Contents
Security Vulnerability
Published: 01/14/2020 | Last Updated : 01/14/2020
MITRE CVE-2020-0601On this page
- Executive Summary
- Exploitability Assessment
- Security Updates
- Mitigations
- Workarounds
- FAQ
- Acknowledgements
- Disclaimer
- Revisions
A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates.
An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source. The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider.
A successful exploit could also allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software.
The security update addresses the vulnerability by ensuring that Windows CryptoAPI completely validates ECC certificates.
| Publicly Disclosed | Exploited | Latest Software Release | Older Software Release | Denial of Service |
|---|---|---|---|---|
| No | No | 1 – Exploitation More Likely | 1 – Exploitation More Likely | N/A |
| Product | Platform | Article | Download | Impact | Severity | Supersedence |
|---|---|---|---|---|---|---|
| Windows 10 for 32-bit Systems | 4534306 | Security Update | Spoofing | Important | 4530681 | |
| Windows 10 for x64-based Systems | 4534306 | Security Update | Spoofing | Important | 4530681 | |
| Windows 10 Version 1607 for 32-bit Systems | 4534271 | Security Update | Spoofing | Important | 4530689 | |
| Windows 10 Version 1607 for x64-based Systems | 4534271 | Security Update | Spoofing | Important | 4530689 | |
| Windows 10 Version 1709 for 32-bit Systems | 4534276 | Security Update | Spoofing | Important | 4530714 | |
| Windows 10 Version 1709 for ARM64-based Systems | 4534276 | Security Update | Spoofing | Important | 4530714 | |
| Windows 10 Version 1709 for x64-based Systems | 4534276 | Security Update | Spoofing | Important | 4530714 | |
| Windows 10 Version 1803 for 32-bit Systems | 4534293 | Security Update | Spoofing | Important | 4530717 | |
| Windows 10 Version 1803 for ARM64-based Systems | 4534293 | Security Update | Spoofing | Important | 4530717 | |
| Windows 10 Version 1803 for x64-based Systems | 4534293 | Security Update | Spoofing | Important | 4530717 | |
| Windows 10 Version 1809 for 32-bit Systems | 4534273 | Security Update | Spoofing | Important | 4530715 | |
| Windows 10 Version 1809 for ARM64-based Systems | 4534273 | Security Update | Spoofing | Important | 4530715 | |
| Windows 10 Version 1809 for x64-based Systems | 4534273 | Security Update | Spoofing | Important | 4530715 | |
| Windows 10 Version 1903 for 32-bit Systems | 4528760 | Security Update | Spoofing | Important | 4530684 | |
| Windows 10 Version 1903 for ARM64-based Systems | 4528760 | Security Update | Spoofing | Important | 4530684 | |
| Windows 10 Version 1903 for x64-based Systems | 4528760 | Security Update | Spoofing | Important | 4530684 | |
| Windows 10 Version 1909 for 32-bit Systems | 4528760 | Security Update | Spoofing | Important | 4530684 | |
| Windows 10 Version 1909 for ARM64-based Systems | 4528760 | Security Update | Spoofing | Important | 4530684 | |
| Windows 10 Version 1909 for x64-based Systems | 4528760 | Security Update | Spoofing | Important | 4530684 | |
| Windows Server 2016 | 4534271 | Security Update | Spoofing | Important | 4530689 | |
| Windows Server 2016 (Server Core installation) | 4534271 | Security Update | Spoofing | Important | 4530689 | |
| Windows Server 2019 | 4534273 | Security Update | Spoofing | Important | 4530715 | |
| Windows Server 2019 (Server Core installation) | 4534273 | Security Update | Spoofing | Important | 4530715 | |
| Windows Server, version 1803 (Server Core Installation) | 4534293 | Security Update | Spoofing | Important | 4530717 | |
| Windows Server, version 1903 (Server Core installation) | 4528760 | Security Update | Spoofing | Important | 4530684 | |
| Windows Server, version 1909 (Server Core installation) | 4528760 | Security Update | Spoofing | Important | 4530684 |
Mitigations
Microsoft has not identified any mitigating factors for this vulnerability.
Workarounds
Microsoft has not identified any workarounds for this vulnerability.
FAQ
How can I tell is someone is attempting to use a forged certificate to exploit this vulnerability?
- After the applicable Windows update is applied, the system will generate Event ID 1 in the Event Viewer after each reboot under Windows Logs/Application when an attempt to exploit a known vulnerability ([CVE-2020-0601] cert validation) is detected.
- This Event is raised by a User mode process.
| Type | Value |
|---|---|
| Event Log | Windows Logs/Application |
| Event Source | Audit-CVE |
| Event ID | 1 |
| Certificate Authority | Microsoft ECC Product Root Certificate Authority 2018 |
| SHA1 | This data is specific to the certificate in question |
| Para | This data is specific to the certificate in question |
| otherPara | This data is specific to the certificate in question |
Is there more information from Microsoft regarding CVE-2020-0601?
Yes, please see the blog post released on 1/14/2020.
Acknowledgements
National Security Agency
See acknowledgements for more information.
Disclaimer
The information provided in the Microsoft Knowledge Base is provided “as is” without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
Revisions
| Version | Date | Description |
|---|---|---|
| 1.0 | 01/14/2020 | Information published. |
| 1.1 | 01/14/2020 | Added an FAQ. This is an information change only. |
Source: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601