Delaware, USA – January 15, 2020 – It seems that in the past few days, news about this vulnerability has reached everyone, and not so much because of its severity but because the National Security Agency discovered it and reported it to Microsoft. Before this, the NSA kept information about such ‘discoveries’ for ‘internal use’; whether this initiative makes Windows more secure, time will tell. As for CVE-2020-0601 itself, the NSA issued a Cybersecurity Advisory, and DHS’s Cybersecurity and Infrastructure Security Agency published an Emergency Directive urging organizations to install the update on Windows 10, Windows Server 2016, and Windows Server 2019 systems as soon as possible.
“A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source. The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider,” Microsoft states.
NSA warns that advanced threat actors could exploit CVE-2020-0601 to intercept secure network communications: “The vulnerability places Windows endpoints at risk to a broad range of exploitation vectors. NSA assesses the vulnerability to be severe and that sophisticated cyber actors will understand the underlying flaw very quickly and, if exploited, would render the previously mentioned platforms as fundamentally vulnerable. The consequences of not patching the vulnerability are severe and widespread. Remote exploitation tools will likely be made quickly and widely available. Rapid adoption of the patch is the only known mitigation at this time and should be the primary focus for all network owners.”
In turn, SOC Prime released community rules that help security solutions detect the vulnerable CRYPT32.DLL library in your environment.
Detect Windows Critical Cryptographic Vulnerability (CVE-2020-0601) – https://tdm.socprime.com/tdm/info/LpXqfcpo52MK/
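The article describes detecting hosts that still carry the unpatched CRYPT32.DLL. As an added example that is not part of the original post or of SOC Prime’s rules, the PowerShell below does the two checks a defender would run locally: it reads the file version of `%SystemRoot%\System32\crypt32.dll` and compares it with a minimum fixed version, and it looks for the audit events the patched library writes when a spoofed certificate is rejected. The `$MinimumFixedVersion` value is a placeholder (the article does not list build numbers; take the real one for your OS build from Microsoft’s CVE-2020-0601 advisory), and the event provider name `Microsoft-Windows-Audit-CVE` with Event ID 1 is an assumption of this example.

```powershell
# Added example, not from the article or SOC Prime: report patch status of
# crypt32.dll on this host for CVE-2020-0601.
param(
    # PLACEHOLDER: substitute the fixed file version for your Windows build
    # from Microsoft's CVE-2020-0601 advisory before relying on the result.
    [version]$MinimumFixedVersion = [version]'0.0.0.0'
)

function Get-Crypt32Status {
    param([Parameter(Mandatory)][version]$MinimumFixedVersion)

    $path = Join-Path $env:SystemRoot 'System32\crypt32.dll'
    if (-not (Test-Path -LiteralPath $path)) {
        return [pscustomobject]@{ Path = $path; Present = $false; Version = $null; Patched = $null }
    }

    # FileVersionRaw carries the full servicing build number, which the
    # January 2020 update bumps; the string FileVersion can lag behind it.
    $fileVersion = [version](Get-Item -LiteralPath $path).VersionInfo.FileVersionRaw

    [pscustomobject]@{
        Path    = $path
        Present = $true
        Version = $fileVersion
        Patched = ($fileVersion -ge $MinimumFixedVersion)
    }
}

function Get-Crypt32AuditEvents {
    # Assumption of this example: the patched crypt32.dll logs rejected
    # spoofed certificates to the Application log under the
    # 'Microsoft-Windows-Audit-CVE' provider as Event ID 1, with the CVE id
    # in the message. An unpatched host never produces these events.
    try {
        Get-WinEvent -FilterHashtable @{
            LogName      = 'Application'
            ProviderName = 'Microsoft-Windows-Audit-CVE'
            Id           = 1
        } -ErrorAction Stop |
            Where-Object { $_.Message -match 'CVE-2020-0601' } |
            Select-Object TimeCreated, Id, MachineName, Message
    }
    catch {
        # Get-WinEvent throws when no matching events exist; treat as none.
        @()
    }
}

Get-Crypt32Status -MinimumFixedVersion $MinimumFixedVersion | Format-List
Get-Crypt32AuditEvents | Format-Table -AutoSize -Wrap
```

Run it from an elevated PowerShell session on each host you want to assess (the Application log is readable without elevation, but reading DLL metadata under `System32` on hardened builds may not be). A `Patched = $false` result, or any `Audit-CVE` event naming CVE-2020-0601 that you did not expect, is what the SOC Prime content above is meant to surface at scale; treat the event as evidence that something presented a forged ECC certificate to that machine and investigate the originating process or connection.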