UPDATE: ICS Considerations for Windows Cryptographic Vulnerability (CVE-2020-0601)

Posting ID 122323
Date Added: 1/15/2020
Date Modified: 1/16/2020
Jeff Jones | E-ISAC Staff

Description

--- UPDATE ---

Open source reporting [hXXps://www.zdnet.com/article/proof-of-concept-exploits-published-for-the-microsoft-nsa-crypto-bug/] has announced that several security researchers have published proof-of-concept code to exploit the recently-announced CVE-2020-0601 vulnerability of the Microsoft Windows CryptoAPI (Crypt32.dll). 

 

The published tools are available at:

https://github.com/kudelskisecurity/chainoffools

https://github.com/ollypwn/cve-2020-0601

--- END OF UPDATE ---

 

As part of its ‘Patch Tuesday’ release, on January 14, 2020 Microsoft released a patch to mitigate an improper certificate validation vulnerability in the crypt32.dll Crypto API (tracked as CVE-2020-0601) in Microsoft Windows 10, and Microsoft Server 2016 and 2019. The Crypto API is used by software that verifies signed code and TLS. The E-ISAC recommends that organizations test and apply these patches to affected systems as soon as possible throughout their enterprise IT environments, consistent with established change management practices for deployment of urgent software updates.

The E-ISAC recognizes that industrial and operational technology environments pose unique challenges for system administrators in urgent, critical patch situations. We advise members to familiarize themselves with the Advisories from Microsoft, the NSA, and CISA in detail, then work closely with their leadership and system vendors to follow established risk-based methodologies to evaluate each of your environments’ defense-in-depth strategies.

Where possible, apply these patches as soon as you can and within accepted change management windows, and prioritize critical assets according to the Advisories giving particular consideration to hosts exposed to external networks. In situations where the patches cannot be immediately applied, we advise close collaboration between system administrators and operational support/system owners to examine network architectures to ensure appropriate system segmentation, visibility for network security monitoring capability, log management and review ability, multi-factor authentication for remote and sensitive system access, verification/validation of software updates, and endpoint protection (where applicable). We advise taking a close look at ICS architectures to ensure that only systems that need to communicate with one another do so, restrict anything outside of that, and configure alerting to identify any communications, system access and behaviors, and privilege escalations outside expected norms. 

If you need further assistance with mitigation strategies and critical infrastructure best practices, don’t hesitate to contact the E-ISAC.

Bulletin Type:
Cyber Bulletin
Category Type:
Cyber Security
Impact:
High
Urgency:
Immediate
Purpose:
Situation Awareness
TLP - White
Shared Count (26)
  • Advanced Portal Users Group
  • ANL
  • Canadian CERTs
  • CRISP - Cyber Risk Info Sharing Program
  • DHS - NICC, NCCIC, US-CERT, etc
  • DNG-ISAC
  • DNG-ISAC Portal
  • DOD
  • DOE Complex
  • E-ISAC Administrators
  • E-ISAC AOO Members
  • E-ISAC Staff
  • ESCC, including SEWG
  • FBI, LE Fusion
  • FERC - OEIS, etc
  • FS-ISAC
  • International (other ISACs, CERTs)
  • International AOOs
  • MS-ISAC
  • NERC PR
  • ONG-ISAC
  • Other (inc. local/state commissions)
  • ThreatConnect Pilot Program
  • Trade Organizations
  • Watch Floor
  • WaterISAC
Change History
  • Admin, 01/16/2020
  • Jeff Jones, 01/15/2020