
CVE-2020-0601: NSA Reported Spoofing Vulnerability in Windows CryptoAPI

As part of the first Patch Tuesday of 2020, Microsoft has released patches for CVE-2020-0601. This is a critical flaw in the cryptographic library for Windows that affects Windows 10 and Windows Server 2016/2019. The National Security Agency, which discovered and reported the flaw to Microsoft, strongly urges users to prioritise patching vulnerable systems.

Commenting on the Microsoft flaw, Renaud Deraison, Co-founder and CTO at Tenable, said, “CVE-2020-0601 hits at the very trust we have in today’s digital computing environments — trust to authenticate binaries and trust that our ciphered communications are properly protected. The flaw would enable an attacker, among other things, to exploit how Windows verifies cryptographic trust, enabling them to deliver executable code and making it look like it came from a trusted source. You can imagine its use in ransomware and phishing attacks on unpatched systems. This is a serious vulnerability and one that we fully expect to see exploited in the wild in the coming weeks and months. We will see continued attacks over the course of the year among organisations that do not patch their systems quickly.

The NSA’s responsible disclosure of the vulnerability to Microsoft is a step in the right direction. We look forward to continued public-private sector coordination.”

Amit Yoran, Chairman and CEO of Tenable and Founding Director of the United States Computer Emergency Readiness Team (US-CERT) program in the U.S. Department of Homeland Security, said, “For the U.S. government to share its discovery of a critical vulnerability with a vendor is exceptionally rare if not unprecedented. It underscores the criticality of the vulnerability and we urge all organisations to prioritise patching their systems quickly. The fact that Microsoft provided a fix in advance to the US Government and other customers which provide critical infrastructure is also highly unusual. These are clearly noteworthy shifts from regular practices and make this vulnerability worth paying attention to and also worth asking questions about. How long ago was the vulnerability discovered? How long did it take from discovery to reporting? Was it used by the NSA? Has it been observed being used by foreign intelligence services already? What triggered the vendor disclosure? None of these questions change what organisations need to do at this point to protect themselves, but their answers might tell us a lot more about the environment we operate in.”