
Brief analysis of CVE-2020-0601

Microsoft has recently released a patch for a severe vulnerability affecting Windows 10, and Windows Server 2016 and 2019, as predicted by Brian Krebs amongst others on Monday 13 January 2020.

CVE-2020-0601 

The flaw, assigned the CVE identifier CVE-2020-0601, involves one of the most basic components of the Windows API, CryptoAPI, which Windows itself and the software running on it typically use to perform cryptographic operations, such as verifying signed EXE files and the certificates of HTTPS connections.

To be more precise, the vulnerability resides in the way CryptoAPI validates Elliptic Curve Cryptography (ECC) certificates. It allows an attacker to spoof the validity of certificate chains and, for example, trick Windows into thinking that an executable has been code-signed by a proper certification authority.

ECC certificates are used in plenty of applications because they provide several advantages over RSA, such as stronger yet smaller keys, which allow for smaller certificates and save computing power:

For example, a 256-bit ECC key is equivalent to a 3072-bit RSA key and a 384-bit ECC key is equivalent to a 7680-bit RSA key [Source] 

PoCs

Since Microsoft rolled out the patch for the vulnerability, several researchers have explained how the vulnerability works, and some have even provided PoCs [Source], such as creating code-signed exe files.

The explanations of these researchers allow almost anyone to reproduce the vulnerability, and some users have already gone as far as to release working code that allows anyone to create their own code-signed executable.

The following captures show the signature verification of a code-signed malicious executable (to be more precise, a Hawkeye Reborn sample) before and after the patch, created with one of the aforementioned scripts: 

Picture1 CVE-2020-0601

Picture2 CVE-2020-0601

 Picture3 CVE-2020-0601

 

This allows a malicious or a tampered executable to supplant legitimate software, making Windows and the user trust its contents as if it were the original thing. 

Other PoCs involve the potential applications of the vulnerability in Man-in-the-Middle attacks, which allow an attacker to impersonate a legitimate website, duping Windows into trusting the connection:

Picture4 CVE-2020-0601

PoC of man-in-the-middle by @saleemrash1d [Source]  

The attack will work on those browsers that use CryptoAPI to perform certificate validation, such as Google Chrome or Edge. Software that uses its own crypto library, such as Firefox, is not affected.

VirusTotal already detects applications signed using this technique, and tags them with the appropriate CVE ID: 

Picture5 CVE-2020-0601

VirusTotal results for a file signed using CVE-2020-0601 
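A defender-side check related to the detection described above, added here as an example and not taken from the original post or from any vendor's tooling: public analyses of CVE-2020-0601 tie the spoofed certificates to EC keys whose curve is encoded as explicit parameters instead of a named-curve OID, so the code walks a DER structure and reports which encoding each EC key uses. The function names and the sample byte strings are constructed for illustration.

```python
# Added example (not from the original post): report how each EC public key
# in a DER structure encodes its curve. All sample bytes are constructed.
EC_PUBLIC_KEY_OID = bytes.fromhex("2a8648ce3d0201")    # 1.2.840.10045.2.1
PRIME256V1_OID = bytes.fromhex("2a8648ce3d030107")     # 1.2.840.10045.3.1.7

def read_tlv(buf, pos, end):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    if pos + 2 > end:
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > end:
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > end:
        raise ValueError("truncated DER value")
    return tag, pos, pos + length

def children(buf, start, end):
    """Yield every element directly inside buf[start:end]."""
    while start < end:
        tag, vs, ve = read_tlv(buf, start, end)
        yield tag, vs, ve
        start = ve

def ec_curve_encodings(der, start=0, end=None):
    """List 'named', 'explicit' or 'other' for each id-ecPublicKey AlgorithmIdentifier."""
    end = len(der) if end is None else end
    found = []
    for tag, vs, ve in children(der, start, end):
        if not tag & 0x20:                 # primitive type: nothing nested
            continue
        kids = list(children(der, vs, ve))
        if (tag == 0x30 and len(kids) >= 2 and kids[0][0] == 0x06
                and der[kids[0][1]:kids[0][2]] == EC_PUBLIC_KEY_OID):
            found.append({0x06: "named", 0x30: "explicit"}.get(kids[1][0], "other"))
        else:
            found.extend(ec_curve_encodings(der, vs, ve))
    return found

def tlv(tag, *parts):                      # helper to build short constructed samples
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body

KEY_BITS = tlv(0x03, b"\x00\x04")          # stand-in BIT STRING, not a real key
SAMPLE_NAMED = tlv(0x30, tlv(0x30, tlv(0x06, EC_PUBLIC_KEY_OID), tlv(0x06, PRIME256V1_OID)), KEY_BITS)
# Explicit ECParameters stub: SEQUENCE { INTEGER 1 }, deliberately not a usable curve
SAMPLE_EXPLICIT = tlv(0x30, tlv(0x30, tlv(0x06, EC_PUBLIC_KEY_OID), tlv(0x30, tlv(0x02, b"\x01"))), KEY_BITS)
```

An "explicit" result marks a certificate for closer inspection; it is not by itself proof that the flaw was exploited.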

Thankfully the vulnerability was disclosed safely to Microsoft by the NSA, and so it did not become public knowledge until the patch was rolled out to affected systems.  

Needless to say, we advise all users to update their systems on this occasion, but it should be noted that even when the vulnerabilities fixed in a patch do not become as well-known as CVE-2020-0601, threat actors can and will use them for malicious purposes.

Keeping all your software up to date is one of the best cyber-hygiene practices there is to protect yourself against both known and unknown threats. 

We have previously published a technical blog surrounding CryptoAPI in malware. You can read it here. 
