CVE-2020-0601: Windows CryptoAPI Spoofing Vulnerability

Overview

Severity
High (CVSS 8.1)
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N/E:P/RL:O/RC:C
Category
Spoofing
Exploit Status
Not Exploited
Exploitation Likelihood
More Likely
Patch Tuesday
2020-Jan
Released
2020-01-14
Last Updated
2020-01-16
EPSS Score
94.09% (percentile: 99.9%)
CISA KEV
Listed — due 2022-05-03

Description

A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source. The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider. A successful exploit could also allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software. The security update addresses the vulnerability by ensuring that Windows CryptoAPI completely validates ECC certificates.

FAQ

How can I tell if someone is attempting to use a forged certificate to exploit this vulnerability?

After the applicable Windows update is applied, the system will generate Event ID 1 in the Event Viewer after each reboot under Windows Logs/Application when an attempt to exploit a known vulnerability ([CVE-2020-0601] cert validation) is detected. This event is raised by a user-mode process.

  • Event Log: Windows Logs/Application
  • Event Source: Audit-CVE
  • Event ID: 1
  • Certificate Authority: Microsoft ECC Product Root Certificate Authority 2018
  • SHA1: this data is specific to the certificate in question
  • Para: this data is specific to the certificate in question
  • otherPara: this data is specific to the certificate in question

Is there more information from Microsoft regarding CVE-2020-0601?

Yes, please see the blog post released on 1/14/2020.

Are versions older than Windows 10 affected by this vulnerability?

No, only Windows 10 versions of the OS are affected. In the initial release of Windows 10 (Build 1507, TH1), Microsoft added support for ECC parameters configuring ECC curves. Prior to this, Windows only supported named ECC curves. The code which added support for ECC parameters also resulted in the certificate validation vulnerability. It was not a regression, and versions of Windows which don't support ECC parameters configuring ECC curves (Windows Server 2008, Windows 7, Windows 8.1 and their server equivalents) were not affected.
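The detection event described above can be collected from the Application log with PowerShell. This is an added example, not part of the Microsoft advisory; it assumes the ETW provider behind the Audit-CVE source is named Microsoft-Windows-Audit-CVE, and it keeps only Event ID 1 entries whose message names this CVE, since the Audit-CVE source is shared with other patched vulnerabilities.

```powershell
# Added example: hunt for CVE-2020-0601 forged-certificate detections on patched hosts.
# Assumption: the provider behind the "Audit-CVE" event source is 'Microsoft-Windows-Audit-CVE'.
param(
    [int]$Days = 30,
    [string[]]$ComputerName = @($env:COMPUTERNAME)
)

$filter = @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-Audit-CVE'
    Id           = 1
    StartTime    = (Get-Date).AddDays(-$Days)
}

foreach ($c in $ComputerName) {
    try {
        # Get-WinEvent raises a terminating error when no event matches; treat that as "clean".
        $events = Get-WinEvent -ComputerName $c -FilterHashtable $filter -ErrorAction Stop
    } catch {
        Write-Verbose "No Audit-CVE events on $c ($($_.Exception.Message))"
        continue
    }

    foreach ($e in $events) {
        # Audit-CVE covers several CVEs; keep only the entries that name this one.
        if ($e.Message -notmatch '\[CVE-2020-0601\]') { continue }

        [pscustomobject]@{
            Computer  = $c
            Time      = $e.TimeCreated
            ProcessId = $e.ProcessId      # user-mode process that performed the validation
            Message   = ($e.Message -replace '\s+', ' ')
        }
    }
}
```

Any row returned is a host where a certificate with spoofed ECC parameters was presented after the update was applied, and the Message field carries the certificate-specific SHA1, Para and otherPara values for triage.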

Known Exploits (12)

  • Microsoft Windows CryptoAPI Spoofing Vulnerability — added 2024-05-16T12:32:44Z
  • Microsoft Windows CryptoAPI Spoofing Vulnerability — added 2021-01-17T11:53:28Z
  • Microsoft Windows CryptoAPI Spoofing Vulnerability — added 2020-02-26T19:59:25Z
  • Microsoft Windows CryptoAPI Spoofing Vulnerability — added 2020-02-18T16:36:49Z
  • Microsoft Windows CryptoAPI Spoofing Vulnerability — added 2020-02-06T21:46:31Z
  • Microsoft Windows CryptoAPI Spoofing Vulnerability — added 2020-02-03T13:58:07Z
  • Microsoft Windows CryptoAPI Spoofing Vulnerability — added 2020-01-29T01:59:43Z
  • Microsoft Windows CryptoAPI Spoofing Vulnerability — added 2020-01-28T21:24:54Z
  • Microsoft Windows CryptoAPI Spoofing Vulnerability — added 2020-01-23T18:26:48Z
  • Microsoft Windows CryptoAPI Spoofing Vulnerability — added 2020-01-19T18:20:26Z
  • Microsoft Windows CryptoAPI Spoofing Vulnerability — added 2020-01-16T23:44:37Z
  • Microsoft Windows CryptoAPI Spoofing Vulnerability — added 2020-01-15T23:15:32Z

Detection & Weaponization (2 sources)

Maturity: Detection

  • YARA rules: REVERSINGLABS_Win32_Exploit_CVE20200601
  • GitHub PoC: 35 repositories

Affected Products (26)

Windows

  • Windows 10 Version 1803 for 32-bit Systems
  • Windows 10 Version 1803 for x64-based Systems
  • Windows Server, version 1803 (Server Core Installation)
  • Windows 10 Version 1803 for ARM64-based Systems
  • Windows 10 Version 1809 for 32-bit Systems
  • Windows 10 Version 1809 for x64-based Systems
  • Windows 10 Version 1809 for ARM64-based Systems
  • Windows Server 2019
  • Windows Server 2019 (Server Core installation)
  • Windows 10 Version 1709 for 32-bit Systems
  • Windows 10 Version 1709 for x64-based Systems
  • Windows 10 Version 1709 for ARM64-based Systems
  • Windows 10 Version 1903 for 32-bit Systems
  • Windows 10 Version 1903 for x64-based Systems
  • Windows 10 Version 1903 for ARM64-based Systems
  • Windows Server, version 1903 (Server Core installation)
  • Windows 10 for 32-bit Systems
  • Windows 10 for x64-based Systems
  • Windows 10 Version 1607 for 32-bit Systems
  • Windows 10 Version 1607 for x64-based Systems
  • Windows Server 2016
  • Windows Server 2016 (Server Core installation)
  • Windows 10 Version 1909 for 32-bit Systems
  • Windows 10 Version 1909 for x64-based Systems
  • Windows Server, version 1909 (Server Core installation)
  • Windows 10 Version 1909 for ARM64-based Systems

Security Updates (6)

Acknowledgments

National Security Agency

Revision History

  • 2020-01-14: Information published.
  • 2020-01-14: Added an FAQ. This is an information change only.
  • 2020-01-16: Added FAQ information. This is an informational change only.