Last Updated: 2020-01-14 21:22:29 UTC
by Johannes Ullrich (Version: 1)
[Special Note: we will have a special webcast on this topic at noon ET tomorrow (Wednesday, January 15th. See https://sans.org/cryptoapi-isc )
For January, we do have three topics to pay attention to:
- Windows CryptoAPI Spoofing Vulnerability (%CVE:2020-0601%)
- Two "BlueKeep" Like vulnerabilities in RD Gateway (%CVE:2020-0609% and %CVE:2020-0610%)
- This will be the last month Microsoft will publish free security updates for Windows 7
This month, Microsoft wasn't able to prevent information about these updates from leaking as it usually can. Information about one particular flaw, %CVE:2020-0601%, the "Windows CryptoAPI Spoofing Vulnerability," was leaked as early as Friday.
CVE-2020-0601 has a significant impact on endpoint security. An attacker exploiting this vulnerability will be able to make malicious code look like it was signed by a trusted source (for example, Microsoft). The flaw only affects Elliptic Curve Cryptography (ECC) certificates. ECC, just like RSA certificates, use public/private keys. ECC is considered more modern and efficient. ECC keys are significantly shorter than RSA keys of equivalent strength. With ECC still being somewhat "new," many software publishers still use RSA certificates. But it appears to be possible that an attacker could spoof an entity that usually only uses RSA certificates by applying a spoofed ECC certificate to malicious software. The code validating the certificate doesn't know which type of certificate a publisher uses.
According to an NSA press release about the issue, TLS is affected as well . A website could use this flaw to impersonate a valid website (including TLS certificate). This could be used for more convincing phishing sites.0
Only Windows 10 and Windows Server 2016 and later are affected by this flaw. In addition to fixing the flaw, Microsoft also added a function to log an error if an exploit attempt is detected. The error message "[CVE-2020-0601] cert validation" will be logged to the event log if a certificate is processed that attempts to exploit the flaw.
How could this flaw be exploited? Let's look at a quick sample scenario how this flaw could be used to trick a user to install malicious code:
- The attacker sends an email to the user. The attacker can use this flaw to create a valid signature for the email indicating that it came from a trusted source (for example a vendor).
- The user clicks on the link, and the attacker will redirect the request to a malicious website via a man in the middle attack. The attacker would be able to create a fake website with a TLS certificate that appears to be valid.
- Malicious software will be downloaded from the site. The attacker will be able to create a valid code signing signature.
- The user, or endpoint protection software on the user's system, will consider the software harmless due to the (fake) signature identifying a trusted vendor as the author.
Certificates are the based mechanism used to verify the authenticity and integrity of the content. Without it, an attacker can spoof arbitrary entities and make malicious content appear trusted.
How severe is this flaw? If you are having issues with your users enabling macros in Office documents they receive from untrusted sources and if nothing blocks them from downloading and execute malware: Don't worry. You are not validating signatures anyway. However, if you have an endpoint solution that blocks users from running untrusted code: You likely need to worry and apply this patch quickly. The flaw is part of Microsoft's Crypto API (crypt32.dll). This library is used by pretty much all Windows software that deals with encryption and digital signatures. This flaw is likely going to affect a lot of third party software as well, not just software written by Microsoft. Any software calling the "CertGetCertificateChain()" function in Crypto API should be considered vulnerable, which for example includes Google Chrome and many others.
At this point, I am not aware of a public exploit, but the advisory was made public minutes ago. Maybe we will know more by the end of the day. At this point, the vulnerability has not been exploited yet. It was found by the US National Security Agency (NSA), who reported the flaw to Microsoft.
But %CVE:2020-0601% isn't the only vulnerability you should be worried about this month. %CVE:2020-0609% and %CVE:2020-0610% are fixing remote code execution vulnerabilities in the Windows Remote Desktop Gateway (RD Gateway). Remember BlueKeep? The RD Gateway is used to authenticate users and allow access to internal RDP services. As a result, RD Gateway is often exposed and used to protect the actual RDP servers from exploitation.
Finally: This will be the last monthly patch for Windows 7.
|CVE||Disclosed||Exploited||Exploitability (old versions)||current version||Severity||CVSS Base (AVG)||CVSS Temporal (AVG)|
|.NET Framework Remote Code Execution Injection Vulnerability|
|.NET Framework Remote Code Execution Vulnerability|
|ASP.NET Core Denial of Service Vulnerability|
|CVE-2020-0602||No||No||Less Likely||Less Likely||Important|
|ASP.NET Core Remote Code Execution Vulnerability|
|Hyper-V Denial of Service Vulnerability|
|Internet Explorer Memory Corruption Vulnerability|
|Microsoft Cryptographic Services Elevation of Privilege Vulnerability|
|Microsoft Dynamics 365 (On-Premise) Cross-Site Scripting Vulnerability|
|Microsoft Excel Remote Code Execution Vulnerability|
|Microsoft Graphics Component Information Disclosure Vulnerability|
|Microsoft Graphics Components Information Disclosure Vulnerability|
|Microsoft Office Memory Corruption Vulnerability|
|Microsoft Office Online Spoofing Vulnerability|
|Microsoft OneDrive for Android Security Feature Bypass Vulnerability|
|Microsoft Windows Denial of Service Vulnerability|
|CVE-2020-0616||No||No||Less Likely||Less Likely||Important||5.5||5.0|
|Microsoft Windows Elevation of Privilege Vulnerability|
|Remote Desktop Client Remote Code Execution Vulnerability|
|Remote Desktop Web Access Information Disclosure Vulnerability|
|Update Notification Manager Elevation of Privilege Vulnerability|
|Win32k Elevation of Privilege Vulnerability|
|Win32k Information Disclosure Vulnerability|
|Windows Common Log File System Driver Elevation of Privilege Vulnerability|
|CVE-2020-0634||No||No||More Likely||More Likely||Important||7.8||7.0|
|Windows Common Log File System Driver Information Disclosure Vulnerability|
|CVE-2020-0615||No||No||Less Likely||Less Likely||Important||5.5||5.0|
|CVE-2020-0639||No||No||Less Likely||Less Likely||Important||5.5||5.0|
|Windows CryptoAPI Spoofing Vulnerability|
|CVE-2020-0601||No||No||More Likely||More Likely||Important||8.1||7.3|
|Windows Elevation of Privilege Vulnerability|
|Windows GDI+ Information Disclosure Vulnerability|
|Windows Remote Desktop Gateway (RD Gateway) Denial of Service Vulnerability|
|Windows Remote Desktop Gateway (RD Gateway) Remote Code Execution Vulnerability|
|Windows Search Indexer Elevation of Privilege Vulnerability|
|Windows Security Feature Bypass Vulnerability|
|Windows Subsystem for Linux Elevation of Privilege Vulnerability|