IT Professionals:
The University Information Security Office would like to make you aware of the following security bulletin of a vulnerability in the Microsoft CryptoAPI.
Background:
On January 14, 2020, Microsoft announced CVE-2020-0601, the Windows CryptoAPI Spoofing Vulnerability [1]. The vulnerability exists in the Windows CryptoAPI (crypt32.dll), which is responsible for validating Elliptic Curve Cryptography (ECC) certificates. Microsoft has released a security update that addresses the vulnerability by ensuring that CryptoAPI properly validates ECC certificates.
Impact:
An attacker exploiting the vulnerability could spoof code-signing certificates, making it appear that a malicious executable came from a legitimate and trusted source. There would be no way to tell from the signature that the spoofed code-signed file is malicious, because the digital signature would appear to come from a trusted provider. Once a system has been exploited, attackers can cause further harm by decrypting confidential information from user connections to the impacted software and by launching man-in-the-middle attacks.
Additionally, attackers may be able to spoof X.509 certificate chains, which could allow the interception and modification of TLS-encrypted communications, spoofing of websites, or spoofing of Authenticode signatures [2].
Platforms Affected:
Windows 10
Windows Server 2016
Windows Server 2019
Local Observations:
The University Information Security Office (UISO) has not identified any systems that have been exploited at this time; however, systems that remain unpatched could become compromised.
UISO Recommendations:
UISO strongly recommends that impacted systems be patched with the security update as soon as possible.
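As an added example (not part of this bulletin), the PowerShell function below checks whether any hosts have logged the Audit-CVE event that a patched system writes when it rejects a certificate forged via CVE-2020-0601. It assumes, as Microsoft documented for the January 2020 update, that such attempts are logged to the Application log as Event ID 1 from provider Microsoft-Windows-Audit-CVE (shown as "Audit-CVE" in Event Viewer) with "[CVE-2020-0601]" in the message; the further assumption that an unpatched host has no such provider registered, and the server names used, are constructed for illustration.

```powershell
# Added example: report CVE-2020-0601 exploitation attempts logged by patched
# Windows hosts. Assumptions (not stated in the bulletin): the January 2020
# update logs Event ID 1 from provider Microsoft-Windows-Audit-CVE in the
# Application log, with "[CVE-2020-0601]" in the message, on each attempt.
function Get-CurveBallAuditEvent {
    [CmdletBinding()]
    param(
        [string[]]$ComputerName = $env:COMPUTERNAME,
        [int]$Days = 30
    )
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-Audit-CVE'
        Id           = 1
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    foreach ($computer in $ComputerName) {
        # Assumption: a host without the Audit-CVE provider cannot log these
        # events at all (likely unpatched, or unreachable). Report that as its
        # own status so an empty result is never mistaken for "clean".
        $provider = Get-WinEvent -ListProvider 'Microsoft-Windows-Audit-CVE' `
            -ComputerName $computer -ErrorAction SilentlyContinue
        if (-not $provider) {
            [pscustomobject]@{ ComputerName = $computer; Status = 'ProviderMissing'
                               TimeCreated = $null; Message = 'Audit-CVE provider not registered' }
            continue
        }
        # Get-WinEvent emits a non-terminating error when nothing matches; silence it.
        $events = Get-WinEvent -FilterHashtable $filter -ComputerName $computer `
            -ErrorAction SilentlyContinue |
            Where-Object { $_.Message -like '*CVE-2020-0601*' }
        if (-not $events) {
            [pscustomobject]@{ ComputerName = $computer; Status = 'NoAttemptsLogged'
                               TimeCreated = $null; Message = $null }
            continue
        }
        foreach ($e in $events) {
            [pscustomobject]@{ ComputerName = $computer; Status = 'AttemptDetected'
                               TimeCreated = $e.TimeCreated; Message = $e.Message }
        }
    }
}

# Usage: this host plus two constructed server names from an inventory list.
Get-CurveBallAuditEvent -ComputerName $env:COMPUTERNAME, 'server01', 'server02' -Days 30 |
    Format-Table -AutoSize
```

Remote queries require the Remote Event Log Management firewall rule and rights to read the target's Application log; hosts reporting ProviderMissing should be checked for the update first.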
Workarounds:
There are no workarounds for this vulnerability.
Further Reading:
[1] CVE-2020-0601 https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601
[2] Authenticode Digital Signature https://docs.microsoft.com/en-us/windows-hardware/drivers/install/authenticode
[3] CryptoAPI System Architecture https://docs.microsoft.com/en-us/windows/win32/seccrypto/cryptoapi-system-architecture
[4] Certificate Chains https://docs.microsoft.com/en-us/windows/win32/seccrypto/certificate-chains
~~~~~ Today’s IT Pro Tip ~~~~~
Would you like to see an infoshare on a specific topic? Send your suggestion to talk2uits@iu.edu – we’ll try to arrange it.