CVE-2020-0601:Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601) allows attackers to bypass certificate validation for ECC certificates.

splash
Back

Description Preview

A critical spoofing vulnerability (CVE-2020-0601), also known as "CurveBall", exists in the Windows CryptoAPI (Crypt32.dll) that affects how the system validates Elliptic Curve Cryptography (ECC) certificates. This vulnerability allows attackers to craft malicious certificates that appear legitimate to Windows certificate validation processes. By exploiting this flaw, attackers can sign malicious executables with spoofed code-signing certificates, making malware appear to come from trusted, legitimate sources. This undermines a fundamental trust mechanism in Windows and could enable various attacks including man-in-the-middle attacks, malware distribution, and data theft.

Overview

The Windows CryptoAPI (Crypt32.dll) vulnerability affects the certificate validation process for Elliptic Curve Cryptography (ECC) certificates. The flaw exists because Windows fails to properly validate the elliptic curve parameters in certificates. An attacker can exploit this by generating a certificate with specially crafted parameters that match the public key of a legitimate certificate but with a different private key controlled by the attacker.

This vulnerability impacts all Windows 10 systems, Windows Server 2016, and Windows Server 2019. When exploited, it allows attackers to:

  • Spoof legitimate websites and services
  • Sign malicious code to appear as if it came from trusted sources
  • Perform man-in-the-middle attacks to intercept and decrypt secure communications
  • Bypass security mechanisms that rely on certificate validation

The vulnerability has been assigned CWE-295 (Improper Certificate Validation) and is considered particularly dangerous because it undermines the fundamental trust model of the Windows platform.

Remediation

To address this vulnerability, the following steps should be taken:

  1. Apply Microsoft's January 2020 security update (KB4528760) immediately to all affected systems.

    • Windows 10 systems can be updated via Windows Update
    • Windows Server systems should be patched according to organizational patch management procedures

  2. Prioritize updates for internet-facing systems and those handling sensitive information.

  3. If patching cannot be immediately performed:

    • Consider implementing network monitoring for exploitation attempts
    • Restrict internet access for unpatched systems
    • Implement additional authentication mechanisms where possible

  4. After patching, verify the update was successful by checking that the following file versions are present:

    • For Windows 10 version 1909 or 1903: Crypt32.dll version 10.0.18362.592 or later
    • For Windows 10 version 1809: Crypt32.dll version 10.0.17763.973 or later

  5. Organizations should review logs for any suspicious certificate-related activities that may indicate prior exploitation attempts.

References

  1. Microsoft Security Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601

  2. CurveBall Proof of Concept Demonstrations:

    • http://packetstormsecurity.com/files/155960/CurveBall-Microsoft-Windows-CryptoAPI-Spoofing-Proof-Of-Concept.html
    • http://packetstormsecurity.com/files/155961/CurveBall-Microsoft-Windows-CryptoAPI-Spoofing-Proof-Of-Concept.html

  3. NSA Cybersecurity Advisory on this vulnerability: https://media.defense.gov/2020/Jan/14/2002234275/-1/-1/0/CSA-WINDOWS-10-CRYPT-LIB-20190114.PDF

  4. US-CERT Alert (AA20-014A): https://www.us-cert.gov/ncas/alerts/aa20-014a

  5. Common Weakness Enumeration: https://cwe.mitre.org/data/definitions/295.html

Early Warning

Customers using Armis Early Warning were notified about this vulnerability before it appeared in CISA's Known Exploited Vulnerabilities Catalog, enabling them to assess their exposure and act proactively. Armis offers these examples of CVEs already included in CISA KEV for potential customers. Click here to learn how to receive alerts earlier.

Armis Alert Date
Jan 14, 2020
CISA KEV Date
Nov 3, 2021
659days early

Industry ExposureMost to least
This section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.

  1. Manufacturing: Medium
    Manufacturing
  2. Health Care & Social Assistance: Medium
    Health Care & Social Assistance
  3. Public Administration: Medium
    Public Administration
  4. Transportation & Warehousing: Medium
    Transportation & Warehousing
  5. Educational Services: Medium
    Educational Services
  6. Retail Trade: Medium
    Retail Trade
  7. Finance and Insurance: Low
    Finance and Insurance
  8. Utilities: Low
    Utilities
  9. Arts, Entertainment & Recreation: Low
    Arts, Entertainment & Recreation
  10. Professional, Scientific, & Technical Services: Low
    Professional, Scientific, & Technical Services
  11. Other Services (except Public Administration): Low
    Other Services (except Public Administration)
  12. Information: Low
    Information
  13. Management of Companies & Enterprises: Low
    Management of Companies & Enterprises
  14. Accommodation & Food Services: Low
    Accommodation & Food Services
  15. Agriculture, Forestry Fishing & Hunting: Low
    Agriculture, Forestry Fishing & Hunting
  16. Construction: Low
    Construction
  17. Mining: Low
    Mining
  18. Real Estate Rental & Leasing: Low
    Real Estate Rental & Leasing
  19. Administrative, Support, Waste Management & Remediation Services: Low
    Administrative, Support, Waste Management & Remediation Services
  20. Wholesale Trade: Low
    Wholesale Trade

Focus on What Matters

  1. See Everything.
  2. Identify True Risk.
  3. Proactively Mitigate Threats.

Let's talk!

background