Microsoft Security Updates for January 2020 (commonly known as Patch Tuesday) have been released to the public today. On Monday, there were various grumblings via the Twittersphere about a high-profile vulnerability that would be addressed in this Patch Tuesday update. This cumulative update addresses 50 CVEs, among them one notable vulnerability, CVE-2020-0601 (CryptoAPI Spoofing Vulnerability).
First discovered by the United States National Security Agency (NSA) and disclosed to Microsoft, CVE-2020-0601 is a spoofing vulnerability in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. It allows a spoofed certificate to pass code-signature validation, so malware can appear to originate from a trusted source. This has serious implications because the certificates are neither stolen nor forged in the usual sense: they appear legitimate because they chain correctly to a trusted root, which in turn allows bypass of AV endpoints and of any other control that whitelists trusted signed files. Furthermore, this vulnerability allows man-in-the-middle attacks and the decryption of confidential information on affected software.
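The public advisories for CVE-2020-0601 describe the flaw as concerning ECC certificates whose key is specified by explicit curve parameters rather than by a named-curve OID; certificates issued by legitimate CAs essentially always use a named curve, so the presence of explicit parameters is the signal a defender can look for when reviewing certificates. The following Python is an added example, not code from this post, Fortinet, Microsoft or the NSA: a minimal DER walker that reads a SubjectPublicKeyInfo (or pulls it out of a full X.509 certificate) and reports whether the EC key uses a named curve or explicit parameters. The sample structures are constructed inline; the key and parameter values in them are placeholders, not a real curve.

```python
# Added example: classify the EC key in a DER SubjectPublicKeyInfo as named-curve
# vs explicit-parameters with a minimal DER walker. All sample inputs are constructed.

OID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"   # id-ecPublicKey
OID_PRIME256V1 = "1.2.840.10045.3.1.7"    # secp256r1 / P-256
OID_PRIME_FIELD = "1.2.840.10045.1.1"     # prime-field (ECParameters fieldType)


def _read_tlv(data, pos):
    """Parse one DER TLV at pos; return (tag, contents, position after it)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def _decode_oid(contents):
    """Decode OID contents bytes into dotted form."""
    arcs = [contents[0] // 40, contents[0] % 40]
    acc = 0
    for b in contents[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def classify_ec_spki(spki_der):
    """Return 'named-curve', 'explicit-parameters', 'implicit-curve' or 'not-ec'."""
    tag, spki, _ = _read_tlv(spki_der, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    _, alg, _ = _read_tlv(spki, 0)         # AlgorithmIdentifier
    tag, oid, nxt = _read_tlv(alg, 0)      # algorithm OID
    if tag != 0x06 or _decode_oid(oid) != OID_EC_PUBLIC_KEY:
        return "not-ec"
    if nxt >= len(alg):
        return "implicit-curve"            # parameters absent
    tag, _, _ = _read_tlv(alg, nxt)        # ECParameters CHOICE
    if tag == 0x06:
        return "named-curve"
    if tag == 0x30:
        return "explicit-parameters"       # the shape worth reviewing for CVE-2020-0601
    return "implicit-curve"                # NULL / implicitlyCA


def spki_from_certificate(cert_der):
    """Extract the DER SubjectPublicKeyInfo from an X.509 Certificate."""
    _, cert, _ = _read_tlv(cert_der, 0)    # Certificate SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)         # TBSCertificate SEQUENCE
    pos = 0
    tag, _, nxt = _read_tlv(tbs, pos)
    if tag == 0xA0:                        # optional [0] EXPLICIT version
        pos = nxt
    for _ in range(5):                     # serialNumber, signature, issuer, validity, subject
        _, _, pos = _read_tlv(tbs, pos)
    _, _, end = _read_tlv(tbs, pos)        # subjectPublicKeyInfo
    return tbs[pos:end]


# --- DER encoders used only to construct the sample inputs below ---
def _tlv(tag, contents):
    n = len(contents)
    if n < 0x80:
        return bytes([tag, n]) + contents
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + contents


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        out.extend(chunk)
    return _tlv(0x06, bytes(out))


def make_ec_spki(params_der):
    """Constructed SPKI: id-ecPublicKey + given parameters + placeholder public key."""
    alg = _tlv(0x30, _encode_oid(OID_EC_PUBLIC_KEY) + params_der)
    point = _tlv(0x03, b"\x00\x04" + bytes(64))   # placeholder bytes, not a real point
    return _tlv(0x30, alg + point)


# Explicit ECParameters skeleton with placeholder values (constructed, not a real curve):
# SEQUENCE { version 1, fieldID { prime-field, p }, curve { a, b }, base, order }
EXPLICIT_PARAMS = _tlv(0x30,
    _tlv(0x02, b"\x01")
    + _tlv(0x30, _encode_oid(OID_PRIME_FIELD) + _tlv(0x02, b"\x17"))
    + _tlv(0x30, _tlv(0x04, b"\x01") + _tlv(0x04, b"\x02"))
    + _tlv(0x04, b"\x04\x05\x06")
    + _tlv(0x02, b"\x0b"))

NAMED_SPKI = make_ec_spki(_encode_oid(OID_PRIME256V1))
EXPLICIT_SPKI = make_ec_spki(EXPLICIT_PARAMS)


def make_certificate(spki_der):
    """Constructed minimal Certificate wrapper (empty names/validity, dummy signature)."""
    tbs = _tlv(0x30,
        _tlv(0xA0, _tlv(0x02, b"\x02"))    # version v3
        + _tlv(0x02, b"\x01")              # serialNumber
        + _tlv(0x30, b"") * 4              # signature, issuer, validity, subject (empty)
        + spki_der)
    return _tlv(0x30, tbs + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))


if __name__ == "__main__":
    for label, spki in (("named", NAMED_SPKI), ("explicit", EXPLICIT_SPKI)):
        print(label, classify_ec_spki(spki),
              classify_ec_spki(spki_from_certificate(make_certificate(spki))))
```

To run this over real material, read a DER-encoded .cer file and pass its bytes to `spki_from_certificate` followed by `classify_ec_spki`; PEM input needs its base64 body decoded first. The check deliberately looks only at the tag of the ECParameters element, which is enough to triage: a named-curve OID is the normal case, and an explicit parameter SEQUENCE in a CA or code-signing certificate is what merits a closer look.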
It is safe to surmise that in-the-wild exploits will appear after Patch Tuesday, on what the InfoSec community calls "Exploit Wednesday", the day attackers begin reverse engineering the newly available patches. Sophisticated threat actors will likely try to leverage this disclosure and add it to their arsenal within the coming weeks.
We will continue to update this blog with any further relevant updates once available. For further information and guidance please view the reference section at the end of this document.
What versions of software are affected?
This vulnerability affects the Windows 10, Windows Server 2016 and Windows Server 2019 platforms. Regarding mitigation, if automatic updates are turned off, it is highly recommended to apply this month's update as soon as feasible.
Have there been reports of in the wild exploitation?
No. According to the Microsoft advisory, there have not been any reports of in-the-wild (ITW) exploitation. However, attackers are expected to reverse engineer this vulnerability disclosure in order to attack unpatched machines.
What is the status of AV and IPS coverage?
Fortinet customers running the latest definitions set (15.757) are currently protected against CVE-2020-0601 by our IPS signature:
AV coverage is not feasible for this event.