The U.S. National Security Agency (NSA) has informed Microsoft that Windows is affected by a potentially serious spoofing vulnerability that could allow hackers to make a malicious file appear to come from a trusted source or conduct man-in-the-middle (MitM) attacks.
The NSA reached out to reporters to inform them about the vulnerability before Microsoft released its patches. The agency led many to believe that the flaw was highly critical, but some experts say it’s less serious than they expected.
The vulnerability, tracked as CVE-2020-0601, impacts Windows 10, Server 2016 and Server 2019; applications that rely on Windows for trust functionality are also affected. There is no evidence that it has been exploited in attacks.
Microsoft, which has rated the vulnerability “important,” says it exists in the way the CryptoAPI (Crypt32.dll) component in Windows validates Elliptic Curve Cryptography (ECC) certificates. The company says it can allow an attacker to sign malicious files using a spoofed code-signing certificate, which makes the file appear as if it’s coming from a trusted source.
An attacker could also conduct MitM attacks and obtain sensitive information from the targeted connection.
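The article does not spell out the mechanism: the flaw stems from Crypt32 matching a certificate to a cached trusted root by its public key without also checking the ECC curve parameters the certificate itself carries, so a certificate that encodes explicit curve parameters instead of a named curve is the artefact a defender wants to spot. As an added example, not code from the article or from Microsoft, the Python below classifies how a DER-encoded SubjectPublicKeyInfo identifies its curve; the two sample SPKIs it builds are constructed for the demonstration and contain filler key bytes.

```python
# Added example, not from the article: classify how a DER-encoded
# SubjectPublicKeyInfo (SPKI) identifies its ECC curve. CA-issued certificates
# name the curve by OID; an SPKI that instead carries explicit curve parameters
# is the shape associated with CVE-2020-0601 and should be flagged or rejected.
ID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")  # OID 1.2.840.10045.2.1
PRIME256V1 = bytes.fromhex("2a8648ce3d030107")      # OID 1.2.840.10045.3.1.7


def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the contents of a constructed DER element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def ecc_curve_encoding(spki_der):
    """Return 'named', 'explicit', 'implicit', 'unknown' or 'not-ecc'."""
    algorithm, _public_key = children(read_tlv(spki_der)[1])
    alg_fields = children(algorithm[1])  # algorithm OID, then optional parameters
    if alg_fields[0] != (0x06, ID_EC_PUBLIC_KEY):
        return "not-ecc"
    if len(alg_fields) < 2:
        return "implicit"
    kinds = {0x06: "named", 0x30: "explicit", 0x05: "implicit"}
    return kinds.get(alg_fields[1][0], "unknown")

def tlv(tag, body):
    """Encode one DER element; used here only to build the constructed samples."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    ln = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

# Constructed samples. The uncompressed point bytes are filler, not a real key.
KEY_BITS = tlv(0x03, b"\x00" + b"\x04" + bytes(range(64)))  # BIT STRING, 0 unused bits
EC_OID = tlv(0x06, ID_EC_PUBLIC_KEY)
NAMED_SPKI = tlv(0x30, tlv(0x30, EC_OID + tlv(0x06, PRIME256V1)) + KEY_BITS)
# Explicit parameters: an ECParameters SEQUENCE where the curve OID belongs. Only the
# outer tag matters to the classifier, so the body is a placeholder version INTEGER.
EXPLICIT_SPKI = tlv(0x30, tlv(0x30, EC_OID + tlv(0x30, tlv(0x02, b"\x01"))) + KEY_BITS)
```

To run it against a real certificate, extract the SPKI with `openssl x509 -in cert.pem -pubkey -noout`, base64-decode the PEM body and pass the bytes to `ecc_curve_encoding`.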
The NSA has described the vulnerability as critical and pointed out that it could impact trust in HTTPS connections, signed files and emails, and signed executable code.
“NSA assesses the vulnerability to be severe and that sophisticated cyber actors will understand the underlying flaw very quickly and, if exploited, would render the previously mentioned platforms as fundamentally vulnerable. The consequences of not patching the vulnerability are severe and widespread. Remote exploitation tools will likely be made quickly and widely available,” the NSA said in its advisory.
The agency said that exploitation of the vulnerability could lead to remote code execution. However, experts have pointed out that code execution cannot be achieved directly through CVE-2020-0601.
“When NSA says CVE-2020-0601 enables Remote Code Execution, they mean that trusted communication channels like automatic update downloads and non-validated input between systems could be modified in-transit by a MitM, to cause RCE or other malevolent ends,” the researcher who uses the online moniker SwiftOnSecurity explained on Twitter.
SwiftOnSecurity noted that the vulnerability could be highly useful to a nation-state actor that can compromise the network infrastructure of its adversaries.
“The gravest impacts of this are established societal and industrial infrastructure. Bank communications. Infrastructure control. Heavy industry,” the researcher said.
Johannes Ullrich of the SANS Technology Institute also commented on the severity of the flaw, noting that it can have a serious impact on endpoint security in some cases.
“If you are having issues with your users enabling macros in Office documents they receive from untrusted sources and if nothing blocks them from downloading and executing malware: Don’t worry. You are not validating signatures anyway. However, if you have an endpoint solution that blocks users from running untrusted code: You likely need to worry and apply this patch quickly,” Ullrich explained in a blog post. “This library is used by pretty much all Windows software that deals with encryption and digital signatures. This flaw is likely going to affect a lot of third-party software as well, not just software written by Microsoft.”
The NSA has openly admitted that it does not disclose all of the vulnerabilities it finds, but security blogger Brian Krebs learned from sources that this is the first of many security flaws the NSA plans on disclosing to affected vendors and the public as part of a new initiative.
“I’d be interested to understand what makes this exploit worth reporting to Microsoft instead of keeping for their personal arsenal as they have in the past. It could be because many of those previous tools leaked and have caused widespread damage across multiple organizations. It could be because there was a concern others would find this vulnerability themselves and it was dangerous enough to warrant remediation instead of weaponizing,” Chris Morales, head of security analytics at Vectra, told SecurityWeek. “Or it just could be the NSA already has enough other methods for compromising a Windows system and doesn’t need it.”
SwiftOnSecurity also has a theory on why the NSA disclosed the vulnerability: “This is a fast-checkmate flaw for a hugely resourced and patient global actor like the NSA, but it’s a far greater systemic threat to the United States, which explains why this was properly disclosed to Microsoft.”
Microsoft’s Patch Tuesday updates for January 2020 address nearly 50 vulnerabilities, including several critical RDP-related issues. However, none of the flaws have been exploited in the wild or disclosed to the public before patches were released.