This Tuesday, Microsoft released an update that fixes a critical vulnerability in Windows and Windows Server. I urge you to install this update as soon as possible.
About the vulnerability
The vulnerability, labeled CVE-2020-0601 was responsibly disclosed by the NSA to Microsoft. It is dubbed ‘NSACrypt’.
A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates.
Any software, including third-party non-Microsoft software, that relies on the Windows CertGetCertificateChain() function to determine if an X.509 certificate can be traced to a trusted root Certification Authority may incorrectly determine the trustworthiness of a certificate chain.
Microsoft Windows versions that support certificates with ECC keys that specify parameters are affected. This includes Windows 10 as well as Windows Server 2016 and 2019.
Windows 8.1 and prior, as well as the Server 2012 R2 and prior counterparts, do not support ECC keys with parameters. For this reason, such certificates that attempt to exploit this vulnerability are inherently untrusted by older Windows versions.
By exploiting this vulnerability, an attacker may be able to spoof a valid X.509 certificate chain on a vulnerable Windows system. This may allow various actions including, but not limited to, interception and modification of TLS-encrypted communications or spoofing an Authenticode signature. The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider.
About the update
The following security updates address the vulnerability by ensuring that Windows’ CryptoAPI completely validates Elliptic Curve Cryptography (ECC)certificates:
|Windows 10 version 1607||KB4534271|
|Windows 10 version 1709||KB4534276|
|Windows 10 version 1803||KB4534293|
|Windows 10 version 1809||KB4534273|
|Windows 10 version 1903||KB4528760|
|Windows Server 2016||KB4534271|
|Windows Server 2019||KB4534273|
|Windows Server, version 1803||KB4534293|
|Windows Server, version 1903||KB4538760|
|Windows Server, version 1909||KB4538760|
A system restart is required after you apply this security update.
After the applicable Windows update is applied, the system will generate Event ID 1 in the Event Viewer after each reboot under Windows Logs/Application when an attempt to exploit a known vulnerability ([CVE-2020-0601] cert validation) is detected
NON-SECURITY-RELATED FIXES THAT ARE INCLUDED IN THIS SECURITY UPDATE
This security update also addresses an issue to support new SameSite cookie policies by default for release 80 of Google Chrome.
Microsoft has not identified any mitigating factors for this vulnerability.
Microsoft has not identified any workarounds for this vulnerability..
Call to action
I urge you to install the necessary security updates on systems in a test environment as soon as possible, assess the risk and possible impact on your production environment and then, roll out this update to systems in the production environment.
From our tests, we concluded that there was no negative impact, but we have updated our systems and our customers’ systems monthly. As this is a cumulative update, all fixes, addressing all vulnerabilities between the last cumulative update, or the release of the Operating System will be applied.