
Microsoft Patch Tuesday for January 2020

Published: 2020-01-14
Last Updated: 2020-01-14 21:22:29 UTC
by Johannes Ullrich (Version: 1)

[Special Note: we will have a special webcast on this topic at noon ET tomorrow (Wednesday, January 15th). See https://sans.org/cryptoapi-isc ]

For January, we have three topics to pay attention to:

  1. Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601)
  2. Two "BlueKeep"-like vulnerabilities in RD Gateway (CVE-2020-0609 and CVE-2020-0610)
  3. This will be the last month Microsoft publishes free security updates for Windows 7

This month, Microsoft wasn't able to prevent information about these updates from leaking as it usually can. Information about one particular flaw, CVE-2020-0601, the "Windows CryptoAPI Spoofing Vulnerability," leaked as early as Friday.

CVE-2020-0601 has a significant impact on endpoint security. An attacker exploiting this vulnerability can make malicious code look like it was signed by a trusted source (for example, Microsoft). The flaw only affects Elliptic Curve Cryptography (ECC) certificates. ECC certificates, just like RSA certificates, use public/private key pairs. ECC is considered more modern and efficient: ECC keys are significantly shorter than RSA keys of equivalent strength. With ECC still being somewhat "new," many software publishers still use RSA certificates. But it appears that an attacker could spoof an entity that normally only uses RSA certificates by applying a spoofed ECC certificate to malicious software, because the code validating the certificate does not know which type of certificate a publisher uses.

According to an NSA press release about the issue, TLS is affected as well [1]. The flaw could be used to impersonate a valid website, including its TLS certificate, which would make phishing sites more convincing.

Only Windows 10 and Windows Server 2016 and later are affected by this flaw. In addition to fixing the flaw, Microsoft also added a function that logs an error if an exploit attempt is detected: the message "[CVE-2020-0601] cert validation" is written to the event log whenever a certificate that attempts to exploit the flaw is processed.
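The logged message above is the one detection hook the patch gives defenders, so it is worth having a script that hunts for it in bulk. The following is an added example written for this diary, not code from ISC or Microsoft. The diary states only the message text; the record layout (field names as PowerShell's Get-WinEvent exposes them), the provider name, the "Key: value" detail lines after the marker and all sample events are constructed assumptions.

```python
"""Hunt exported Windows Application-log events for the CVE-2020-0601 marker.

Added example, not code from ISC or Microsoft. The diary states only the
message text "[CVE-2020-0601] cert validation"; the record layout, the
provider name and every sample event below are constructed assumptions.
"""
import json
from collections import Counter

# Marker text stated in the diary; lines after it are treated as free-form detail.
MARKER = "[CVE-2020-0601] cert validation"

# Constructed sample export, shaped like a JSON dump of Application-log events.
# Two hosts carry the marker, one event is unrelated noise, and one mentions the
# CVE in passing without being the marker (must not match).
SAMPLE_EVENTS = [
    {"TimeCreated": "2020-01-15T09:12:01Z", "MachineName": "ws01", "Id": 1,
     "ProviderName": "Microsoft-Windows-Audit-CVE",  # assumed provider name
     "Message": MARKER + "\r\n\r\nSubject: CN=Example Vendor (constructed)\r\n"
                "Thumbprint: 0000000000000000000000000000000000000000 (constructed)"},
    {"TimeCreated": "2020-01-15T09:12:05Z", "MachineName": "ws01", "Id": 1000,
     "ProviderName": "Application Error",
     "Message": "Faulting application name: notepad.exe (constructed)"},
    {"TimeCreated": "2020-01-15T10:40:22Z", "MachineName": "srv02", "Id": 1,
     "ProviderName": "Microsoft-Windows-Audit-CVE",  # assumed provider name
     "Message": "[cve-2020-0601] CERT VALIDATION\r\n\r\nSubject: CN=Example Vendor (constructed)"},
    {"TimeCreated": "2020-01-15T11:00:00Z", "MachineName": "ws03", "Id": 19,
     "ProviderName": "Microsoft-Windows-WindowsUpdateClient",
     "Message": "Installation Successful: update addressing CVE-2020-0601 (constructed)"},
]


def is_cve_2020_0601_event(event):
    """True when the message carries the marker (case- and whitespace-tolerant)."""
    message = " ".join((event.get("Message") or "").split())
    return MARKER.lower() in message.lower()


def parse_details(message):
    """Turn the 'Key: value' lines that follow the marker into a dict.
    The key/value layout is a constructed assumption about the event body."""
    details = {}
    lines = message.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            details[key.strip()] = value.strip()
    return details


def find_exploit_attempts(events):
    """Return one flat record per marker event, ready for a ticket or SIEM alert."""
    hits = []
    for event in events:
        if not is_cve_2020_0601_event(event):
            continue
        hits.append({
            "time": event.get("TimeCreated"),
            "host": event.get("MachineName"),
            "provider": event.get("ProviderName"),
            "details": parse_details(event.get("Message") or ""),
        })
    return hits


def summarize_by_host(events):
    """Count marker events per host so noisy endpoints stand out."""
    return Counter(hit["host"] for hit in find_exploit_attempts(events))


def load_export(path):
    """Load a JSON array of event records from disk (layout as assumed above)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    for hit in find_exploit_attempts(SAMPLE_EVENTS):
        print(hit["time"], hit["host"], hit["details"].get("Subject", "?"))
    print(dict(summarize_by_host(SAMPLE_EVENTS)))
```

Two caveats when using this. The marker is only emitted by patched systems, so its absence on a host says nothing about whether that host is safe; inventory patch status separately. And if you search the live log with PowerShell's -like operator instead, remember that square brackets are wildcard character classes there, so match the literal marker with .Contains() or an escaped pattern rather than pasting the string as-is.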

How could this flaw be exploited? Here is a quick sample scenario of how it could be used to trick a user into installing malicious code:

  1. The attacker sends an email to the user. The attacker can use this flaw to create a valid signature for the email, indicating that it came from a trusted source (for example, a vendor).
  2. The user clicks on the link, and the attacker redirects the request to a malicious website via a man-in-the-middle attack. The attacker is able to create a fake website with a TLS certificate that appears to be valid.
  3. Malicious software is downloaded from the site. The attacker is able to create a valid code signing signature for it.
  4. The user, or endpoint protection software on the user's system, considers the software harmless due to the (fake) signature identifying a trusted vendor as the author.

Certificates are the basic mechanism used to verify the authenticity and integrity of content. Without them, an attacker can spoof arbitrary entities and make malicious content appear trusted.

How severe is this flaw? If you are having issues with your users enabling macros in Office documents they receive from untrusted sources, and if nothing blocks them from downloading and executing malware: don't worry. You are not validating signatures anyway. However, if you have an endpoint solution that blocks users from running untrusted code: you likely need to worry and should apply this patch quickly. The flaw is part of Microsoft's Crypto API (crypt32.dll). This library is used by pretty much all Windows software that deals with encryption and digital signatures, so the flaw is likely to affect a lot of third-party software as well, not just software written by Microsoft. Any software calling the "CertGetCertificateChain()" function in Crypto API should be considered vulnerable, which for example includes Google Chrome and many others.

At this point, I am not aware of a public exploit, but the advisory was made public minutes ago. Maybe we will know more by the end of the day. At this point, the vulnerability has not been exploited yet. It was found by the US National Security Agency (NSA), who reported the flaw to Microsoft.

But CVE-2020-0601 isn't the only vulnerability you should be worried about this month. CVE-2020-0609 and CVE-2020-0610 fix remote code execution vulnerabilities in the Windows Remote Desktop Gateway (RD Gateway). Remember BlueKeep? The RD Gateway is used to authenticate users and allow access to internal RDP services. As a result, RD Gateway is often exposed and is used to protect the actual RDP servers from exploitation.

Finally: this will be the last monthly patch for Windows 7.

[1] https://media.defense.gov/2020/Jan/14/2002234275/-1/-1/0/CSA-WINDOWS-10-CRYPT-LIB-20190114.PDF

Patch Tuesday Dashboard

Description | CVE | Disclosed | Exploited | Exploitability (old versions) | Exploitability (current version) | Severity | CVSS Base (AVG) | CVSS Temporal (AVG)
.NET Framework Remote Code Execution Injection Vulnerability | CVE-2020-0646 | No | No | - | - | Critical | - | -
.NET Framework Remote Code Execution Vulnerability | CVE-2020-0605 | No | No | - | - | Critical | - | -
.NET Framework Remote Code Execution Vulnerability | CVE-2020-0606 | No | No | - | - | Critical | - | -
ASP.NET Core Denial of Service Vulnerability | CVE-2020-0602 | No | No | Less Likely | Less Likely | Important | - | -
ASP.NET Core Remote Code Execution Vulnerability | CVE-2020-0603 | No | No | - | - | Critical | - | -
Hyper-V Denial of Service Vulnerability | CVE-2020-0617 | No | No | - | - | Important | 5.3 | 4.8
Internet Explorer Memory Corruption Vulnerability | CVE-2020-0640 | No | No | - | - | Critical | 7.5 | 6.7
Microsoft Cryptographic Services Elevation of Privilege Vulnerability | CVE-2020-0620 | No | No | - | - | Important | 7.8 | 7.0
Microsoft Dynamics 365 (On-Premise) Cross-Site Scripting Vulnerability | CVE-2020-0656 | No | No | - | - | Important | - | -
Microsoft Excel Remote Code Execution Vulnerability | CVE-2020-0650 | No | No | - | - | Important | - | -
Microsoft Excel Remote Code Execution Vulnerability | CVE-2020-0651 | No | No | - | - | Important | - | -
Microsoft Excel Remote Code Execution Vulnerability | CVE-2020-0653 | No | No | - | - | Important | - | -
Microsoft Graphics Component Information Disclosure Vulnerability | CVE-2020-0622 | No | No | - | - | Important | 5.5 | 5.0
Microsoft Graphics Components Information Disclosure Vulnerability | CVE-2020-0607 | No | No | - | - | Important | 5.5 | 5.0
Microsoft Office Memory Corruption Vulnerability | CVE-2020-0652 | No | No | - | - | Important | - | -
Microsoft Office Online Spoofing Vulnerability | CVE-2020-0647 | No | No | - | - | Important | - | -
Microsoft OneDrive for Android Security Feature Bypass Vulnerability | CVE-2020-0654 | No | No | - | - | Important | - | -
Microsoft Windows Denial of Service Vulnerability | CVE-2020-0616 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0
Microsoft Windows Elevation of Privilege Vulnerability | CVE-2020-0641 | No | No | - | - | Important | 7.8 | 7.0
Remote Desktop Client Remote Code Execution Vulnerability | CVE-2020-0611 | No | No | - | - | Critical | 7.5 | 6.7
Remote Desktop Web Access Information Disclosure Vulnerability | CVE-2020-0637 | No | No | - | - | Important | 5.7 | 5.1
Update Notification Manager Elevation of Privilege Vulnerability | CVE-2020-0638 | No | No | - | - | Important | 7.8 | 7.0
Win32k Elevation of Privilege Vulnerability | CVE-2020-0624 | No | No | - | - | Important | 7.8 | 7.0
Win32k Elevation of Privilege Vulnerability | CVE-2020-0642 | No | No | - | - | Important | 7.8 | 7.0
Win32k Information Disclosure Vulnerability | CVE-2020-0608 | No | No | - | - | Important | 5.5 | 5.0
Windows Common Log File System Driver Elevation of Privilege Vulnerability | CVE-2020-0634 | No | No | More Likely | More Likely | Important | 7.8 | 7.0
Windows Common Log File System Driver Information Disclosure Vulnerability | CVE-2020-0615 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0
Windows Common Log File System Driver Information Disclosure Vulnerability | CVE-2020-0639 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0
Windows CryptoAPI Spoofing Vulnerability | CVE-2020-0601 | No | No | More Likely | More Likely | Important | 8.1 | 7.3
Windows Elevation of Privilege Vulnerability | CVE-2020-0635 | No | No | - | - | Important | 7.8 | 7.0
Windows Elevation of Privilege Vulnerability | CVE-2020-0644 | No | No | - | - | Important | 7.8 | 7.0
Windows GDI+ Information Disclosure Vulnerability | CVE-2020-0643 | No | No | - | - | Important | 5.5 | 5.0
Windows Remote Desktop Gateway (RD Gateway) Denial of Service Vulnerability | CVE-2020-0612 | No | No | - | - | Important | 7.5 | 6.7
Windows Remote Desktop Gateway (RD Gateway) Remote Code Execution Vulnerability | CVE-2020-0609 | No | No | - | - | Critical | 9.8 | 8.8
Windows Remote Desktop Gateway (RD Gateway) Remote Code Execution Vulnerability | CVE-2020-0610 | No | No | - | - | Critical | 9.8 | 8.8
Windows Search Indexer Elevation of Privilege Vulnerability | CVE-2020-0613 | No | No | - | - | Important | 7.8 | 7.0
Windows Search Indexer Elevation of Privilege Vulnerability | CVE-2020-0614 | No | No | - | - | Important | 7.8 | 7.0
Windows Search Indexer Elevation of Privilege Vulnerability | CVE-2020-0623 | No | No | - | - | Important | 7.8 | 7.0
Windows Search Indexer Elevation of Privilege Vulnerability | CVE-2020-0625 | No | No | - | - | Important | 7.8 | 7.0
Windows Search Indexer Elevation of Privilege Vulnerability | CVE-2020-0626 | No | No | - | - | Important | 7.8 | 7.0
Windows Search Indexer Elevation of Privilege Vulnerability | CVE-2020-0627 | No | No | - | - | Important | 7.8 | 7.0
Windows Search Indexer Elevation of Privilege Vulnerability | CVE-2020-0628 | No | No | - | - | Important | 7.8 | 7.0
Windows Search Indexer Elevation of Privilege Vulnerability | CVE-2020-0629 | No | No | - | - | Important | 7.8 | 7.0
Windows Search Indexer Elevation of Privilege Vulnerability | CVE-2020-0630 | No | No | - | - | Important | 7.8 | 7.0
Windows Search Indexer Elevation of Privilege Vulnerability | CVE-2020-0631 | No | No | - | - | Important | 7.8 | 7.0
Windows Search Indexer Elevation of Privilege Vulnerability | CVE-2020-0632 | No | No | - | - | Important | 7.8 | 7.0
Windows Search Indexer Elevation of Privilege Vulnerability | CVE-2020-0633 | No | No | - | - | Important | 7.8 | 7.0
Windows Security Feature Bypass Vulnerability | CVE-2020-0621 | No | No | - | - | Important | 4.4 | 4.0
Windows Subsystem for Linux Elevation of Privilege Vulnerability | CVE-2020-0636 | No | No | - | - | Important | 7.8 | 7.0

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS Technology Institute