Microsoft’s first Patch Tuesday of 2020 saw a total of 49 CVEs (bugs) being fixed, however, the one that matters the most in the cybersecurity space is the Windows CryptoAPI Vulnerability tracked under CVE-2020-0601.
This Windows CryptoAPI spoofing vulnerability was found by the National Security Agency (NSA) during its research and analysis. Microsoft, for the first time, has publicly acknowledged the reporting done by the government body and Anne Neuberger, NSA’s Director of Cybersecurity, has accepted the credit given in a press call.
According to the Microsoft’s Advisory, “a spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates.” NSAs Cybersecurity Advisory confirms this revelation and gives further insights of the CryptoAPI vulnerability. It says, “The certificate validation vulnerability allows an attacker to undermine how Windows verifies cryptographic trust and can enable remote code execution. The vulnerability affects Windows 10 and Windows Server 2016/2019 as well as applications that rely on Windows for trust functionality. Exploitation of the vulnerability allows attackers to defeat trusted network connections and deliver executable code while appearing as legitimately trusted entities.”
A successful exploit can also allow a potential attacker to conduct Man-in-the-Middle (MITM) attacks and decrypt confidential information of users. Microsoft worked on the findings of NSA’s research team and released a security update that addresses the vulnerability by ensuring that Windows CryptoAPI completely validates ECC certificates.
Both, NSA and Microsoft, have requested all its Windows 10 and Windows Server 2016/2019 system users to install all January 2020 Patch Tuesday updates at the earliest to mitigate the CryptoAPI vulnerability.
As an additional periphery of mitigation steps, Symantec also recommends the following:
Block external access at the network boundary, unless external parties require service.
If global access isn’t needed, filter access to the affected computer at the network boundary. Restricting access to only trusted computers and networks might greatly reduce the likelihood of successful exploits.
Run all software as a nonprivileged user with minimal access rights.
To reduce the impact of latent vulnerabilities, run all applications with the minimal amount of privileges required for functionality.
Deploy network intrusion detection systems to monitor network traffic for malicious activity.
Deploy NIDS to monitor network traffic for signs of anomalous or suspicious activity including unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from successful exploits.
