A Vulnerability in the Microsoft Cryptographic Library CRYPT32.DLL Could Allow for Remote Code Execution

ITS ADVISORY NUMBER: 
2020-006 - UPDATED

DATE(S) ISSUED: 
Tuesday, January 14, 2020
DATE UPDATED: 
Friday, January 17, 2020

SUBJECT: 
A Vulnerability in the Microsoft Cryptographic Library CRYPT32.DLL Could Allow for Remote Code Execution

OVERVIEW: 
A vulnerability has been discovered in the Microsoft Cryptographic library CRYPT32.DLL, which could allow for remote code execution. CRYPT32.DLL is the module that implements many of the certificate and cryptographic messaging functions in the CryptoAPI, and it ships with the Windows and Windows Server operating systems. Successful exploitation of this vulnerability could allow attackers to compromise trusted network connections using spoofed certificates. This can be used to deliver malicious executable code under the pretense of a legitimately trusted entity, to carry out man-in-the-middle attacks, and to decrypt confidential information. Examples of potentially impacted services include HTTPS connections, signed emails and files, and user-mode processes launching signed executable code. This CVE is already included in ITS ADVISORY NUMBER: 2020-005, but due to its criticality we are highlighting it in its own advisory.

THREAT INTELLIGENCE: - UPDATED - January 17, 2020

On January 16, security researchers from Kudelski Security and Ollypwn published proof-of-concept (PoC) exploits for CVE-2020-0601 on GitHub. A third PoC exploit has reportedly been developed but was not released to the public.

SYSTEMS AFFECTED: 

  • Windows 10
  • Windows Server 2016, 2019
  • Applications that rely on Windows for trust (certificate validation) functionality

RISK:

Government:
Large and medium government entities: High
Small government entities: High

Business:
Large and medium business entities: High
Small business entities: High

Home Users: High

DESCRIPTION: 
A vulnerability has been discovered in the Microsoft Cryptographic library CRYPT32.DLL, which could allow for remote code execution. This spoofing vulnerability (CVE-2020-0601) exists because of the way Crypt32.dll validates Elliptic Curve Cryptography (ECC) certificates: when a certificate carries explicitly specified curve parameters, the library matches it against a cached trusted root by public key without verifying that those parameters (in particular the generator point) are the ones belonging to the root's curve. An attacker can therefore construct a certificate that presents a trusted root's public key together with a custom generator for which the attacker holds the corresponding private key, and use it to sign arbitrary leaf certificates or code. Successful exploitation could allow attackers to compromise trusted network connections using spoofed certificates to deliver malicious executable code under the pretense of a legitimately trusted entity, to carry out man-in-the-middle attacks, and to decrypt confidential information. Examples of potentially impacted services include HTTPS connections, signed emails and files, and user-mode processes launching signed executable code.
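
The key relation that makes the spoof possible, shown here on NIST P-256 as an added illustration that is not part of this advisory and is not the code of either published PoC. The trusted root's private key, the attacker's scalar and the leaf certificate body are constructed for the demonstration; `chain_check` is a simplified model of matching an issuer to a cached root by public key and then verifying with the parameters the issuer certificate itself carries (the pre-patch behaviour) versus additionally requiring those parameters to be the root's own (the corrected behaviour). The curve arithmetic and ECDSA are textbook and written inline so the example runs offline.

```python
"""Added illustration of the CVE-2020-0601 flaw class on NIST P-256 (not the
advisory's or the PoCs' code). Root key, attacker scalar and leaf are constructed."""
import hashlib
import secrets

# NIST P-256 domain parameters (standard values from FIPS 186-4).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def ec_add(p1, p2):
    """Affine addition on y^2 = x^3 + A*x + B over GF(P); None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def ecdsa_sign(priv, gen, msg):
    """Textbook ECDSA over the order-N group generated by `gen`."""
    z = int.from_bytes(hashlib.sha256(msg).digest(), "big") % N
    while True:
        k = secrets.randbelow(N - 1) + 1
        r = ec_mul(k, gen)[0] % N
        s = pow(k, -1, N) * (z + r * priv) % N
        if r and s:
            return (r, s)

def ecdsa_verify(pub, gen, msg, sig):
    """ECDSA verification using whatever generator the caller supplies."""
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    z = int.from_bytes(hashlib.sha256(msg).digest(), "big") % N
    w = pow(s, -1, N)
    pt = ec_add(ec_mul(z * w % N, gen), ec_mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r

# Constructed trust store: one root CA whose private key the attacker never learns.
ROOT_PRIV = 0x4d3c2b1a0f0e0d0c0b0a09080706050403020100ffeeddccbbaa998877665544
ROOT_PUB = ec_mul(ROOT_PRIV, G)
TRUSTED_ROOTS = [{"pub": ROOT_PUB, "generator": G}]

def forge_generator(root_pub, attacker_priv):
    """Pick G' with attacker_priv * G' == root_pub, i.e. G' = attacker_priv^-1 * root_pub.
    Scalars reduce mod N because root_pub has prime order N."""
    return ec_mul(pow(attacker_priv, -1, N), root_pub)

def chain_check(leaf_tbs, leaf_sig, issuer, trusted_roots, check_params):
    """Validate a leaf signed by `issuer`. The issuer is matched to the trust store by
    public key; with check_params=False (pre-patch model) the signature is then verified
    with the curve parameters the issuer certificate itself carries."""
    for root in trusted_roots:
        if issuer["pub"] != root["pub"]:
            continue
        if check_params and issuer["generator"] != root["generator"]:
            return False  # explicit parameters are not the root's named-curve parameters
        return ecdsa_verify(issuer["pub"], issuer["generator"], leaf_tbs, leaf_sig)
    return False

def demo():
    """Returns (pre_patch_result, post_patch_result) for one attacker-signed leaf."""
    attacker_priv = 0x1337  # any scalar in [1, N-1]; chosen by the attacker
    evil_gen = forge_generator(ROOT_PUB, attacker_priv)
    assert ec_mul(attacker_priv, evil_gen) == ROOT_PUB  # the forged key pair "is" the root
    spoofed_issuer = {"pub": ROOT_PUB, "generator": evil_gen}
    leaf_tbs = b"CN=update.example.invalid (constructed leaf certificate body)"
    leaf_sig = ecdsa_sign(attacker_priv, evil_gen, leaf_tbs)
    pre_patch = chain_check(leaf_tbs, leaf_sig, spoofed_issuer, TRUSTED_ROOTS, False)
    post_patch = chain_check(leaf_tbs, leaf_sig, spoofed_issuer, TRUSTED_ROOTS, True)
    return pre_patch, post_patch

if __name__ == "__main__":
    print("forged chain accepted: pre-patch=%s post-patch=%s" % demo())
```

`demo()` returns `(True, False)`: the same attacker-signed leaf passes the public-key-only match and fails once the issuer's generator must equal the root's. A real validator must reject, or compare in full, every explicit parameter (field, a, b, order, cofactor) rather than only the generator; this example checks the generator because it is the parameter the forgery manipulates.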

ACTIONS: 

  • After appropriate testing, rapid adoption of the patch is the only known mitigation at this time; it is paramount that all state, local, tribal, and territorial governments patch their respective systems.
  • Immediately apply patches or mitigations provided by Microsoft to vulnerable systems. Reboot the system after applying patches to complete remediation, since the update replaces the in-use CRYPT32.DLL.
  • After patching, monitor the Application event log for Event ID 1 from source Microsoft-Windows-Audit-CVE, which the updated library writes when it rejects a certificate that attempts to exploit this vulnerability; investigate the originating process and the certificate involved. Unpatched systems do not log this event, so its absence is not evidence of safety.
     

REFERENCES: 

Microsoft:
https://portal.msrc.microsoft.com/en-us/security-guidance
https://portal.msrc.microsoft.com/en-us/security-guidance/summary
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2...

NSA:
https://media.defense.gov/2020/Jan/14/2002234275/-1/-1/0/CSA-WINDOWS-10-...

CISA:
https://cyber.dhs.gov/ed/20-02/
https://www.us-cert.gov/ncas/alerts/aa20-014a

CVES:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0601

REFERENCES: - UPDATED - January 17, 2020
Threatpost:
https://threatpost.com/poc-exploits-published-for-microsoft-crypto-bug/1...

GitHub:
https://github.com/kudelskisecurity/chainoffools
https://github.com/ollypwn/CVE-2020-0601