The U.S. National Security Agency has taken the unusual step of publicly disclosing a vulnerability to a software vendor. This is the first time that such a disclosure has been attributed to the NSA. The vulnerability, tracked as CVE-2020-0601, affects Windows 10 and Windows Server 2016 and 2019, and has been rated as critical by the NSA, but only important by Microsoft.
When the NSA discovers vulnerabilities, it usually keeps them quiet and uses them for the agency's own offensive purposes. While this Windows flaw could be weaponized, the decision was taken to disclose it in what appears to be an effort to build trust, something the NSA feels is necessary following the theft and publication of several of its exploits by the Shadow Brokers. Some of those exploits have since been used in multiple global cyberattacks. According to Brian Krebs, this is only the first of several disclosures the NSA plans to make under a new initiative that will see more of the agency's vulnerability research shared with software vendors to help them make their software more secure.
The latest flaw is certainly serious. It affects the Windows CryptoAPI and is a spoofing vulnerability that could be exploited by remote threat actors to make malicious files appear to have been sent from trusted sources. The flaw could also be exploited in man-in-the-middle attacks.
The flaw is present in Windows 10, Windows Server 2016, and Windows Server 2019, but it also affects other applications that rely on Windows for their certificate trust functionality. The flaw is due to how Crypt32.dll validates Elliptic Curve Cryptography (ECC) certificates.
According to the NSA, “The certificate validation vulnerability allows an attacker to undermine how Windows verifies cryptographic trust and can enable remote code execution.”
The flaw could lead to remote code execution, although it is unlikely that the vulnerability could be exploited for RCE in isolation. The NSA believes sophisticated threat actors such as nation-state-backed APTs would be able to quickly find and exploit the vulnerability, leaving unpatched platforms exposed.
In an attack scenario, the vulnerability would allow a threat actor to sign malicious files with spoofed code-signing certificates. The file would then appear to have come from a trusted source. The NSA said the flaw could impact trust in HTTPS connections, signed executable code – automatic software updates for example – and signed files and email. It would also be possible to modify files in transit, such as automatic software updates, to incorporate malicious code to allow RCE.
Microsoft has released a security advisory that states the flaw has not been exploited in the wild. A patch to address the flaw has been released as part of Microsoft’s January 2020 Patch Tuesday updates. All users and organizations have been advised to apply the patches as soon as possible to prevent exploitation.
If it is not possible to immediately apply the patch, the NSA has provided mitigations that can be applied on endpoints or broadly relied-upon services. The NSA cybersecurity advisory can be found here.
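The root cause described above (Crypt32.dll's handling of ECC certificates) and the NSA mitigation guidance both point to the same defensive check: the NSA advisory notes that certificates carrying explicitly defined elliptic curve parameters, rather than a named curve OID, are rare in legitimate use and should be treated as suspicious. The following is an added example, not code from the NSA, Microsoft, or the original article. It is a dependency-free Python DER walker that reads a certificate's SubjectPublicKeyInfo and reports whether an EC key names its curve by OID or embeds an explicit ECParameters SEQUENCE. The sample SPKIs it builds are constructed placeholders (fake key bytes, a stub parameter block) so that it runs offline; the function names and the `KNOWN_CURVES` list are this example's own choices.

```python
"""Flag EC SubjectPublicKeyInfo with explicit curve parameters (CVE-2020-0601 triage).
Pure-Python DER walker, no third-party dependencies. Added example, not vendor code."""

ID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"       # id-ecPublicKey
ID_RSA_ENCRYPTION = "1.2.840.113549.1.1.1"   # rsaEncryption, used only for a control sample
KNOWN_CURVES = {"1.2.840.10045.3.1.7": "P-256", "1.3.132.0.34": "P-384", "1.3.132.0.35": "P-521"}
INTEGER, BIT_STRING, OCTET_STRING, NULL, OID, SEQUENCE = 0x02, 0x03, 0x04, 0x05, 0x06, 0x30


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element at pos; handles long-form lengths."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    """OID content bytes -> dotted string."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def _tlv(tag, body):
    """Encode one DER element (short- or long-form length)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body


def _oid(dotted):
    """Dotted OID -> complete DER OBJECT IDENTIFIER element."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return _tlv(OID, bytes(out))


def classify_spki(spki_der):
    """'not-ec' | 'named-curve:<oid>' | 'explicit-params' | 'malformed' for a DER SPKI."""
    try:
        tag, spki, _ = _read_tlv(spki_der, 0)
        if tag != SEQUENCE:
            return "malformed"
        tag, algid, _ = _read_tlv(spki, 0)              # AlgorithmIdentifier
        if tag != SEQUENCE:
            return "malformed"
        tag, alg_oid, pos = _read_tlv(algid, 0)
        if tag != OID:
            return "malformed"
        if _decode_oid(alg_oid) != ID_EC_PUBLIC_KEY:
            return "not-ec"
        if pos >= len(algid):                            # EC keys must carry parameters
            return "malformed"
        tag, params, _ = _read_tlv(algid, pos)
    except IndexError:
        return "malformed"
    if tag == OID:
        return "named-curve:" + _decode_oid(params)
    return "explicit-params" if tag == SEQUENCE else "malformed"


def is_suspicious(spki_der):
    """Flag explicit ECParameters, unknown named curves and malformed keys for review."""
    verdict = classify_spki(spki_der)
    if verdict.startswith("named-curve:"):
        return verdict.split(":", 1)[1] not in KNOWN_CURVES
    return verdict in ("explicit-params", "malformed")


# Constructed samples (placeholder key material, not real keys and not a working spoof).
_FAKE_POINT = _tlv(BIT_STRING, b"\x00\x04" + b"\x11" * 64)   # fake uncompressed point


def sample_named_curve(curve_oid="1.2.840.10045.3.1.7"):
    """Normal EC key: curve named by OID."""
    return _tlv(SEQUENCE, _tlv(SEQUENCE, _oid(ID_EC_PUBLIC_KEY) + _oid(curve_oid)) + _FAKE_POINT)


def sample_explicit_params():
    """EC key with an ECParameters SEQUENCE (stub body: version INTEGER plus filler)."""
    params = _tlv(SEQUENCE, _tlv(INTEGER, b"\x01") + _tlv(OCTET_STRING, b"\x00" * 8))
    return _tlv(SEQUENCE, _tlv(SEQUENCE, _oid(ID_EC_PUBLIC_KEY) + params) + _FAKE_POINT)


def sample_rsa():
    """Control: rsaEncryption with NULL parameters, should report 'not-ec'."""
    return _tlv(SEQUENCE, _tlv(SEQUENCE, _oid(ID_RSA_ENCRYPTION) + _tlv(NULL, b"")) + _FAKE_POINT)


if __name__ == "__main__":
    for name, spki in [("named P-256", sample_named_curve()),
                       ("explicit params", sample_explicit_params()),
                       ("rsa control", sample_rsa())]:
        print(f"{name:16s} {classify_spki(spki):32s} suspicious={is_suspicious(spki)}")
```

To use it against real certificates, extract the SubjectPublicKeyInfo from each DER certificate (any X.509 library will hand it back) and pass it to `is_suspicious`; the check is cheap enough to run over a TLS proxy's observed chains or a code-signing allow-list in bulk. As a complementary check on already patched hosts, Microsoft's advisory for CVE-2020-0601 states that the January 2020 update logs attempted exploitation to the Application event log as Event ID 1 from the source Microsoft-Windows-Audit-CVE, with the text "[CVE-2020-0601] cert validation", which is straightforward to forward to a SIEM.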