[Special Note: we will have a special webcast on this topic at noon ET tomorrow (Wednesday, January 15th. See https://sans.org/cryptoapi-isc )

For January, we do have three topics to pay attention to:

1. Windows CryptoAPI Spoofing Vulnerability (%CVE:2020-0601%)
2. Two "BlueKeep" Like vulnerabilities in RD Gateway (%CVE:2020-0609% and %CVE:2020-0610%)
3. This will be the last month Microsoft will publish free security updates for Windows 7

This month, Microsoft wasn't able to prevent information about these updates from leaking as it usually can. Information about one particular flaw, %CVE:2020-0601%, the "Windows CryptoAPI Spoofing Vulnerability," was leaked as early as Friday.

CVE-2020-0601 has a significant impact on endpoint security. An attacker exploiting this vulnerability will be able to make malicious code look like it was signed by a trusted source (for example, Microsoft). The flaw only affects Elliptic Curve Cryptography (ECC) certificates. ECC, just like RSA certificates, use public/private keys. ECC is considered more modern and efficient. ECC keys are significantly shorter than RSA keys of equivalent strength. With ECC still being somewhat "new," many software publishers still use RSA certificates. But it appears to be possible that an attacker could spoof an entity that usually only uses RSA certificates by applying a spoofed ECC certificate to malicious software. The code validating the certificate doesn't know which type of certificate a publisher uses.

According to an NSA press release about the issue, TLS is affected as well [1]. A website could use this flaw to impersonate a valid website (including TLS certificate). This could be used for more convincing phishing sites.0

Only Windows 10 and Windows Server 2016 and later are affected by this flaw. In addition to fixing the flaw, Microsoft also added a function to log an error if an exploit attempt is detected. The error message  "[CVE-2020-0601] cert validation" will be logged to the event log if a certificate is processed that attempts to exploit the flaw.

How could this flaw be exploited? Let's look at a quick sample scenario how this flaw could be used to trick a user to install malicious code:

1. The attacker sends an email to the user. The attacker can use this flaw to create a valid signature for the email indicating that it came from a trusted source (for example a vendor).
2. The user clicks on the link, and the attacker will redirect the request to a malicious website via a man in the middle attack. The attacker would be able to create a fake website with a TLS certificate that appears to be valid.
3. Malicious software will be downloaded from the site. The attacker will be able to create a valid code signing signature.
4. The user, or endpoint protection software on the user's system, will consider the software harmless due to the (fake) signature identifying a trusted vendor as the author.

Certificates are the based mechanism used to verify the authenticity and integrity of the content. Without it, an attacker can spoof arbitrary entities and make malicious content appear trusted.

How severe is this flaw? If you are having issues with your users enabling macros in Office documents they receive from untrusted sources and if nothing blocks them from downloading and execute malware: Don't worry. You are not validating signatures anyway. However, if you have an endpoint solution that blocks users from running untrusted code: You likely need to worry and apply this patch quickly. The flaw is part of Microsoft's Crypto API (crypt32.dll). This library is used by pretty much all Windows software that deals with encryption and digital signatures. This flaw is likely going to affect a lot of third party software as well, not just software written by Microsoft. Any software calling the "CertGetCertificateChain()" function in Crypto API should be considered vulnerable, which for example includes Google Chrome and many others.

At this point, I am not aware of a public exploit, but the advisory was made public minutes ago. Maybe we will know more by the end of the day. At this point, the vulnerability has not been exploited yet. It was found by the US National Security Agency (NSA), who reported the flaw to Microsoft.

But %CVE:2020-0601% isn't the only vulnerability you should be worried about this month. %CVE:2020-0609% and %CVE:2020-0610% are fixing remote code execution vulnerabilities in the Windows Remote Desktop Gateway (RD Gateway). Remember BlueKeep? The RD Gateway is used to authenticate users and allow access to internal RDP services. As a result, RD Gateway is often exposed and used to protect the actual RDP servers from exploitation.

Finally: This will be the last monthly patch for Windows 7. 

[1] https://media.defense.gov/2020/Jan/14/2002234275/-1/-1/0/CSA-WINDOWS-10-CRYPT-LIB-20190114.PDF

Patch Tuesday Dashboard

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS Technology Institute
Twitter|