After two days of forewarning, Microsoft released its January 2020 collection of updates for “Patch Tuesday.” It had been leaked that there was a critical flaw in the crypt32.dll library that could represent a serious security flaw for the entire world.

The crypt32.dll library provides the foundation for cryptographic operations in Windows and is often leveraged by applications to perform key creation, storage, hashing, and verification of certificates. Any vulnerability in this DLL has the potential to affect all cryptographic-dependent applications as well as the operating system. In addition, this core library has been in use since the days of Windows NT.

In the release of patches, Microsoft publicly disclosed CVE-2020-0601 and publicly acknowledges its discovery by the NSA. The vulnerability appears to be significant in that a fraudulent code signing certificate using Elliptical Curve Cryptography (ECC) can fool the verification engine and allow malicious software to be installed and run. 

The issue appears to be limited to systems running Windows 10, Server 2016, and Server 2019. This is of particular interest as ECC support has been available in Windows since Server 2008 R2. So the problem must be specific to changes that occurred in Windows 10. Is it possible the problem exists prior to Windows 10? Anything is possible, but given the notification and support of older operating systems, Microsoft surely would have evaluated these older versions to see if they were susceptible.

The recommendation is to get this patch out as soon as possible to targeted systems. While there are no know exploits of this in the wild, history has shown that once reports are made public, the exploitation of those weaknesses wont be far behind. Given the ability to bypass critical security controls, this will likely be a prime target for adversarial actors.

Summary, while not the doomsday predictions that were circulating in the last few days, this exploit is serious and should be patched quickly.

ThePKIGuy

About ThePKIGuy

President & Founder at PKI Solutions, Leading PKI Cybersecurity Subject Matter Expert, Author, Speaker, Trainer, Microsoft Certified Master.

2 Comments

  1. Vadims Podāns Vadims Podāns on January 15, 2020 at 7:32 am

    A little correcrion, ECC was available for Windows Server 2008 SP1. It is about for 12 years. Given that there are no active exploits, nor details about this, I suspect that the problem isn’t that big as speculated in internet.

  2. ThePKIGuy ThePKIGuy on January 15, 2020 at 9:32 pm

    Another important note: this vulnerability can’t be dismissed by organization’s saying “we are not affected because we don’t use ECC code signing certificates”. The issue is the OS has a vulnerability that can be exploited by an adversary with an ECC certificate of their choice to exploit your system. It has nothing to do with your use of code signing and or ECC certificates. You are affected!

    In addition, the Code signing example is only part of the threat profile. In short, any ECC certificate presented to the OS in this vulnerability will be improperly validated – included SSL/TLS certificates.

Leave a Comment





This site uses Akismet to reduce spam. Learn how your comment data is processed.