WINDOWS CRYPTOAPI VULNERABILITY

Priority: High

Executive Summary: Microsoft’s latest Patch Tuesday includes a fix to address a vulnerability in Windows CryptoAPI, specifically in crypt32.dll, which implements “Certificate and Cryptographic Messaging functions in the CryptoAPI”. The flaw would allow an attacker to spoof a code-signing certificate, enabling them to sign malicious executables, masquerade as legitimate websites and perform man-in-the-middle attacks [1,2].

Certificates are relied upon particularly by security professionals and antivirus software to ensure that executables being run have been developed and published by a legitimate software developer and are not malware masquerading as a legitimate application.

This Windows CryptoAPI vulnerability means that an attacker could forge a certificate, allowing them to make code and websites look as though they were signed by a trusted source. A user inspecting the certificate would not be able to tell the forged certificate from the legitimate one. Certificates ensure that when a user connects to a website, they are visiting the intended website and not a fake created by an adversary. They also assure the user that no malicious actor is sitting in the middle of the connection, watching all of the user’s activity in a man-in-the-middle attack scenario.

Microsoft have, understandably, not released the technical details of how to exploit the vulnerability. Currently no proof of concept has been published and the vulnerability is not known to be exploited in the wild. However, the vulnerability was disclosed to Microsoft by the National Security Agency (NSA).

The NSA has been criticised publicly for exploiting zero-day vulnerabilities itself without disclosing them to vendors [3], but has decided to disclose this vulnerability before other adversaries become aware of it and begin utilising it. The exploit used by WannaCry to infect hundreds of thousands of computers in 2017, ‘EternalBlue’, was originally used by the NSA before it was stolen by the Shadow Brokers group and leaked to the public. The disclosure to Microsoft in this case will help prevent a similar scenario occurring again.

ITC recommends updating any affected systems as soon as possible.

Detect: Any of the affected operating systems (listed below) which have not already been updated remain vulnerable.

The ITC SOC will be reaching out to customers who have a Managed VI service to offer ad hoc scans to identify affected operating systems.

Affected Products:

The following operating systems are susceptible to this vulnerability:

  • Windows 10
  • Windows Server 2016
  • Windows Server 2019

Note that whilst not vulnerable, Windows 7 reached end of support on January 14th 2020 and will no longer receive security updates [4]. ITC strongly recommends upgrading any devices still running Windows 7 to Windows 10 to continue receiving security updates.
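The check described under Detect above, written out as an added example (not part of the ITC advisory or of Microsoft's tooling): it reports whether the local host runs one of the listed operating systems, whether any update has been installed since the January 2020 Patch Tuesday, the installed crypt32.dll version for comparison against Microsoft's advisory, and whether the post-update Audit-CVE event has fired. It assumes the fix shipped in the 14 January 2020 release and that the authoritative patched file version is taken from Microsoft's advisory.

```powershell
# Added example, not part of the advisory. Run in an elevated PowerShell session.
# Assumptions: the fix shipped on the 14 January 2020 Patch Tuesday; the KB number
# and patched crypt32.dll version must be taken from Microsoft's release notes [2].
$AffectedCaptions = @('Windows 10', 'Windows Server 2016', 'Windows Server 2019')
$PatchTuesday     = Get-Date '2020-01-14'

# Identify the operating system and compare against the affected list.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$isAffected = $false
foreach ($name in $AffectedCaptions) {
    if ($os.Caption -like "*$name*") { $isAffected = $true }
}

# Cumulative updates installed on or after Patch Tuesday are a heuristic only;
# confirm against the KB number for this CVE in Microsoft's release notes.
$recentUpdates = Get-HotFix | Where-Object { $_.InstalledOn -ge $PatchTuesday }

# Report the installed crypt32.dll version so it can be checked against the
# patched version published by Microsoft (not reproduced here).
$crypt32Version = (Get-Item "$env:SystemRoot\System32\crypt32.dll").VersionInfo.FileVersion

# Once the update is applied, Windows logs attempts to use a spoofed certificate
# as Event ID 1 from source Microsoft-Windows-Audit-CVE in the Application log.
# Zero events on an unpatched host means nothing; the provider only exists after patching.
$cveEvents = Get-WinEvent -FilterHashtable @{
    LogName = 'Application'; ProviderName = 'Microsoft-Windows-Audit-CVE'; Id = 1
} -ErrorAction SilentlyContinue | Where-Object { $_.Message -match 'CVE-2020-0601' }

[pscustomobject]@{
    Host                     = $env:COMPUTERNAME
    OperatingSystem          = $os.Caption
    Build                    = $os.BuildNumber
    InAffectedList           = $isAffected
    UpdatesSincePatchTuesday = @($recentUpdates).Count
    Crypt32Version           = $crypt32Version
    AuditCveEvents           = @($cveEvents).Count
} | Format-List
```

A host that is InAffectedList with zero updates since Patch Tuesday should be treated as unpatched until the specific KB is confirmed; a non-zero AuditCveEvents count is a detection that warrants SOC triage.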

Prevent: Microsoft have released security updates for all affected products. These updates should be implemented on affected systems as soon as possible, to ensure they are protected against the exploit before adversaries begin targeting systems in the wild.

There are no known mitigations for this vulnerability.

React: The appropriate security updates should be applied to all affected systems immediately.

Sources:
[1] https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601
[2] https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/2020-Jan
[3] https://www.arnnet.com.au/article/670270/microsoft-rolls-critical-windows-security-fix-after-nsa-tipoff/
[4] https://www.microsoft.com/en-gb/windows/windows-7-end-of-life-support-information