Microsoft kicked off its first Patch Tuesday of 2020 by fixing a potentially serious spoofing vulnerability in a cryptographic component for Windows that was discovered by the National Security Agency.
The vulnerability exists in the way the CryptoAPI (Crypt32.dll) component in the Windows operating system validates Elliptic Curve Cryptography (ECC) certificates (CVE-2020-0601), Microsoft said. Digital signatures are used to indicate software is authentic and has not been modified. By exploiting this flaw, an attacker could potentially sign malicious files using a spoofed code-signing certificate and make it appear to come from a trusted source.
“The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider,” Microsoft said.
The flaw can be used to intercept and modify HTTPS (or TLS) communications, CERT-CC, the vulnerability disclosure center at Carnegie Mellon University, said in its advisory. This could lead to man-in-the-middle attacks to intercept sensitive information.
The issue impacts Windows 10, Windows Server 2016, and Windows Server 2019, as well as applications that rely on Windows for trust functionality—such as web browsers—by using CryptoAPI. Windows 7, Windows 8, and earlier versions are not affected.
The library is used by pretty much all Windows software that deals with encryption and digital signatures, which means third-party software will also be impacted, said Johannes Ullrich of the SANS Technology Institute. “If you have an endpoint solution that blocks users from running untrusted code: You likely need to worry and apply this patch quickly,” said Ullrich.
"We have not seen any evidence that this technique has been used in the wild," Microsoft said. "As always we encourage customers to install all security updates as soon as possible.”
How Bad Is It?
There is a bit of a disconnect on the severity of the flaw. Microsoft categorized the vulnerability “important” and rated as level one or "exploitation more likely," while the NSA described the vulnerability as critical. The government agency said that vulnerability, if exploited, could impact trust in HTTPS connections, signed files and emails, and signed executable code.
“NSA assesses the vulnerability to be severe and that sophisticated cyber actors will understand the underlying flaw very quickly and, if exploited, would render the previously mentioned platforms as fundamentally vulnerable. The consequences of not patching the vulnerability are severe and widespread. Remote exploitation tools will likely be made quickly and widely available,” the NSA said in its advisory.
The difference in severity is a matter of definition. Microsoft considers flaws that can be exploited with no user interaction as “critical.” Since this flaw requires some kind of user interaction to be exploited, it was assigned the second hightest category.
Remote code execution cannot be achieved directly through CVE-2020-0601. What could happen: Once trusted communication channels like automatic update downloads and non-validated input between systems have been compromised, an attacker would be able to use a different component to trigger remote code execution. This could be particularly dangerous in industries that rely on a trusted network infrastructure, such as banking communications and transportation systems.
It is an indicator of how seriously government officials are taking the issue that the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency issued an emergency directive instructing federal agencies to patch their systems immediately within 10 days.
“We do not issue emergency directives unless we have carefully and collaboratively assessed it to be necessary,” CISA wrote in a blog post accompanying the directive. This is only the second time CISA has ever issued an emergency directive. “But left unpatched, these vulnerabilities hit at the core of digital trust, and pose an unacceptable risk to the Federal enterprise that require an immediate and emergency action.”
NSA’s Motives
The fact that the NSA notified Microsoft of the vulnerability instead of adding it to its stockpile of exploits to use in offensive operations is unusual enough there is some question about the government agency’s motives. The disclosure could be an attempt at rebranding and polishing up its reputation—especially after Microsoft president Brad Smith criticized the government in 2017 for weaponizing EternalBlue instead of disclosing it. EternalBlue was leaked in the ShadowBrokers dump, and used in the WannaCry attacks.
It could be that NSA already had similar exploits and didn’t really need this one. It could also be that the agency sees a potential attack that could cause so much damage that the dangers outweigh any advantages from keeping the vulnerability to itself.
It could be that once the agency's experts realized how this flaw could be exploited, they realized how unprepared the home team (the United States) would be if another country was able to use the vulnerability. The thing about cyberweapons is that once used, they can be copied and pasted and used again by anyone else. Rising tensions means more cyberattacks. Disclosing the vulnerability could be a critical step in shoring up U.S. defenses in advance of a serious attack.
“I’d be interested to understand what makes this exploit worth reporting to Microsoft instead of keeping for their personal arsenal as they have in the past,” said Chris Morales, head of security analytics at Vectra.
It isn’t clear exactly when the NSA found the flaw, so it is possible the agency kept the vulnerability for its own purposes for a while before contacting Microsoft. Reporting by the The Washington Post, however, suggests the disclosure was done in a fairly timely manner.
The fact that the NSA is publicly credited for reporting CVE-2020-0601 indicates a change in philosophy at the NSA, Anne Neuberger, director of the NSA’s Cybersecurity Directorate, said on a call with reporter. The agency has never permitted public attribution in the past. The NSA followed the vulnerabilities equities process (VEP), which is used by the federal government to determine how to treat vulnerabilities on a case-by-case basis, to report CVE-2020-0601.