It has come to our attention that there is a security risk that could affect some customers. It concerns a Windows CryptoAPI spoofing vulnerability in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates.
This means that an attacker could create a certificate that appears to be valid, bypassing proper validation against a trusted certificate authority. This could lead to further malicious activity, for example allowing the attacker to tamper with user connections, or to inject or modify data without detection.
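As an added triage example (not code from this advisory, Microsoft or the NSA): the NSA guidance linked under the references below treats ECC certificates whose SubjectPublicKeyInfo carries explicitly encoded curve parameters, rather than a named-curve OID, as suspicious, a detail the advisory text above does not spell out. The Python below walks the DER of a SubjectPublicKeyInfo and classifies its ECParameters; the sample inputs are constructed stubs, not real keys.

```python
# Added example, not from the advisory: classify the ECParameters of a DER
# SubjectPublicKeyInfo so ECC certs with explicit curve parameters stand out.
EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")  # OID 1.2.840.10045.2.1, ecPublicKey


def _tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def classify_ec_params(spki_der: bytes) -> str:
    """Return 'named_curve', 'explicit_params', 'implicit' or 'not_ec'."""
    tag, spki, _ = _tlv(spki_der, 0)            # SubjectPublicKeyInfo SEQUENCE
    alg_tag, alg, _ = _tlv(spki, 0)             # AlgorithmIdentifier SEQUENCE
    if tag != 0x30 or alg_tag != 0x30:
        raise ValueError("malformed SubjectPublicKeyInfo")
    oid_tag, oid, pos = _tlv(alg, 0)
    if oid_tag != 0x06:
        raise ValueError("algorithm must be an OBJECT IDENTIFIER")
    if oid != EC_PUBLIC_KEY:
        return "not_ec"
    if pos >= len(alg):                         # parameters field absent
        return "implicit"
    ptag, _, _ = _tlv(alg, pos)                 # ECParameters CHOICE
    if ptag == 0x06:                            # namedCurve OID: the benign form
        return "named_curve"
    if ptag == 0x30:                            # specifiedCurve SEQUENCE: suspicious
        return "explicit_params"
    if ptag == 0x05:                            # implicitlyCA NULL
        return "implicit"
    raise ValueError(f"unexpected ECParameters tag 0x{ptag:02x}")


def _der(tag: int, body: bytes) -> bytes:
    """Minimal short-form DER encoder, enough for the constructed samples."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body


# Constructed sample inputs, not real keys: the BIT STRING is a placeholder point.
_POINT = _der(0x03, b"\x00\x04\x2a")
SPKI_NAMED = _der(0x30, _der(0x30, _der(0x06, EC_PUBLIC_KEY)
                             + _der(0x06, bytes.fromhex("2a8648ce3d030107"))) + _POINT)  # prime256v1
SPKI_EXPLICIT = _der(0x30, _der(0x30, _der(0x06, EC_PUBLIC_KEY)
                                + _der(0x30, _der(0x02, b"\x01"))) + _POINT)  # version-only stub
SPKI_RSA = _der(0x30, _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101"))
                           + _der(0x05, b"")) + _POINT)  # rsaEncryption, NULL params
```

Running `classify_ec_params` over the leaf and intermediate SubjectPublicKeyInfo of each chain gives a quick way to separate named-curve certificates from the explicit-parameter form that warrants closer review.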
Microsoft has released a high-level security advisory stating that a critical CryptoAPI spoofing vulnerability exists in the following operating systems:
• This vulnerability affects all machines running 32- or 64-bit Windows 10 operating systems, including Windows Server versions 2016 and 2019.
Currently, “this vulnerability allows Elliptic Curve Cryptography (ECC) certificate validation to bypass the trust store, enabling unwanted or malicious software to masquerade as authentically signed by a trusted or trustworthy organisation. This could deceive users or thwart malware detection methods such as antivirus. Additionally, a maliciously crafted certificate could be issued for a hostname that did not authorize it, and a browser that relies on Windows CryptoAPI would not issue a warning, allowing an attacker to decrypt, modify, or inject data on user connections without detection.”[1]
Microsoft has already released software fixes to address this vulnerability as part of their monthly Patch Tuesday. We advise that you patch the affected machines as soon as possible by installing all January 2020 patches, which mitigate the vulnerability on all Windows 10 and Windows Server 2016/2019 systems.
How do I Remediate?
Apply the relevant patch from the below links:
• https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601
Prioritise patching by starting with mission-critical systems, internet-facing systems, and networked servers. Organisations should then prioritise patching other affected IT/OT assets.
Release Notes available here:
• https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/2020-Jan
References:
[1] Alert (AA20-014A), Critical Vulnerabilities in Microsoft Windows Operating Systems. Available from:
Further reading on detection measures, provided by the National Security Agency (NSA):
https://media.defense.gov/2020/Jan/14/2002234275/-1/-1/0/CSA-WINDOWS-10-CRYPT-LIB-20190114.PDF
How Can Ward Help?
If you would like additional information or would like support in assessing and protecting your environment, please contact us.