What triggered intel agency’s disclosure of flaw that undermines internet trust?
Microsoft fixed a serious cryptographic flaw that made it possible to forge digital certificates as part of its first Patch Tuesday release of 2020.
The Windows CryptoAPI spoofing vulnerability (CVE-2020-0601) was reported to Microsoft by the US National Security Agency (NSA).
The Windows CryptoAPI module provides services for encrypting and decrypting data. The spoofing vulnerability arose from shortcomings in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates.
The security vulnerability affects Windows 10 and Windows Server 2016/2019, as well as applications that rely on Windows for trust functionality.
Microsoft warned the flaw could be abused to make malicious code appear as if it was signed by a trusted source, or to mount man-in-the-middle attacks.
In its advisory (PDF), the NSA warned that trust in HTTPS connections might also be affected by the vulnerability.
A website might abuse the bug to impersonate a valid website as part of a technically sophisticated phishing attack, the agency said.
Neither the NSA nor Microsoft report any exploits in the wild, although both were emphatic in their recommendation of prompt triage.
The NSA warns that foreign intel agencies and governments are likely to develop exploits in order to target unpatched systems.
“NSA assesses the vulnerability to be severe and that sophisticated cyber actors will understand the underlying flaw very quickly and, if exploited, would render the previously mentioned platforms as fundamentally vulnerable,” the intel agency warns.
“The consequences of not patching the vulnerability are severe and widespread. Remote exploitation tools will likely be made quickly and widely available.
“Rapid adoption of the patch is the only known mitigation at this time and should be the primary focus for all network owners,” it added.
Amit Yoran, chairman and chief executive at Tenable and founding director of the United States Computer Emergency Readiness Team (US-CERT) program within the US Department of Homeland Security, said the discovery of the flaw by the NSA and the pre-announcement availability of patches opened up some as-yet unanswered questions.
“For the US government to share its discovery of a critical vulnerability with a vendor is exceptionally rare, if not unprecedented,” Yoran said.
“It underscores the criticality of the vulnerability and we urge all organisations to prioritize patching their systems quickly.
He added: “The fact that Microsoft provided a fix in advance to US government and other customers which provide critical infrastructure is also highly unusual. These are clearly noteworthy shifts from regular practices and make this vulnerability worth paying attention to and also worth asking questions about.
“How long ago was the vulnerability discovered? How long did it take from discovery to reporting? Was it used by the NSA? Has it been observed being used by foreign intelligence services already? What triggered the vendor disclosure? None of these questions change what organisations need to do at this point to protect themselves, but their answers might tell us a lot more about the environment we operate in.”
Tuesday’s release marked the last time Microsoft will publish free security updates for Windows 7, which reached end-of-life status on January 14.
The January Patch Tuesday batch also includes fixes for two BlueKeep-like critical vulnerabilities in Windows Remote Desktop Gateway.
Additional commentary – and a patch dashboard – for this month Patch Tuesday can be found in a blog post by the SANS Institute’s Internet Storm Centre.