ACSC urges businesses to patch cert validation vulnerability

Patch certificate validation, Remote Desktop vulnerabilities ‘urgently’, ACSC says


The Australian Cyber Security Centre (ACSC) has issued an advisory calling for Windows users to urgently apply a Microsoft patch that addresses a certificate validation vulnerability.

The US National Security Agency reported the vulnerability, designated CVE-2020-0601, to Microsoft, and a fix was included in the vendor’s latest Patch Tuesday release. The certificate validation vulnerability affects Windows 10 and Windows Server 2016/2019 as well as applications that rely on Windows for trust functionality, the NSA said in its advisory (PDF).

“It is critical for enterprises to apply the patch fully across their Windows 10 and Server 2016 installed base; attackers excel at finding vulnerable targets,” Neal Ziring, the technical director of the agency’s cybersecurity directorate, warned.

Microsoft said it had categorised the vulnerability in CRYPT32.DLL as “important”, saying that it had not seen it used in active attacks. The software vendor's patch for CVE-2020-0601 writes an Event ID 1 entry to the Windows Application event log when an attempt is made to exploit the vulnerability, which gives patched hosts a built-in detection signal.
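As a worked example of using that signal, the following PowerShell function (added here; it is not code from the article, Microsoft or the ACSC) collects the exploitation-attempt events from the Application log on one or more hosts. The article only gives the log name and the event ID; the provider name `Microsoft-Windows-Audit-CVE` is an assumption taken from Microsoft's guidance for this update and should be confirmed against one of your own patched machines before the query is relied on.

```powershell
# Added example, not from the article: pull CVE-2020-0601 detection events written by the patched
# CRYPT32.DLL. Assumptions: Application log, Event ID 1, provider 'Microsoft-Windows-Audit-CVE'
# (provider name not stated in the article; verify on a patched host).
function Get-CurveBallAttempt {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [datetime]$StartTime    = (Get-Date).AddDays(-7)
    )

    foreach ($computer in $ComputerName) {
        $filter = @{
            LogName      = 'Application'
            ProviderName = 'Microsoft-Windows-Audit-CVE'   # assumption, see lead-in
            Id           = 1
            StartTime    = $StartTime
        }

        # Get-WinEvent throws rather than returning nothing when no event matches,
        # so treat "no events found" as an empty result instead of a failure.
        try {
            $events = Get-WinEvent -ComputerName $computer -FilterHashtable $filter -ErrorAction Stop
        } catch {
            if ($_.Exception.Message -like '*No events were found*') { continue }
            Write-Warning "$computer : $($_.Exception.Message)"
            continue
        }

        # The same audit provider can carry other CVE-related audit events, so keep only
        # entries whose message names this CVE.
        foreach ($e in $events | Where-Object { $_.Message -like '*CVE-2020-0601*' }) {
            [pscustomobject]@{
                Computer = $computer
                Time     = $e.TimeCreated
                EventId  = $e.Id
                Message  = $e.Message
            }
        }
    }
}

# Usage: sweep a list of hosts and keep the results for the incident record.
# Remote queries need the Windows Event Log service reachable and rights to read the log.
Get-CurveBallAttempt -ComputerName 'HOST-A', 'HOST-B' -StartTime (Get-Date).AddDays(-30) |
    Export-Csv -Path .\curveball-events.csv -NoTypeInformation
```

An event from this query means a certificate that failed the corrected validation was presented to the host, so the process named in the message is the place to start triage; an empty result on an unpatched host means nothing, because the event is only written once the fix is installed.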

The spoofing vulnerability relates to how the Windows CryptoAPI validates Elliptic Curve Cryptography (ECC) certificates, Microsoft’s advisory said.

“An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source.

“The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider.

“A successful exploit could also allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software.”

The NSA in its advisory said it assessed the vulnerability “to be severe and that sophisticated cyber actors will understand the underlying flaw very quickly and, if exploited, would render the previously mentioned platforms as fundamentally vulnerable.”

“The consequences of not patching the vulnerability are severe and widespread,” the NSA said.

Ziring said in his blog entry that NSA contributed to addressing the CVE-2020-0601 “by discovering and characterizing the vulnerability, and then sharing with Microsoft quickly and responsibly.”

The ACSC’s advisory also highlighted Microsoft’s patches for two Windows Remote Desktop Gateway remote code execution vulnerabilities and an RCE for Windows Remote Desktop Client.

The NSA’s role in alerting Microsoft to CVE-2020-0601 could once more put the US government’s Vulnerabilities Equity Process (PDF) in the spotlight.

The document sets out “whether to disseminate vulnerability information to the vendor/supplier in the expectation that it will be patched, or to temporarily restrict the knowledge of the vulnerability to the USG, and potentially other partners, so that it can be used for national security and law enforcement purposes, such as intelligence collection, military operations, and/or counterintelligence.”

The NSA’s EternalBlue exploit, released in a public dump by the Shadow Brokers in 2017, was employed by the WannaCry ransomware and later by NotPetya.

Chris Morales, head of security analytics at Vectra AI, paid tribute to the NSA for alerting Microsoft to CVE-2020-0601 and to the vendor for quickly rolling out a fix.

“I'd be interested to understand what makes this exploit worth reporting to Microsoft instead of keeping for their personal arsenal as they have in the past,” Morales said in a statement.

“It could be because many of those previous tools leaked and have caused widespread damage across multiple organisations. It could be because there was concern others would find this vulnerability themselves and it was dangerous enough to warrant remediation instead of weaponising. Or it just could be the NSA already has enough other methods for compromising a Windows system and doesn’t need it.”

The Australian Signals Directorate (ASD), which leads the ACSC, in March 2019 for the first time made public its own decision-making process for deciding whether to release or hold back details of a security vulnerability.

The ASD’s “responsible release framework for cyber security vulnerabilities” is guided by eight key principles. These include an assessment of the likelihood that a malicious actor will exploit the weakness and the impact if one does so.

When a vulnerability is retained, the agency says it will work to mitigate any threat to Australian systems, for example through the release of security advice that can address the issue.

ASD decisions to retain vulnerabilities are subject to quarterly internal reviews by the agency’s director-general, and an annual report is prepared for the Inspector-General of Intelligence and Security and also transmitted to the defence minister.


Copyright © 2020 IDG Communications, Inc.
