The U.S. National Security Agency (NSA) has discovered a critical security vulnerability named CVE-2020-0601 in Microsoft’s Windows 10 and Windows Server 2016/2019 OS versions that allows malicious actors to infiltrate trusted network connections and deliver malicious code.
In a blog post published Tuesday, the NSA revealed that the vulnerability, assigned CVE-2020-0601, affects HTTPS connections, signed files and emails, and signed executable code launched as user-mode processes. If exploited on an industrial scale, the flaw could let attackers compromise large volumes of data passing through connections that Windows treats as trusted.
“NSA assesses the vulnerability to be severe and that sophisticated cyber actors will understand the underlying flaw very quickly and, if exploited, would render the previously mentioned platforms as fundamentally vulnerable.
“The consequences of not patching the vulnerability are severe and widespread. Remote exploitation tools will likely be made quickly and widely available. Rapid adoption of the patch is the only known mitigation at this time and should be the primary focus for all network owners,” the agency said.
In response, Microsoft immediately released its January 2020 security patch, stating that the patch addressed the vulnerability CVE-2020-0601 and advised Windows 10 users across the world to “update their systems as quickly as practical”.
“This month we addressed the vulnerability CVE-2020-0601 in the usermode cryptographic library, CRYPT32.DLL, that affects Windows 10 systems. This vulnerability is classed Important and we have not seen it used in active attacks.
“This vulnerability is one example of our partnership with the security research community where a vulnerability was privately disclosed and an update released to ensure customers were not put at risk,” said Mechele Gruhn, Principal Security Program Manager of Microsoft’s Security Response Center in a blog post.
The global software giant said that CVE-2020-0601 allowed an attacker to abuse the way Windows CryptoAPI (Crypt32.dll) validates certificates: by using a spoofed code-signing certificate to sign a malicious executable, the attacker could make the file appear to come from a trusted, legitimate source.
“The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider. A successful exploit could also allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software,” Microsoft said.
What is CVE-2020-0601 and why should it concern you?
Explaining the vulnerability, SecureData senior researcher Wicus Ross said that the flaw exists in the validation process of digital certificates, which are used by various services including web servers to validate identity, authenticity and to establish confidential communication channels.
“While this means that an attacker could potentially eavesdrop on a confidential conversation or impersonate another entity, there is very little public information available on how the vulnerability could be exploited. The only acceptable mitigation against this vulnerability is to install the applicable Microsoft patch,” he said.
“The underlying component, crypt32.dll, is used for all digital signatures on Windows computers – servers and desktops. This is the component which helps verify SSL connections, whether software packages are legitimate, and whether a digital certificate submitted for email authentication is valid, among many other security items,” said Tim Mackey, principal security strategist within the Synopsys CyRC.
“Exploitation of this vulnerability will allow an attacker to bypass the trust of all network connections on Windows 10 and Windows Server 2016/2019 systems, or those referencing them. With the attention CVE-2020-0601 is receiving, attackers will be crafting their attacks with an eye to profiting from those who lag in their patch procedures.
“Priority should be placed on patching any Windows device connected to the internet, or fulfilling a network service function like DNS, web proxy, VPN server, domain controllers or systems validating trust. As with any vulnerability, if the system is used by a privileged user, then timely application of patches is critical. In the case of CVE-2020-0601, priority should be placed on patching any system used by a privileged user or by a user with access to sensitive data,” he added.
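Once the January 2020 update is installed, the patched CryptoAPI logs an audit event each time it rejects a certificate that attempts to exploit CVE-2020-0601, which gives defenders a way to see whether the flaw is being tried against a host. The following PowerShell query is an added example, not part of the article or of Microsoft's own tooling; it assumes the patched event source Microsoft-Windows-Audit-CVE (Event ID 1 in the Application log) and a seven-day lookback window chosen for illustration.

```powershell
# Added example: look for CryptoAPI audit events written by the patched
# crypt32.dll when a spoofed certificate is rejected (CVE-2020-0601).
# Unpatched systems never write this event, so an empty result on a host
# that has not been updated is not evidence of safety.
$lookbackDays = 7   # assumed window, adjust to the retention of your log

$filter = @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-Audit-CVE'
    Id           = 1
    StartTime    = (Get-Date).AddDays(-$lookbackDays)
}

# -ErrorAction SilentlyContinue: Get-WinEvent throws when nothing matches
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*CVE-2020-0601*' }

if (-not $events) {
    Write-Output "No CVE-2020-0601 audit events in the last $lookbackDays days on $env:COMPUTERNAME."
    return
}

# Summarise each hit; the full message carries the details of the rejected certificate
$events | ForEach-Object {
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Machine = $_.MachineName
        Message = $_.Message
    }
} | Sort-Object Time | Format-List
```

Any hit should be treated as an attempted exploitation against that host and investigated alongside the patch status of neighbouring systems, since the same spoofed certificate would be accepted by an unpatched machine.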
The complete list of Windows 10 and Windows Server versions that are affected by the critical security vulnerability can be accessed here.
This isn’t the first time that a premier government organisation entrusted with protecting national security has red-flagged a critical vulnerability in a platform that is used by billions of people across the world.
In 2017, GCHQ’s cybersecurity arm the National Cyber Security Centre (NCSC) discovered and reported two critical vulnerabilities (CVE-2017-11937 and CVE-2017-11940) in the Microsoft Malware Protection Engine that allowed attackers to conduct remote code execution and take over victims’ computers.
While releasing a security patch for the flaws, Microsoft said the vulnerabilities allowed malicious actors to execute arbitrary code in the security context of the LocalSystem account and take control of the system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.