Proof-of-Concept Exploit Code Now Publicly Available for Critical Microsoft CryptoAPI Spoofing Vulnerability (CVE-2020-0601)

Author: Jennifer Walker

Created: Thursday, January 16, 2020 - 16:49

Categories: Cybersecurity, General Security and Resilience, Security Preparedness

On Tuesday, Microsoft released a patch fixing a spoofing vulnerability (CVE-2020-0601) related to the Windows CryptoAPI (Crypt32.dll) and the way it validates Elliptic Curve Cryptography (ECC) certificates. The vulnerability affects Windows 10, Windows Server 2016, and Windows Server 2019. More information on the vulnerability disclosure can be found in the Security & Resilience Update for January 14, 2020.

At the time of the patch release, Microsoft and multiple federal agencies reported they were unaware of any exploitation or publicly available exploit code. However, in less than 24 hours, multiple cybersecurity researchers have developed proof-of-concept exploit code, with at least two versions being posted publicly. The existence of proof-of-concept exploit code in the wild increases the probability of malicious actors exploiting the vulnerability before patches are applied, even though exploitation is not entirely trivial to carry out. When exploited, CVE-2020-0601 would allow an attacker to launch man-in-the-middle (MitM) attacks and intercept and fake HTTPS connections, spoof signatures for files and emails, and spoof signed executable code launched inside Windows.

The importance of timely patching cannot be overstated, a point underscored by the recent Emergency Directive 20-02 from the U.S. Department of Homeland Security’s (DHS’s) Cybersecurity and Infrastructure Security Agency (CISA), which gives certain Executive Branch agencies ten days to implement the patch across their infrastructure. CISA also states, “Though this directive applies only to certain Executive Branch agencies, we strongly urge our partners in State and local government, the private sector, and the American public to apply this security update as soon as possible.”

In light of proof-of-concept code being in the wild, organizations unable to prioritize patching should isolate vulnerable systems from their network, as there is currently no remediation available for this vulnerability other than the patch. Read more about the proof-of-concept exploits at ZDNet and Ars Technica.
