Microsoft CryptoAPI (CVE-2020-0601): NSA Warns of Critical Vulnerability

by Jeff Zacuto on January 15, 2020

Critical Flaw in the Cryptographic Library for Windows

On January 14, 2020, the NSA issued a Cybersecurity Advisory highlighting a vulnerability in Microsoft Windows 10 and Windows Server 2016/2019 (CVE-2020-0601). At issue is a critical cryptographic vulnerability in Microsoft devices whereby attackers could spoof a valid X.509 certificate chain on a vulnerable Windows system. Exploiting this vulnerability could, for example, allow an attacker to sign a malicious executable, making it appear the file was from a trusted, legitimate source. Additionally, an attacker can use this vulnerability to intercept and alter encrypted HTTPS traffic by leveraging a Man-In-The-Middle position and alter the digital signature provided in the established TLS connection.

This #PatchTuesday you are strongly encouraged to implement the recently released CVE-2020-0601 patch immediately. https://t.co/czVrSdMwCR pic.twitter.com/log6OU93cV
— NSA/CSS (@NSAGov) January 14, 2020

What’s Affected and What Happens?

The vulnerability affects Windows 10 and Windows Server 2016/2019 as well as applications that rely on Windows for trust functionality. Exploitation of the vulnerability could allow attackers to defeat trusted network connections and deliver executable code while appearing as legitimately trusted entities. This could possibly affect:

HTTPS connections
Signed files and emails
Signed executable code launched as user-mode processes

Mitigations

The only known mitigation is to apply Microsoft’s January 2020 Patch Tuesday patch with recommendation from the NSA to apply as quickly as possible. Patches can be found here.

The Windows Patch Challenge

Patching Windows machines is an extensive effort that takes time and resources under normal circumstances. While this alert drives the urgency and need for immediate response, many Windows 10 devices may have restrictions on updates and patching, further delaying mitigation efforts. For example, devices which have to be certified upon update, such as medical devices or clinical research devices. This also includes OT devices on production lines or in utilities running the affected versions of Windows.

How Armis Helps

As an agentless and passive device security platform, Armis is able to do the following:

Identify devices on your network that might be at risk from this attack
Identify devices being exploited by this vulnerability in real time (and secure them)
Use that information to to alert system administrators and initiate the workflows necessary to begin remediation via patching

Christopher Dobrec

VP, Product Marketing

As Vice President of Product Marketing, Chris is responsible for Armis’ product marketing strategy and vision. He is a seasoned product and business development executive leading teams through the development and marketing of exceptional products and cutting-edge technologies across enterprise and consumer market segments. Prior to Armis, Chris held executive management roles in product management, product marketing, and business development at MobileIron, Cisco, Nokia, Ipsilon Networks and Kalpana. Chris’ journey to Silicon Valley started after leaving college early to pursue his passion for building great products.