
CVE-2020-0601: Spoofing Vulnerability in Windows CryptoAPI

The NSA has reported a critical flaw in Microsoft's CryptoAPI (crypt32.dll) that allows digital signatures and certificates to be spoofed. How could attackers exploit this issue? Is your company at risk? What steps do you need to take? We cover what you need to know in this blog post.

The issue

The vulnerability lies in the way Windows CryptoAPI validates Elliptic Curve Cryptography (ECC) certificates. An ECC certificate may describe its curve either by name or as explicit parameters (prime, coefficients, base point, order). The unpatched CryptoAPI matched a certificate to a trusted root CA on the public key alone, without checking that the curve parameters were the standard ones, so an attacker could craft a certificate carrying the same public key as a trusted ECC root but with a self-chosen base point for which the attacker holds the private key. By using such a spoofed code-signing certificate to sign a malicious executable file, an attacker could make Windows believe that the file came from a trusted, legitimate source and was therefore harmless. With the digital signature appearing to be from a trusted provider, users would have no way to tell that the file is malicious.

The spoofed certificate is not limited to code signing. Because CryptoAPI also validates the certificates behind HTTPS connections, signed e-mail and other signed content, Microsoft's advisory notes that a successful exploit could also let the attacker conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software. Either way, the attacker tricks Windows into trusting something that is not legitimate: a malicious application that looks safe to install, or a server that looks like the genuine one.
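To see why the spoof works, here is an added worked example in Python. It is not code from this blog post, from Microsoft or from the NSA: it implements textbook ECDSA over NIST P-256, constructs a stand-in "trusted root" key pair, and then applies the attacker's trick of keeping the root's public key Q while declaring explicit curve parameters whose base point G' is chosen so that a private key the attacker knows matches Q. The key values, the signed payload and all function names are constructed for the example. The last helper is the check the unpatched CryptoAPI skipped: explicit parameters must equal the named curve field for field, base point included.

```python
import hashlib
import secrets

# NIST P-256 domain parameters (FIPS 186-4): y^2 = x^3 + A*x + B over GF(P),
# base point G of prime order N.
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)
NAMED_P256 = {"p": P, "a": A, "b": B, "base": G, "n": N}
INF = None  # point at infinity

def add(p1, p2):
    """Affine point addition / doubling (textbook, not constant-time)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def sign(d, msg, base=G):
    """ECDSA over SHA-256; 'base' is the generator the signer's parameters declare."""
    e = int.from_bytes(hashlib.sha256(msg).digest(), "big") % N
    while True:
        k = secrets.randbelow(N - 1) + 1
        r = mul(k, base)[0] % N
        s = pow(k, -1, N) * (e + r * d) % N
        if r and s:
            return r, s

def verify(q, msg, sig, base=G):
    """ECDSA verification using whichever base point the parameters supply."""
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    e = int.from_bytes(hashlib.sha256(msg).digest(), "big") % N
    w = pow(s, -1, N)
    pt = add(mul(e * w % N, base), mul(r * w % N, q))
    return pt is not INF and pt[0] % N == r

def curveball_base(q_root, d_fake):
    """Attacker side (constructed for this example): for any chosen private key
    d_fake, the base point G' = d_fake^-1 * Q makes (d_fake, Q) a valid key pair
    while the public key Q stays identical to the trusted root's."""
    return mul(pow(d_fake, -1, N), q_root)

def params_match_named_curve(params):
    """The check the unpatched CryptoAPI skipped: explicit parameters are only
    acceptable if every field, base point included, equals the named curve."""
    return params == NAMED_P256

def demo():
    # Constructed stand-ins: a 'trusted root' key pair and a payload to sign.
    d_root = secrets.randbelow(N - 1) + 1
    q_root = mul(d_root, G)
    d_fake = 2
    g_fake = curveball_base(q_root, d_fake)
    spoofed = {"p": P, "a": A, "b": B, "base": g_fake, "n": N}
    msg = b"malicious.exe"
    sig = sign(d_fake, msg, base=g_fake)
    return {
        "fake_pair_matches_root_key": mul(d_fake, g_fake) == q_root,
        "verifies_with_real_G": verify(q_root, msg, sig),
        "verifies_with_attacker_G": verify(q_root, msg, sig, base=g_fake),
        "explicit_params_rejected": not params_match_named_curve(spoofed),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Run it directly and the four results show the whole story: the attacker's signature fails under the genuine base point G but verifies under G', which is what CryptoAPI effectively accepted when it matched the root by public key alone, and a field-by-field comparison of the explicit parameters against the named curve rejects the spoofed certificate. The point arithmetic is textbook and not constant-time; it is for illustration, not for production use.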

Are you at risk?

The vulnerability exists in all versions of Windows 10, Windows Server 2016 and Windows Server 2019 (Windows 7, Windows 8.1 and Windows Server 2012 are not affected). Kudelski Security's research team has published working exploit code, and according to the French security researcher SwitHak, public and private exploits have been detected in the wild.

How can you check your system for possible exploitation of the issue?

  • After installing the January 2020 cumulative OS update, the patched CryptoAPI writes an event each time it detects a certificate that attempts to exploit the flaw. Note that an unpatched system logs nothing, so this cannot reveal exploitation that took place before the update. Check for the following in Event Viewer (eventvwr):

Type           Value
Event log      Windows Logs/Application
Event source   Audit-CVE
Event ID       1

  • Or query the same events with PowerShell. A hit has the message text "[CVE-2020-0601] cert validation". On PowerShell 7, where Get-EventLog is no longer available, use Get-WinEvent with a FilterHashtable for the same log name, provider (Audit-CVE) and event ID instead:

Get-EventLog -LogName Application -Source Audit-CVE -InstanceId 1

Do you need assistance detecting this exploitation through PowerShell? Don’t hesitate to contact us – we’ll gladly help you.

The solution

Microsoft addressed this issue in the security update of 14 January 2020, as described in the security bulletin for CVE-2020-0601. The patch makes Windows CryptoAPI fully validate ECC certificates, including their curve parameters. There is no workaround: installing this patch is currently the only way to mitigate the risk. The NSA advises patching first the endpoints that validate certificates on behalf of many users or that host critical services, such as web servers, proxies that inspect TLS, domain controllers, DNS and update servers and VPN servers, and then the remaining systems.
