CVE-2020-0601 | Windows CryptoAPI Spoofing Vulnerability

Security Vulnerability

Published: 01/14/2020 | Last Updated: 01/14/2020
MITRE CVE-2020-0601

A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates.

An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source. The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider.

A successful exploit could also allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software.

The security update addresses the vulnerability by ensuring that Windows CryptoAPI completely validates ECC certificates.

| Publicly Disclosed | Exploited | Latest Software Release | Older Software Release | Denial of Service |
|---|---|---|---|---|
| No | No | 1 – Exploitation More Likely | 1 – Exploitation More Likely | N/A |

| Product | Platform | Article | Download | Impact | Severity | Supersedence |
|---|---|---|---|---|---|---|
| Windows 10 for 32-bit Systems | | 4534306 | Security Update | Spoofing | Important | 4530681 |
| Windows 10 for x64-based Systems | | 4534306 | Security Update | Spoofing | Important | 4530681 |
| Windows 10 Version 1607 for 32-bit Systems | | 4534271 | Security Update | Spoofing | Important | 4530689 |
| Windows 10 Version 1607 for x64-based Systems | | 4534271 | Security Update | Spoofing | Important | 4530689 |
| Windows 10 Version 1709 for 32-bit Systems | | 4534276 | Security Update | Spoofing | Important | 4530714 |
| Windows 10 Version 1709 for ARM64-based Systems | | 4534276 | Security Update | Spoofing | Important | 4530714 |
| Windows 10 Version 1709 for x64-based Systems | | 4534276 | Security Update | Spoofing | Important | 4530714 |
| Windows 10 Version 1803 for 32-bit Systems | | 4534293 | Security Update | Spoofing | Important | 4530717 |
| Windows 10 Version 1803 for ARM64-based Systems | | 4534293 | Security Update | Spoofing | Important | 4530717 |
| Windows 10 Version 1803 for x64-based Systems | | 4534293 | Security Update | Spoofing | Important | 4530717 |
| Windows 10 Version 1809 for 32-bit Systems | | 4534273 | Security Update | Spoofing | Important | 4530715 |
| Windows 10 Version 1809 for ARM64-based Systems | | 4534273 | Security Update | Spoofing | Important | 4530715 |
| Windows 10 Version 1809 for x64-based Systems | | 4534273 | Security Update | Spoofing | Important | 4530715 |
| Windows 10 Version 1903 for 32-bit Systems | | 4528760 | Security Update | Spoofing | Important | 4530684 |
| Windows 10 Version 1903 for ARM64-based Systems | | 4528760 | Security Update | Spoofing | Important | 4530684 |
| Windows 10 Version 1903 for x64-based Systems | | 4528760 | Security Update | Spoofing | Important | 4530684 |
| Windows 10 Version 1909 for 32-bit Systems | | 4528760 | Security Update | Spoofing | Important | 4530684 |
| Windows 10 Version 1909 for ARM64-based Systems | | 4528760 | Security Update | Spoofing | Important | 4530684 |
| Windows 10 Version 1909 for x64-based Systems | | 4528760 | Security Update | Spoofing | Important | 4530684 |
| Windows Server 2016 | | 4534271 | Security Update | Spoofing | Important | 4530689 |
| Windows Server 2016 (Server Core installation) | | 4534271 | Security Update | Spoofing | Important | 4530689 |
| Windows Server 2019 | | 4534273 | Security Update | Spoofing | Important | 4530715 |
| Windows Server 2019 (Server Core installation) | | 4534273 | Security Update | Spoofing | Important | 4530715 |
| Windows Server, version 1803 (Server Core Installation) | | 4534293 | Security Update | Spoofing | Important | 4530717 |
| Windows Server, version 1903 (Server Core installation) | | 4528760 | Security Update | Spoofing | Important | 4530684 |
| Windows Server, version 1909 (Server Core installation) | | 4528760 | Security Update | Spoofing | Important | 4530684 |

Mitigations

Microsoft has not identified any mitigating factors for this vulnerability.

Workarounds

Microsoft has not identified any workarounds for this vulnerability.

FAQ

How can I tell if someone is attempting to use a forged certificate to exploit this vulnerability?

  1. After the applicable Windows update is applied, the system will generate Event ID 1 in the Event Viewer after each reboot under Windows Logs/Application when an attempt to exploit a known vulnerability ([CVE-2020-0601] cert validation) is detected.
  2. This Event is raised by a User mode process.

| Type | Value |
|---|---|
| Event Log | Windows Logs/Application |
| Event Source | Audit-CVE |
| Event ID | 1 |
| Certificate Authority | Microsoft ECC Product Root Certificate Authority 2018 |
| SHA1 | This data is specific to the certificate in question |
| Para | This data is specific to the certificate in question |
| otherPara | This data is specific to the certificate in question |
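
One way to run the check described in this FAQ from PowerShell, as an added example that is not part of Microsoft's advisory. The function name `Get-Cve20200601Event`, the 30-day window and the `*Audit-CVE*` wildcard for the event source are assumptions made for illustration.

```powershell
# Added example (not Microsoft's code). Reads the Application log for the
# Audit-CVE events described in the FAQ and keeps those naming CVE-2020-0601.
# Assumption: '*Audit-CVE*' is a wildcard for the event source listed above.
function Get-Cve20200601Event {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$DaysBack = 30
    )

    $filter = @{
        LogName      = 'Application'
        ProviderName = '*Audit-CVE*'
        Id           = 1
        StartTime    = (Get-Date).AddDays(-$DaysBack)
    }

    try {
        $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop
    }
    catch {
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') {
            return   # query worked, nothing logged in the window
        }
        # For example no matching provider on this host, or the host was
        # unreachable. Surface it rather than silently reporting nothing.
        Write-Warning "$ComputerName : $($_.Exception.Message)"
        return
    }

    foreach ($e in $events) {
        # The payload (CA, SHA1, Para, otherPara) is certificate-specific, so
        # join every property value instead of relying on field names.
        $details = ($e.Properties | ForEach-Object { [string]$_.Value }) -join ' | '
        if ("$($e.Message) $details" -notmatch 'CVE-2020-0601') { continue }

        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            Computer    = $e.MachineName
            ProcessId   = $e.ProcessId   # user-mode process that raised the event
            UserSid     = $e.UserId
            Details     = $details
        }
    }
}

Get-Cve20200601Event | Sort-Object TimeCreated | Format-List
```

A warning from this function means the query itself failed on that host, which is different from the query succeeding and finding no events.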

Is there more information from Microsoft regarding CVE-2020-0601?

Yes, please see the blog post released on 1/14/2020.

Acknowledgements

National Security Agency

See acknowledgements for more information.

Disclaimer

The information provided in the Microsoft Knowledge Base is provided “as is” without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions

| Version | Date | Description |
|---|---|---|
| 1.0 | 01/14/2020 | Information published. |
| 1.1 | 01/14/2020 | Added an FAQ. This is an information change only. |

Source: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601
