CVE-2020-0601 | Windows CryptoAPI Spoofing Vulnerability

Security Vulnerability

Published: 01/14/2020 | Last Updated : 01/14/2020
MITRE CVE-2020-0601On this page

• Executive Summary
• Exploitability Assessment
• Security Updates
• Mitigations
• Workarounds
• FAQ
• Acknowledgements
• Disclaimer
• Revisions

A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates.

An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source. The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider.

A successful exploit could also allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software.

The security update addresses the vulnerability by ensuring that Windows CryptoAPI completely validates ECC certificates.

Publicly Disclosed	Exploited	Latest Software Release	Older Software Release	Denial of Service
No	No	1 – Exploitation More Likely	1 – Exploitation More Likely	N/A

• Security Updates
• CVSS Score

Product	Platform	Article	Download	Impact	Severity	Supersedence
Windows 10 for 32-bit Systems		4534306	Security Update	Spoofing	Important	4530681
Windows 10 for x64-based Systems		4534306	Security Update	Spoofing	Important	4530681
Windows 10 Version 1607 for 32-bit Systems		4534271	Security Update	Spoofing	Important	4530689
Windows 10 Version 1607 for x64-based Systems		4534271	Security Update	Spoofing	Important	4530689
Windows 10 Version 1709 for 32-bit Systems		4534276	Security Update	Spoofing	Important	4530714
Windows 10 Version 1709 for ARM64-based Systems		4534276	Security Update	Spoofing	Important	4530714
Windows 10 Version 1709 for x64-based Systems		4534276	Security Update	Spoofing	Important	4530714
Windows 10 Version 1803 for 32-bit Systems		4534293	Security Update	Spoofing	Important	4530717
Windows 10 Version 1803 for ARM64-based Systems		4534293	Security Update	Spoofing	Important	4530717
Windows 10 Version 1803 for x64-based Systems		4534293	Security Update	Spoofing	Important	4530717
Windows 10 Version 1809 for 32-bit Systems		4534273	Security Update	Spoofing	Important	4530715
Windows 10 Version 1809 for ARM64-based Systems		4534273	Security Update	Spoofing	Important	4530715
Windows 10 Version 1809 for x64-based Systems		4534273	Security Update	Spoofing	Important	4530715
Windows 10 Version 1903 for 32-bit Systems		4528760	Security Update	Spoofing	Important	4530684
Windows 10 Version 1903 for ARM64-based Systems		4528760	Security Update	Spoofing	Important	4530684
Windows 10 Version 1903 for x64-based Systems		4528760	Security Update	Spoofing	Important	4530684
Windows 10 Version 1909 for 32-bit Systems		4528760	Security Update	Spoofing	Important	4530684
Windows 10 Version 1909 for ARM64-based Systems		4528760	Security Update	Spoofing	Important	4530684
Windows 10 Version 1909 for x64-based Systems		4528760	Security Update	Spoofing	Important	4530684
Windows Server 2016		4534271	Security Update	Spoofing	Important	4530689
Windows Server 2016 (Server Core installation)		4534271	Security Update	Spoofing	Important	4530689
Windows Server 2019		4534273	Security Update	Spoofing	Important	4530715
Windows Server 2019 (Server Core installation)		4534273	Security Update	Spoofing	Important	4530715
Windows Server, version 1803 (Server Core Installation)		4534293	Security Update	Spoofing	Important	4530717
Windows Server, version 1903 (Server Core installation)		4528760	Security Update	Spoofing	Important	4530684
Windows Server, version 1909 (Server Core installation)		4528760	Security Update	Spoofing	Important	4530684

Mitigations

Microsoft has not identified any mitigating factors for this vulnerability.

Workarounds

Microsoft has not identified any workarounds for this vulnerability.

FAQ

How can I tell is someone is attempting to use a forged certificate to exploit this vulnerability?

1. After the applicable Windows update is applied, the system will generate Event ID 1 in the Event Viewer after each reboot under Windows Logs/Application when an attempt to exploit a known vulnerability ([CVE-2020-0601] cert validation) is detected.
2. This Event is raised by a User mode process.

Type	Value
Event Log	Windows Logs/Application
Event Source	Audit-CVE
Event ID	1
Certificate Authority	Microsoft ECC Product Root Certificate Authority 2018
SHA1	This data is specific to the certificate in question
Para	This data is specific to the certificate in question
otherPara	This data is specific to the certificate in question

Is there more information from Microsoft regarding CVE-2020-0601?

Yes, please see the blog post released on 1/14/2020.

Acknowledgements

National Security Agency

See acknowledgements for more information.

Disclaimer

The information provided in the Microsoft Knowledge Base is provided “as is” without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions

Version	Date	Description
1.0	01/14/2020	Information published.
1.1	01/14/2020	Added an FAQ. This is an information change only.

Source: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601