Threat Response: UPDATE: Vulnerability in Microsoft CryptoAPI (CVE-2020-0601)

17-01-2020

Last Tuesday, 14 January, we informed you about a new vulnerability in Windows related to the validation of (Elliptic Curve) certificates [1]. In the meantime, multiple sources have stated that they have found a working way to exploit the vulnerability [4][5].

In the earlier message, we discussed two main attack vectors:

  1. Setting up a webpage with an invalid certificate that Windows marks as valid. This tricks the user into thinking the connection is secure, for example because a green padlock is shown.
  2. Signing a malicious executable so that Windows marks its signature as valid and it is executed without any warnings.

For both attack vectors, a proof of concept has been published. We think there is a high probability that attackers will be able to set up an attack based on the information in the publicly available sources.

The Internet Storm Center (ISC) has provided a way to test whether an unsafe webpage is opened without warnings [5]. Note: a firewall may block the test traffic itself, so this test is not 100% reliable.

We have added a detection rule to our Northwave Detection Platform that inspects network traffic for possibly invalid certificates that try to exploit the vulnerability. This measure does not prevent an attack from succeeding. We therefore again strongly recommend installing the updates provided by Microsoft [3] as soon as possible to mitigate a successful attack.
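As an added illustration of what such a certificate check can look for (this is not Northwave's detection rule, whose logic is not published here), the example below flags DER-encoded certificates whose Elliptic Curve public key carries explicitly specified curve parameters instead of a named curve; the published CVE-2020-0601 forgeries depend on such explicit parameters, which certificates from public CAs practically never use. The sample byte strings are constructed AlgorithmIdentifier fragments, not real certificates.

```python
# Added example (not Northwave's detection rule): classify the ECParameters
# that follow the id-ecPublicKey OID in a DER blob. CVE-2020-0601 forgeries
# rely on explicit ("specifiedCurve") parameters; legitimate CA-issued
# certificates use a named curve, so "explicit" is worth an alert.

ID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")   # OID 1.2.840.10045.2.1
OID_TAG, NULL_TAG, SEQUENCE_TAG = 0x06, 0x05, 0x30


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value_start, value_end) of the DER TLV at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length encoding
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def ec_parameter_kind(der: bytes) -> str:
    """'named', 'implicit', 'explicit', or 'none' if there is no EC key."""
    marker = bytes([OID_TAG, len(ID_EC_PUBLIC_KEY)]) + ID_EC_PUBLIC_KEY
    idx = der.find(marker)
    if idx < 0:
        return "none"
    tag, _, _ = _read_tlv(der, idx + len(marker))   # the ECParameters TLV
    kinds = {OID_TAG: "named", NULL_TAG: "implicit", SEQUENCE_TAG: "explicit"}
    return kinds.get(tag, "unknown")


def is_suspicious(der: bytes) -> bool:
    """Detection verdict: explicit curve parameters warrant an alert."""
    return ec_parameter_kind(der) == "explicit"


# Constructed samples (AlgorithmIdentifier fragments only, not real certs):
P256_NAMED = bytes.fromhex("3013" "06072a8648ce3d0201" "06082a8648ce3d030107")
EXPLICIT_PARAMS = bytes.fromhex(
    "3010" "06072a8648ce3d0201"
    "3005" "020101" "0500")   # stand-in SEQUENCE where specifiedCurve would sit

if __name__ == "__main__":
    for name, blob in [("named P-256", P256_NAMED), ("explicit", EXPLICIT_PARAMS)]:
        print(f"{name}: {'ALERT' if is_suspicious(blob) else 'ok'}")
```

In practice the check would run over certificates extracted from TLS handshakes or from Authenticode signatures on downloaded executables; an alert means the certificate deserves manual inspection, not that an exploit has succeeded.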

If new critical information about this threat arises, we will reach out to you. If you need additional information, you can call us by phone or send us an email.

Phone number: +31 (0)30-303 1244 (during business hours)
E-mail: soc@northwave.nl
Do you have an incident right now? Call our CERT number: 0800-2255 2747

See the original post of January 14th, 2020:

THREAT RESPONSE: VULNERABILITY IN MICROSOFT CRYPTOAPI (CVE-2020-0601)

Disclaimer applies, see below.

Sources

[1]: https://northwave-security.com/threat-response-vulnerability-in-microsoft-cryptoapi-cve-2020-0601/

[2]: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601

[3]: https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/2020-Jan

[4]: https://research.kudelskisecurity.com/2020/01/15/cve-2020-0601-the-chainoffools-attack-explained-with-poc/

[5]: https://curveballtest.com/index.html

Disclaimer
Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.
