A Vulnerability in the Microsoft Cryptographic Library CRYPT32.DLL Could Allow for Remote Code Execution

 

 

 

 

A Vulnerability in the Microsoft Cryptographic Library CRYPT32.DLL Could Allow for Remote Code Execution

 

 

MS-ISAC ADVISORY NUMBER:

2020-005

 

 

DATE(S) ISSUED:

01/14/2020

 

 

OVERVIEW:

 

A vulnerability has been discovered in the Microsoft Cryptographic library CRYPT32.DLL, which could allow for remote code execution. The Microsoft Cryptographic library CRYPT32.DLL is the module that implements many of the certificate and cryptographic messaging functions in the CryptoAPI. This library comes with the Windows and Windows Server Operating Systems. Successful exploitation of this vulnerability could allow for attackers to compromise trusted network connections using spoofed certificates. This can be used to deliver malicious executable code under the pretense of a legitimately trusted entity, commit man-in-the-middle attacks, and decrypt confidential information. Examples of potentially impacted services include HTTPS connections, signed emails and files, and user-mode processes launching signed executable code.

 

 

THREAT INTELLIGENCE:

 

 

There is currently no report of this vulnerability being exploited in the wild. CISA anticipates that attempted exploits utilizing this vulnerability may occur in the near future.

 

 

 

SYSTEMS AFFECTED:

 

 

  • Windows 10

  • Windows Server 2016, 2019

  • Applications that rely on Windows for Trust functionality

    •  

 

 

RISK:

 

 

 

 

Government:

 

 

  • Large and medium government entities: HIGH

  • Small government entities: MEDIUM

    •  

 

 

Businesses:

 

  • Large and medium business entities: HIGH

  • Small business entities: MEDIUM

    •  

 

 

Home Users:

LOW

 

 

 

 

TECHNICAL SUMMARY:

 

 

A vulnerability has been discovered in The Microsoft Cryptographic library CRYPT32.DLL, which could allow for remote code execution. This spoofing vulnerability (CVE-2020-0601) exists due to the way the library Crypt32.dll validates the Elliptic Curve Cryptography certificates. Successful exploitation of this vulnerability could allow for attackers to compromise trusted network connections using spoofed certificates to deliver malicious executable code under the pretense of a legitimately trusted entity, commit man-in-the-middle attacks, and decrypt confidential information. Examples of potentially impacted services include HTTPS connections, signed emails and files, and user-mode processes launching signed executable code.

This vulnerability is included in the monthly Microsoft Patch Tuesday release.

 

 

 

RECOMMENDATIONS:

 

 

We recommend the following actions be taken:

 

  • Rapid adoption of the patch is the only known mitigation at this time and is a paramount recommendation that all state, local, tribal, and territorial governments patch their respective systems after appropriate testing

  • Reboot System after applying patches to complete remediation

    •  

 

 

 

REFERENCES:

 

 

 

Microsoft:

 

https://portal.msrc.microsoft.com/en-us/security-guidance
https://portal.msrc.microsoft.com/en-us/security-guidance/summary
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601

 

 

NSA:

 

https://media.defense.gov/2020/Jan/14/2002234275/-1/-1/0/CSA-WINDOWS-10-CRYPT-LIB-20190114.PDF

 

 

CISA:

 

https://cyber.dhs.gov/ed/20-02/
https://www.us-cert.gov/ncas/alerts/aa20-014a

 

 

CVES:

 

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0601

 

 

 

 

 

 

More information
https://www.cisecurity.org/advisory/a-vulnerability-in-the-microsoft-cryptograp…