Threat Signal Report

Coverage Information for Microsoft January 2020 Security Update for (CVE-2020-0601)

Description

Microsoft Security Updates for January 2020 (commonly known as Patch Tuesday) have been released to the public today. On Monday, there were various grumblings via the Twittersphere about a high profile vulnerability that would be addressed in this upcoming Patch Tuesday update. In this cumulative update 50 CVE's were addressed, along with one notable vulnerability, CVE-2020-0601 (CryptoAPI Spoofing Vulnerability).


First discovered by The United States National Security Agency (NSA) and disclosed to Microsoft, CVE-2020-0601 is a spoofing vulnerability which exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. This vulnerability allows for a certificate to be spoofed code signed, meaning that the malware can be seen as originating from a trusted source. This has serious implications because certificates aren't really stolen or forged, but appear to be legitimate because they chain appropriately ultimately allowing for the bypass of AV endpoints, and any other technological solutions due to the whitelisting of trusted signed files. Furthermore, this vulnerability allows for man-in-the-middle attacks and the decryption of confidential information on affected software.


It is safe to surmise that in the wild exploits will appear after Patch Tuesday, which is commonly known as "Exploit Wednesday" which is a term used within the InfoSec community where attackers try to reverse available patches. Sophisticated threat actors will likely try and leverage this disclosure and add it into their arsenal within the upcoming weeks.


We will continue to update this blog with any further relevant updates once available. For further information and guidance please view the reference section at the end of this document.


What versions of software are affected?

This vulnerability affects Windows 10, Windows Server 2016, Windows Server 2019 platforms. Regarding available mitigation, if automatic updates are turned off, it is highly recommended to apply this month's update as soon as possible, if feasible.


Have there been reports of in the wild exploitation?

No. According to the Microsoft advisory, there have not been any reports of ITW exploitation. However, it is expected that attackers will try and reverse engineer this vulnerability disclosure to attack unpatched machines.


What is the status of AV and IPS coverage?

Fortinet customers running the latest definitions set (15.757) are currently protected against CVE-2020-0601 by our IPS signature:

MS.Windows.CryptoAPI.ECC.Certificate.Spoofing

AV coverage is not feasible for this event.


References

CVE-2020-0601 | Windows CryptoAPI Spoofing Vulnerability

Patch Critical Cryptographic Vulnerability in Microsoft Windows Clients and Servers


Definitions

Traffic Light Protocol

Color When Should it Be used? How may it be shared?

TLP: RED

Not for disclosure, restricted to participants only.
Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused. Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person.

TLP: AMBER

Limited disclosure, restricted to participants’ organizations.
Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved. Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing: these must be adhered to.

TLP: GREEN

Limited disclosure, restricted to the community.
Sources may use TLP:GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector. Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community.

TLP: WHITE

Disclosure is not limited.
Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.