Executive Summary

Microsoft released a patch this week for a critical zero-day vulnerability (CVE-2020-0601) that affects Windows 10, Server 2016, and Server 2019. The vulnerability resides in the Windows CryptoAPI service that validates the Elliptic Curve Cryptography (ECC) certificates. These certificates handle the way Windows encrypts and decrypts data, including SSL and TLS.

According to the National Security Agency (who originally discovered the vulnerability and informed Microsoft), “the certificate validation vulnerability allows an attacker to undermine how Windows verifies cryptographic trust and can enable remote code execution." The exploitation of the vulnerability could have a severe impact, allowing attacks to be successfully executed, including

  • Spoofing of software digital signatures, allowing a malicious file to be installed while making the operating system and any anti-virus or end-point protection product think that it is a legitimate service

  • Issuance of a certificate for a device that did not authorize it, while preventing your browser from accurately warning you of the illegitimate certificate

Mitigation

We recommend that you apply the updates as soon as possible.  While there is no official report of active exploitation occurring in the wild, there are some rumors that this may not be the case.  Regardless, the vulnerability is severe enough that it should warrant emergency patching in accordance with your vulnerability and patch management policy.

Most endpoint workstations with Windows 10 should auto-update if that service is enabled.  That will ensure the patch is applied in a timely manner.  Nevertheless, we recommend that you validate that the update installed.  In some cases, Windows Server 2016 and 2019 will also auto-update, however, depending on the organization, server, and the services it provides auto-updating may be disabled and it may be necessary to apply the patch manually.

You may download the patch at the following link based upon the vulnerable software version you currently have running: Patch Download.  According to Microsoft, there does not appear to be any other mitigating controls that can be implemented to secure this vulnerability in lieu of applying the patch update.

We recommend that all affected devices be patched as soon as possible.

Sparkhound’s managed services team can help run this patch in your environment. We are also available to monitor your systems to help proactively address vulnerabilities like this in the future.

Let's get to work →

You can read more about this vulnerability from the following primary sources:

National Security Agency Advisory

Microsoft Advisory

US-Cert Advisory

  • “A Very Important Patch Tuesday.” National Security Agency | Central Security Service, 14 Jan. 2020, https://www.nsa.gov/News-Features/News-Stories/Article-View/Article/2056772/a-very-important-patch-tuesday/.

  • “Critical Vulnerabilities in Microsoft Windows Operating Systems: CISA.” Critical Vulnerabilities in Microsoft Windows Operating Systems | CISA, https://www.us-cert.gov/ncas/alerts/aa20-014a.

  • “Krebs on Security.” Brian Krebs, https://krebsonsecurity.com/2020/01/cryptic-rumblings-ahead-of-first-2020-patch-tuesday/.

  • Portal.msrc.microsoft.com, https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601.

  • “Update Windows 10 Immediately to Patch a Flaw Discovered by the NSA.” The Hacker News, 14 Jan. 2020, https://thehackernews.com/2020/01/warning-quickly-patch-new-critical.html

Get Email Notifications