January 16, 2020
On Tuesday, Microsoft released a patch fixing a spoofing vulnerability (CVE-2020-0601) related to the Windows CryptoAPI (Crypt32.dll) and the way it validates Elliptic Curve Cryptography (ECC) certificates. The vulnerability affects Windows 10, Windows Server 2016, and Windows Server 2019. More information on the vulnerability disclosure can be found in the Security & Resilience Update for January 14, 2020.
At the time of the patch release, Microsoft and multiple federal agencies reported they were unaware of any exploitation or publicly available exploit code. However, in less than 24 hours, multiple cybersecurity researchers developed proof-of-concept exploit code, with at least two versions posted publicly. The existence of proof-of-concept exploit code in the wild, while not entirely trivial to carry out, increases the probability of malicious actors exploiting the vulnerability before patches are applied. When exploited, CVE-2020-0601 would allow an attacker to launch man-in-the-middle (MitM) attacks that intercept and fake HTTPS connections, spoof signatures on files and emails, and spoof signed executable code launched inside Windows.
The importance of timely patching cannot be overstated, as underscored by the recent Emergency Directive 20-02 from the U.S. Department of Homeland Security's (DHS's) Cybersecurity and Infrastructure Security Agency (CISA), which gives certain Executive Branch agencies ten days to implement the patch across their infrastructure. CISA also states, "Though this directive applies only to certain Executive Branch agencies, we strongly urge our partners in State and local government, the private sector, and the American public to apply this security update as soon as possible."
In light of proof-of-concept code being in the wild, organizations unable to prioritize patching should isolate vulnerable systems from their network, as there is currently no remediation for this vulnerability other than the patch. Read more about the proof-of-concept exploits at ZDNet and ArsTechnica.
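Both entries on this page come down to two operational questions for a Windows 10, Windows Server 2016 or Windows Server 2019 host: is the January 2020 patch installed, and if so, has the patched CryptoAPI already rejected a certificate that attempted the CVE-2020-0601 spoof? The PowerShell script below is an added example, not code from the page or from Microsoft or CISA. It assumes two things the page does not state: that the January 2020 update adds an "Audit-CVE" event source that writes Event ID 1 to the Application log when crypt32.dll rejects such a certificate (the script matches on the message text rather than on an exact provider name, which is an assumption to confirm against Microsoft's release notes for the update), and that the caller supplies the KB article number of the cumulative update for the host's build, for which `KB<placeholder>` stands in.

```powershell
# Added example (not part of the original advisory): a defender-side check for
# CVE-2020-0601 on a Windows 10 / Server 2016 / Server 2019 host.
#
# Assumptions (not stated on the page):
#   - The January 2020 update adds an "Audit-CVE" event source that writes
#     Event ID 1 to the Application log whenever crypt32.dll rejects a
#     certificate attempting the CVE-2020-0601 spoof. The exact provider name
#     is not relied on; the filter matches on the message text instead.
#   - $PatchKB is a placeholder; substitute the KB number of the January 2020
#     cumulative update for the host's Windows build.

param(
    [string]$PatchKB = 'KB<placeholder>',
    [int]$LookbackDays = 7
)

function Test-Cve20200601Patch {
    param([string]$KB)
    # Get-HotFix lists installed updates; a missing KB means the host is still exposed
    # and, per the advisory, should be isolated if it cannot be patched promptly.
    $fix = Get-HotFix -ErrorAction SilentlyContinue | Where-Object { $_.HotFixID -eq $KB }
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        PatchKB      = $KB
        Installed    = [bool]$fix
        InstalledOn  = if ($fix) { $fix.InstalledOn } else { $null }
    }
}

function Get-Cve20200601Detection {
    param([int]$Days)
    # Only a patched host can log these events. On an unpatched host this returns
    # nothing, which is absence of evidence rather than evidence of absence.
    $since = (Get-Date).AddDays(-$Days)
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 1; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -like '*Audit-CVE*' -and $_.Message -like '*CVE-2020-0601*' } |
        Select-Object TimeCreated, ProviderName, Id, Message
}

$status = Test-Cve20200601Patch -KB $PatchKB
$status | Format-List

if (-not $status.Installed) {
    Write-Warning "Patch $PatchKB not found: treat this host as vulnerable and isolate it if it cannot be patched promptly."
}

$hits = @(Get-Cve20200601Detection -Days $LookbackDays)
if ($hits.Count -gt 0) {
    Write-Warning "$($hits.Count) CVE-2020-0601 certificate-validation event(s) in the last $LookbackDays day(s); review where those certificates came from."
    $hits | Format-Table -AutoSize -Wrap
} else {
    "No Audit-CVE events for CVE-2020-0601 in the last $LookbackDays day(s)."
}
```

Run it as an administrator on each host (or wrap it in `Invoke-Command` for a fleet), passing the real KB number with `-PatchKB`. The two functions are deliberately separate: the patch check drives the isolate-or-patch decision the advisory calls for, while the event check is only meaningful once the patch is present, since an unpatched crypt32.dll accepts the spoofed certificate silently and logs nothing.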
January 14, 2020
The U.S. Department of Homeland Security's (DHS's) Cybersecurity and Infrastructure Security Agency (CISA) is strongly encouraging Microsoft users to quickly patch recently discovered critical vulnerabilities that affect the Windows CryptoAPI and the Windows Remote Desktop Protocol (RDP) server and client. An attacker could remotely exploit these vulnerabilities to decrypt, modify, or inject data on user connections. The potential impacts could be severe, including temporary or permanent loss of sensitive or proprietary information, disruption to regular operations, financial losses relating to restoring systems and files, and potential harm to an organization's reputation. Read the alert at CISA.
The specific vulnerabilities are the "CryptoAPI spoofing vulnerability" (CVE-2020-0601) and "Multiple Windows RDP vulnerabilities" (CVE-2020-0609, CVE-2020-0610, and CVE-2020-0611). Microsoft patched the vulnerabilities today as part of its January 2020 Security Updates announcement. CISA strongly recommends that organizations install these critical patches as soon as possible and suggests they prioritize patching by starting with mission-critical systems, internet-facing systems, and networked servers. Organizations should then prioritize patching other affected information technology/operational technology (IT/OT) assets. At this time, CISA reports it is unaware of active exploitation of these vulnerabilities. However, because the patches have been publicly released, the underlying vulnerabilities can be reverse-engineered to create exploits that target unpatched systems.
Underscoring the importance of addressing these vulnerabilities, DHS CISA has also released an Emergency Directive mandating that Executive Branch departments and agencies implement the patches on all affected endpoints on information systems within 10 business days. In instances where these endpoints cannot be patched within this time, CISA advises agencies to remove them from their networks (this Emergency Directive does not apply to state and local governments and the private sector, but CISA still encourages these entities to implement the patches as soon as possible). The National Security Agency has also published a cybersecurity advisory regarding these vulnerabilities and, similar to DHS CISA, recommends installing the patches as soon as possible.