TODO: Install the January 2020 Cumulative Update in your networking infrastructure

Reading Time: 2 minutes

Windows Server

This Tuesday, Microsoft released an update that fixes a critical vulnerability in Windows and Windows Server. I urge you to install this update as soon as possible.

 

About the vulnerability

The vulnerability, labeled CVE-2020-0601 was responsibly disclosed by the NSA to Microsoft. It is dubbed ‘NSACrypt’.

A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates.

Any software, including third-party non-Microsoft software, that relies on the Windows CertGetCertificateChain() function to determine if an X.509 certificate can be traced to a trusted root Certification Authority may incorrectly determine the trustworthiness of a certificate chain.

Microsoft Windows versions that support certificates with ECC keys that specify parameters are affected. This includes Windows 10 as well as Windows Server 2016 and 2019.

Note:
Windows 8.1 and prior, as well as the Server 2012 R2 and prior counterparts, do not support ECC keys with parameters. For this reason, such certificates that attempt to exploit this vulnerability are inherently untrusted by older Windows versions.

By exploiting this vulnerability, an attacker may be able to spoof a valid X.509 certificate chain on a vulnerable Windows system. This may allow various actions including, but not limited to, interception and modification of TLS-encrypted communications or spoofing an Authenticode signature. The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider.

 

About the update

The following security updates address the vulnerability by ensuring that Windows’ CryptoAPI completely validates Elliptic Curve Cryptography (ECC)certificates:

Windows 10 version 1607 KB4534271
Windows 10 version 1709 KB4534276
Windows 10 version 1803 KB4534293
Windows 10 version 1809 KB4534273
Windows 10 version 1903 KB4528760
Windows Server 2016 KB4534271
Windows Server 2019 KB4534273
Windows Server, version 1803 KB4534293
Windows Server, version 1903 KB4538760
Windows Server, version 1909 KB4538760

A system restart is required after you apply this security update.

After the applicable Windows update is applied, the system will generate Event ID 1 in the Event Viewer after each reboot under Windows Logs/Application when an attempt to exploit a known vulnerability ([CVE-2020-0601] cert validation) is detected

 

NON-SECURITY-RELATED FIXES THAT ARE INCLUDED IN THIS SECURITY UPDATE

This security update also addresses an issue to support new SameSite cookie policies by default for release 80 of Google Chrome.

 

MITIGATING FACTORS

Microsoft has not identified any mitigating factors for this vulnerability.

 

WORKAROUNDS

Microsoft has not identified any workarounds for this vulnerability..

 

Call to action

I urge you to install the necessary security updates on systems in a test environment as soon as possible, assess the risk and possible impact on your production environment and then, roll out this update to systems in the production environment.

From our tests, we concluded that there was no negative impact, but we have updated our systems and our customers’ systems monthly. As this is a cumulative update, all fixes, addressing all vulnerabilities between the last cumulative update, or the release of the Operating System will be applied.

 

FURTHER READING

National Vulnerability Database: CVE-2020-0601

CVE-2020-0601 | Windows CryptoAPI Spoofing Vulnerability
January 2020 Security Updates: CVE-2020-0601
Microsoft Windows CryptoAPI fails to properly validate ECC certificate chains

2 Responses to TODO: Install the January 2020 Cumulative Update in your networking infrastructure

  1.  

    Typo in your title, it's 2020! 🙂

  2.