Today (2020-01-14) Microsoft announced that Patch Tuesday would include a fix for CVE-2020-0601, a critical bug in the CryptAPI.dll. This bug allows attackers to spoof certificates that use Elliptical Curve Cryptography in Windows 10 and Windows 2016/2019 Server endpoints.
Is All Security Broken?
No! This attack requires a significant foothold into an environment and is not something you would commonly see in the wild, unlike Ransomware. While the NSA is stating that this allows remote code execution, it’s only intended to convey that you could potentially install an update or binary that’s been modified by a man-in-the-middle attack or signed by a spoofed certificate.
This is not a worm that’s going to destroy networks, but rather a spoofing vulnerability that would allow an attacker – likely a Nation State APT – to surveil network infrastructure, steal secrets, and generally spy on vulnerable machines. As this develops into a public exploit it has a significant risk to environments; however, the initial targets for this attack are largely going to be government, military, some industrial, and very large organizations with sensitive data.
What Should I Do?
This report also came with warnings from the NSA and a large amount of FUD associated with how patching must happen immediately. Blumira urges caution in regard to breaking your usual patching routine but instead recommends speeding up any patch phasing that normally takes place.
Due to patch rolling out publicly the InfoSec community will start to reverse engineer the changes in CryptAPI.dll. This will result in a working exploit against unpatched machines; the question is largely how long that will take. It’s unlikely that a functional exploit would be active in the wild immediately but rather take days to weeks to filter out.
With that in mind, in addition to the lack of quality associated with recent Windows patches, we recommend completing your patching within the next week with the appropriate pre-patch testing. Additionally, this patch covers three new RDP vulnerabilities, some of which are in Windows 7, and these should also be applied as this was the last patch cycle for the Windows 7/2012 R2 series prior to it entering End of Life.
We agree with the NSA recommendations generally regarding priority for patching with some modifications. Our recommendations for patching priority:
- Web Appliances and Servers
- Proxies, although unlikely to be Windows based
- Endpoints that handle critical services, e.g., DCs, DNS, WSUS, VPN, IPSec if Windows based.
- Endpoints that are directly exposed to the internet
- Endpoints of privileged users
- Endpoints of users that access sensitive information
- All other Endpoints
By 2020-01-21, all Windows 10 and Windows Server 2016/2019 servers should be patched for CVE-2020-0601. As the phasing update process should already be started, if a public exploit becomes available then the updating can be sped up.