Show vulnerabilities with patch / with exploit

Spoofing attack in Microsoft Windows CryptoAPI



Published: 2020-01-14 | Updated: 2020-01-17
Severity High
Patch available YES
Number of vulnerabilities 1
CVE ID CVE-2020-0601
CWE ID CWE-451
Exploitation vector Network
Public exploit Vulnerability #1 is being exploited in the wild.
Vulnerable software
Subscribe
Windows
Operating systems & Components / Operating system

Windows Server
Operating systems & Components / Operating system

Vendor Microsoft

Security Advisory

UPDATED: 17.01.2020
Added information about in the wild exploitation of the vulnerability, updated CVSS score and references section.

1) Spoofing attack

Severity: High

CVSSv3: 7.7 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N/E:H/RL:O/RC:C] [PCI]

CVE-ID: CVE-2020-0601

CWE-ID: CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)

Exploit availability: Yes [Search exploit]

Description

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. A remote attacker can use a spoofed code-signing certificate to sign a malicious executable, make it appear the file was from a trusted, legitimate source, trick a victim to open it and gain access to sensitive information.

A successful exploit could also allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software.

Updated
According to VirusTotal, there is in the wild exploitation of his vulnerability as of January 17, 2020.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Windows: 10, 10 1607, 10 1709, 10 1803, 10 1809, 10 1903, 10 1909

Windows Server: 1803, 1903, 1909, 2016, 2019

CPE External links

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601
https://www.virustotal.com/gui/file/d6ab910259c9bc68196aeec3e9ff4864bada22738c02ecf5ada7912ced292d28...

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.