50 CVEs, along with one notable vulnerability – CVE-2020-0601 (CryptoAPI Spoofing Vulnerability).
First discovered by the US National Security Agency (NSA) and disclosed to Microsoft, CVE-2020-0601 is a spoofing vulnerability that exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. This vulnerability allows a spoofed code-signing certificate to sign a malicious executable, causing the malware to be seen as originating from a trusted source. This has serious implications: the spoofed certificate appears to Windows to be legitimate and properly chained to a trusted root, allowing the signed malware to bypass endpoint AV and any other controls that whitelist trusted signed files.
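As an added illustration (not Fortinet's code and not part of the original post): CVE-2020-0601 concerns ECC certificates whose public key carries explicit curve parameters instead of a named-curve OID, a detail the post above does not spell out. The script below classifies a DER-encoded SubjectPublicKeyInfo on that basis, using constructed sample blobs, and is the kind of heuristic a defender can run over certificates collected from logs or disk.

```python
# Added example, not Fortinet's code. Legitimate CA and code-signing certificates
# identify their curve by OID; a certificate whose EC key instead carries an explicit
# ECParameters SEQUENCE is the shape CVE-2020-0601 abuses and is worth alerting on.

ID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")  # OID 1.2.840.10045.2.1
PRIME256V1 = bytes.fromhex("2a8648ce3d030107")      # OID 1.2.840.10045.3.1.7 (P-256)

def der(tag, body):
    """Encode one DER TLV; used only to build the constructed samples below."""
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_tlv(buf, pos=0):
    """Decode one DER TLV at pos -> (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(body):
    """List the (tag, value) elements inside a SEQUENCE body."""
    out, pos = [], 0
    while pos < len(body):
        tag, value, pos = der_tlv(body, pos)
        out.append((tag, value))
    return out

def ec_curve_kind(spki_der):
    """Return 'named', 'explicit', 'not-ec' or 'unknown' for a SubjectPublicKeyInfo."""
    _, spki, _ = der_tlv(spki_der)                     # outer SEQUENCE
    alg_id = der_children(spki)[0][1]                  # AlgorithmIdentifier body
    children = der_children(alg_id)
    if children[0] != (0x06, ID_EC_PUBLIC_KEY):
        return "not-ec"
    params_tag = children[1][0] if len(children) > 1 else None
    if params_tag == 0x06:                             # namedCurve OID
        return "named"
    return "explicit" if params_tag == 0x30 else "unknown"  # ECParameters SEQUENCE

# Constructed samples: a P-256 key with a named curve, and the same key with an
# abbreviated explicit ECParameters SEQUENCE in place of the curve OID.
FAKE_POINT = der(0x03, b"\x00\x04" + bytes(64))        # BIT STRING, uncompressed point
NAMED_SPKI = der(0x30, der(0x30, der(0x06, ID_EC_PUBLIC_KEY) + der(0x06, PRIME256V1)) + FAKE_POINT)
EXPLICIT_PARAMS = der(0x30, der(0x02, b"\x01"))        # version 1 only; real ones also carry field, a, b, G, n, h
EXPLICIT_SPKI = der(0x30, der(0x30, der(0x06, ID_EC_PUBLIC_KEY) + EXPLICIT_PARAMS) + FAKE_POINT)
```

The same walk applies to a full certificate after descending into tbsCertificate to reach its subjectPublicKeyInfo element.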
This vulnerability also allows for man-in-the-middle attacks and the decrypting of confidential information on affected software. While there have been no reports of known, in-the-wild attacks to date, it is safe to surmise that such exploits will appear after Patch Tuesday – a day commonly referred to as “Exploit Wednesday” by the Infosec community, describing the efforts to immediately begin reverse-engineering the available patches. It is also safe to assume that sophisticated threat actors will try to exploit this disclosure as soon as possible in order to take advantage of the widest possible gap between disclosure and patching. As a result, it is imperative that users and organizations prioritize patching this issue as soon as possible to avoid this first wave of exploits.
This vulnerability affects Windows 10, Windows Server 2016, and Windows Server 2019 platforms. Regarding available mitigation, if automatic updates are turned off, it is highly recommended to apply this month's update as soon as possible.
Immediately after the Microsoft and NSA announcement, Fortinet customers running the latest definitions set (15.757) were protected against CVE-2020-0601 with the following IPS signature:
We will continue to update this blog with any further relevant updates should they become available. For further information and guidance, please reference the Patch Critical Cryptographic Vulnerability in Microsoft Windows Clients and Servers advisory from the NSA.