Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601): What You Need to Know

What is the CryptoAPI Spoofing Vulnerability? Who is impacted?

A flaw (CVE-2020-0601) has recently been found in the way the Microsoft Windows CryptoAPI performs certificate validation, allowing attackers to spoof X.509 vulnerabilities. This is core cryptographic functionality used by a number of different software components, with far-reaching impact ranging from programming languages to web browsers.

Affected products include:

• Windows 10 (all build numbers)
• Windows Server 2016
• Windows Server 2019

Older versions of Windows are not affected.

Analysis of CVE-2020-0601

The mitigation steps taken by Microsoft and others (e.g., Google Chrome) to detect and alert users to exploitation attempts are a welcome development for defenders and users. Windows Update services were not affected by this due to extended hardening in years past, showing that defense-in-depth is important for maintaining critical infrastructure.

As of Jan. 15, 2020, this vulnerability is not known to be exploited in the wild. However, proof-of-concept implementations are starting to emerge detailing how to create bogus certificates. Due to the nature of the vulnerability, exploit implementations have a low bar for usage, and Rapid7 researchers were able to easily replicate one of the proof-of-concept implementations. As this trend continues, unpatched systems will become attractive targets for attackers looking to attempt man-in-the-middle attacks. Users of affected systems will also be more susceptible to social engineering attacks, as malicious software packages can be code-signed in order to look legitimate.

This vulnerability also highlights a specification flaw that software projects should heed: Untested features are likely vulnerable features. Because this vulnerability is in an extremely seldom-used feature of the TLS specification that allows users to specify their own elliptical curves, it meant the feature was largely untested. Vulnerability hunters and defenders may be on the lookout for similar bugs in other TLS implementations in the future.

How to protect yourself from the Windows CryptoAPI spoofing vulnerability

Patches for this vulnerability are available as of Jan. 14, 2020. Microsoft strongly urges customers to immediately apply the relevant patches as outlined on their advisory page.

Rapid7 InsightVM customers can use an authenticated check (released on Jan. 15, 2020) to assess their exposure to this vulnerability and make informed decisions about risk in their environments.

Customers should also examine their Windows event logs for instances of the new CveEventWrite event, which indicates active exploitation of the vulnerability in an environment. In addition, the latest version of Google Chrome can also alert users to exploitation attempts being made to spoof websites.