UPDATE: NSA Cybersecurity Advisory: CVE-2020-0601 Critical Cryptographic Vulnerability in Microsoft Windows Clients and Servers

Posting ID 122293
Date Added: 01/14/2020 2:21 PM EST
Date Modified: 01/16/2020 10:52 AM EST
Carlo Castaneda | E-ISAC Staff

Description

--- UPDATE ---

Open source reporting [hXXps://www.zdnet.com/article/proof-of-concept-exploits-published-for-the-microsoft-nsa-crypto-bug/] has indicated that several security researchers have published proof-of-concept code to exploit the recently-announced CVE-2020-0601 vulnerability of the Microsoft Windows CryptoAPI (Crypt32.dll). 

 

The published tools are available at:

https://github.com/kudelskisecurity/chainoffools

https://github.com/ollypwn/cve-2020-0601

--- END OF UPDATE ---

 

NSA has discovered a critical vulnerability (CVE-2020-0601) affecting Microsoft Windows® cryptographic functionality. The certificate validation vulnerability allows an attacker to undermine how Windows verifies cryptographic trust and can enable remote code execution. The vulnerability affects Windows 10 and Windows Server 2016/2019 as well as applications that rely on Windows for trust functionality. Exploitation of the vulnerability allows attackers to defeat trusted network connections and deliver executable code while appearing as legitimately trusted entities.

This Advisory is tied to E-ISAC APB 20-01

Additional links:

hXXps://msrc-blog.microsoft.com/2020/01/14/january-2020-security-updates-cve-2020-0601/

hXXps://www.nsa.gov/News-Features/News-Stories/Article-View/Article/2056772/a-very-important-patch-tuesday/

https://www.eisac.com/portal-home/cyber-bulletin-detail?id=122284 

 

Bulletin Type:
Cyber Bulletin
Category Type:
Cyber Security
Impact:
High
Urgency:
Immediate
Purpose:
Situation Awareness
TLP - White
Shared Count (28)
  • Advanced Portal Users Group
  • ANL
  • Canadian CERTs
  • CRISP - Cyber Risk Info Sharing Program
  • DHS - NICC, NCCIC, US-CERT, etc
  • DNG-ISAC
  • DNG-ISAC Portal
  • DOD
  • DOE Complex
  • E-ISAC Administrators
  • E-ISAC AOO Members
  • E-ISAC Staff
  • ESCC, including SEWG
  • FBI, LE Fusion
  • FERC - OEIS, etc
  • FS-ISAC
  • International (other ISACs, CERTs)
  • International AOOs
  • Malware Submissions
  • MS-ISAC
  • NERC PR
  • ONG-ISAC
  • Other (inc. local/state commissions)
  • Portal Feedback
  • ThreatConnect Pilot Program
  • Trade Organizations
  • Watch Floor
  • WaterISAC
Change History
  • Admin, 01/16/2020