Microsoft reportedly acted on an NSA warning, creating and issuing a secret out-of-band patch to the military and other high-value targets that fixes CVE-2020-0601, a vulnerability affecting a core cryptographic component present in all versions of Windows.
Published reports stated that the NSA informed Microsoft of the vulnerability and this knowledge enabled Microsoft to quickly fix the problem and push out a patch, which was released to the general public today. Cybersecurity execs called the vulnerability a potential "force multiplier" for an attack and heaped praise on the NSA for telling Microsoft, a move that has not always taken place previously.
Synopsys said the patch for CVE-2020-0601 in crypt32.dll was pushed out prior to today’s normal Patch Tuesday security rollout, although at this time the security firm does not have many details on the vulnerability itself.
“This is serious news, as the crypt32.dll is a module needed for securing the Microsoft Operating Systems. We still don’t know precisely what the bug is and how easily it could be exploited, as that hasn’t been fully disclosed yet, but there are some pointers online that can give us an idea,” said Boris Cipot, a senior security engineer with Synopsys.
Renaud Deraison, co-founder and CTO of Tenable, fully expects cybercriminals intent on ransomware and phishing attacks to take advantage of this vulnerability, adding that it is an excellent turn of events that the NSA informed Microsoft. However, with the security patch in place, computers can be secured.
“CVE-2020-0601 hits at the very trust we have in today's digital computing environments -- trust to authenticate binaries and trust that our ciphered communications are properly protected. The flaw would enable an attacker, among other things, to exploit how Windows verifies cryptographic trust, enabling them to deliver executable code and making it look like it came from a trusted source,” he said.
Cipot strongly recommended implementing the crypt32.dll patch as soon as it is available, and only downloading the update from Microsoft’s Update and Security section in Windows 10. He also warned that malicious actors may attempt to take advantage of this issue, but perhaps not in the way one would expect.
The fact that the NSA reported this to Microsoft, unlike EternalBlue, was an interesting move, said Rick Holland, CISO and vice president of strategy at Digital Shadows.
“I’d be interested to understand what makes this exploit worth reporting to Microsoft instead of keeping for their personal arsenal as they have in the past. It could be because many of those previous tools leaked and have caused widespread damage across multiple organizations. It could be because there was a concern others would find this vulnerability themselves and it was dangerous enough to warrant remediation instead of weaponizing,” he said.
Automox’s Senior Technical Product Manager Richard Melick optimistically hoped the NSA’s actions in this case indicate a sign of growth at an agency that is better known in cyber circles for hoarding vulnerabilities for use against enemies.
“While it is relatively uncommon for a vulnerability of this severity to make it through the NSA's Equities process and not be weaponized and kept secret for its offensive capabilities, it does allude to a possible shift in mentality. The agency has caught a lot of bad publicity with recent ransomware infections that were made possible by EternalBlue in cities such as Baltimore and Atlanta,” he said.
“Importantly, users are also urged not to trust websites or emails with links that offer patches for the crypt32.dll. Phishers prey on announcements of security flaws and design campaigns aimed at exploiting people’s desire to patch a vulnerability as soon as possible,” he said.
This is in addition to a very busy Patch Tuesday for Microsoft which saw it start to wind down support for Windows 7 and roll out patches for 47 vulnerabilities, seven rated as critical.
Jimmy Graham, Qualys’ director of product management, pointed out the Win32k patches CVE-2019-1468 and CVE-2019-145 for workstations, as well as CVE-2019-1471, a remote code execution vulnerability patched in Hyper-V that would allow an authenticated user on a guest system to run arbitrary code on the host system.
CVE-2019-1349 and CVE-2019-1469 were at the top of Melick’s list, with the former needing an extra bit of attention.
“CVE-2019-1349 is a remote code execution exploit that exists when Git for Visual Studio client improperly sanitizes input. As Visual Studio is one of the most popular development environments used today to design and build applications, this exploit puts engineering organizations on the front lines of a potential attack,” he said.
Some of the critical-rated issues are remote code execution problems: CVE-2020-0603 in ASP.NET Core; CVE-2020-0605 in various versions of Microsoft .NET Framework; and CVE-2020-0609 in Windows Server 2019, 2016, 2012 and 2012 R2.