CVE-2020-0601:
Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601) allows attackers to bypass certificate validation for ECC certificates.
Score
A numerical rating that indicates how dangerous this vulnerability is.
8.1High- Published Date:Jan 14, 2020
- CISA KEV Date:Nov 3, 2021
- Industries Affected:20
379 DaysThreat Predictions
- EPSS Score:94.1
- EPSS Percentile:100%
Exploitability
- Score:2.8
- Attack Vector:NETWORK
- Attack Complexity:LOW
- Privileges Required:NONE
- User Interaction:REQUIRED
- Scope:UNCHANGED
Impact
- Score:5.2
- Confidentiality Impact:HIGH
- Integrity Impact:HIGH
- Availability Impact:NONE
Description Preview
Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601) allows attackers to bypass certificate validation for ECC certificates.
Overview
The Windows CryptoAPI (Crypt32.dll) vulnerability affects the certificate validation process for Elliptic Curve Cryptography (ECC) certificates. The flaw exists because Windows fails to properly validate the elliptic curve parameters in certificates. An attacker can exploit this by generating a certificate with specially crafted parameters that match the public key of a legitimate certificate but with a different private key controlled by the attacker. This vulnerability impacts all Windows 10 systems, Windows Server 2016, and Windows Server 2019. When exploited, it allows attackers to: - Spoof legitimate websites and services - Sign malicious code to appear as if it came from trusted sources - Perform man-in-the-middle attacks to intercept and decrypt secure communications - Bypass security mechanisms that rely on certificate validation The vulnerability has been assigned CWE-295 (Improper Certificate Validation) and is considered particularly dangerous because it undermines the fundamental trust model of the Windows platform.
Remediation
- To address this vulnerability, the following steps should be taken:
- 1. Apply Microsoft's January 2020 security update (KB4528760) immediately to all affected systems.
- Windows 10 systems can be updated via Windows Update
- Windows Server systems should be patched according to organizational patch management procedures
- 2. Prioritize updates for internet-facing systems and those handling sensitive information.
- 3. If patching cannot be immediately performed:
- Consider implementing network monitoring for exploitation attempts
- Restrict internet access for unpatched systems
- Implement additional authentication mechanisms where possible
- 4. After patching, verify the update was successful by checking that the following file versions are present:
- For Windows 10 version 1909 or 1903: Crypt32.dll version 10.0.18362.592 or later
- For Windows 10 version 1809: Crypt32.dll version 10.0.17763.973 or later
- 5. Organizations should review logs for any suspicious certificate-related activities that may indicate prior exploitation attempts.
References
- 1. Microsoft Security Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601
- 2. CurveBall Proof of Concept Demonstrations:
- - http://packetstormsecurity.com/files/155960/CurveBall-Microsoft-Windows-CryptoAPI-Spoofing-Proof-Of-Concept.html
- - http://packetstormsecurity.com/files/155961/CurveBall-Microsoft-Windows-CryptoAPI-Spoofing-Proof-Of-Concept.html
- 3. NSA Cybersecurity Advisory on this vulnerability:
- https://media.defense.gov/2020/Jan/14/2002234275/-1/-1/0/CSA-WINDOWS-10-CRYPT-LIB-20190114.PDF
- 4. US-CERT Alert (AA20-014A):
- https://www.us-cert.gov/ncas/alerts/aa20-014a
- 5. Common Weakness Enumeration:
- https://cwe.mitre.org/data/definitions/295.html
Armis Early Warning
Armis Early Warning provides proactive threat intelligence and early detection capabilities.Click here to learn more.
- Armis Alert Date:Oct 20, 2020
- CISA KEV Date:Nov 3, 2021
- Days Early:379 Days
Industries Affected
Below is a list of industries most commonly impacted or potentially at risk based on intelligence.
