Microsoft patched a spoofing vulnerability present in the Windows usermode cryptographic library, CRYPT32.DLL, on Windows 10, Windows Server 2016, and Windows Server 2019 systems.

In a media call with the NSA that Bleeping Computer joined, the National Security Agency (NSA) stated that they discovered this vulnerability and immediately reported it to Redmond's security team.

Both NSA and Microsoft say that the vulnerability hasn't yet been exploited in the wild, while the agency recommends in its own advisory to install the patches delivered with Microsoft's January 2020 Patch Tuesday as soon as possible to block attackers from defeating "trusted network connections and deliver executable code while appearing as legitimately trusted entities."

In its second-ever Emergency Directive, DHS' Cybersecurity and Infrastructure Security Agency (CISA) also "strongly recommends agencies initiate patching immediately, with a focus on patching the Windows 10 and Server 2016/2019 systems impacted by CVE-2020-0601.

Agencies should prioritize patching mission-critical systems and High-Value Assets (HVAs), internet-accessible systems, and servers. Agencies should then apply the patch to the remaining endpoints."

The consequences of not patching the vulnerability are severe and widespread. Remote exploitation tools will likely be made quickly and widely available. Rapid adoption of the patch is the only known mitigation at this time and should be the primary focus for all network owners. - NSA

Spoofing ECC certificate chains' validity

"A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates," says Microsoft's security advisory. "An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source.

The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider," Microsoft adds.

After successfully exploiting unpatched systems, attackers can launch man-in-the-middle attacks, as well as decrypt confidential info from user connections to the impacted software.

"By exploiting this vulnerability, an attacker may be able to spoof a valid X.509 certificate chain on a vulnerable Windows system," CERT/CC vulnerability analyst Will Dormann explains.

"This may allow various actions including, but not limited to, interception and modification of TLS-encrypted communications or spoofing an Authenticode signature."

Now that it's all public:

1) CVE-2020-0601 - Windows doesn't properly validate X.509 certificate chains. https://t.co/gaUWl7J15W

2) CVE-2020-0609, CVE-2020-0610 - Windows Remote Desktop Gateway (not to be confused with RDP proper) unauthenticated RCE.https://t.co/nGHTcCeUWV — Will Dormann (@wdormann) January 14, 2020

Microsoft's security update addresses the vulnerability tracked as CVE-2020-0601 and reported by the NSA by making sure that the Windows CryptoAPI completely validates ECC certificates.

"This vulnerability is classed Important and we have not seen it used in active attacks," Microsoft Security Response Center' Principal Security Program Manager Mechele Gruhn added.

"This vulnerability is one example of our partnership with the security research community where a vulnerability was privately disclosed and an update released to ensure customers were not put at risk."

Microsoft encourages security researchers and organizations to report other potential vulnerabilities using the company's MSRC Researcher Portal.

Mitigation, prevention, and detection options

The NSA security advisory also provides mitigation measures for systems where immediately installing the patches Microsoft released as part of its January 2020 Patch Tuesday.

"Network devices and endpoint logging features may prevent or detect some methods of exploitation," says the agency's advisory.

"Properly configured and managed TLS inspection proxies independently validate TLS certificates from external entities and will reject invalid or untrusted certificates, protecting endpoints from certificates that attempt to exploit the vulnerabilities.

Ensure that certificate validation is enabled for TLS proxies to limit exposure to this class of vulnerabilities and review logs for signs of exploitation."

The NSA also recommends using capture analysis tools like Wireshark and tools such as OpenSSL and the Windows certutil utility to extract and analyze certificates to detect any malicious properties.

Certutil can be used to examine an X509 certificate by running the following command: o certutil –asn OpenSSL can be used to examine an X509 certificate by running the following command: o openssl asn1parse –inform DER –in –i –dump or o openssl x509 –inform DER –in –text Certutil can be used to list registered elliptic curves and view their parameters by running the following commands: o certutil –displayEccCurve o certutil –displayEccCurve OpenSSL can be used to view standard curves enabled/compiled into OpenSSL by running the following commands: o openssl ecparam –list_curves o openssl ecparam –name –param_enc explicit –text

"Certificates with named elliptic curves, manifested by explicit curve OID values, can be ruled benign," the NSA explains.

However, "certificates containing explicitly-defined elliptic curve parameters which only partially match a standard curve are suspicious, especially if they include the public key for a trusted certificate, and may represent bona fide exploitation attempts."