The US National Security Agency (NSA) discovered a serious cryptographic bug, CVE-2020-0601, affecting Windows 10, Windows Server 2019 and Windows Server 2016. The vulnerability lies in Windows CryptoAPI, the core Windows component responsible for cryptographic operations.
NSA researchers found a spoofing flaw in how Windows CryptoAPI (Crypt32.dll) validates ECC (Elliptic Curve Cryptography, a family of public-key methods based on elliptic curves) certificates.
Microsoft warns that an attacker could exploit this vulnerability to sign a malicious executable so that it appears to come from a trusted, legitimate source. Worse, the vulnerability could also be used to forge the digital certificates used for encrypted communications: successful exploitation allows man-in-the-middle (MitM) attacks and the decryption of confidential data in user connections.
Although Microsoft rated the fix for this bug as "important" rather than "critical", and the vulnerability has not yet been observed in real attacks, the problem is considered so serious that the NSA took a step unprecedented for the agency: it reported the vulnerability to the developers instead of withholding the information and using it for its own operations. Moreover, Anne Neuberger, Director of Cybersecurity at the NSA, stressed that the disclosure of CVE-2020-0601 is only the beginning, and that the agency intends to change its approach to cybersecurity, meaning further vulnerability disclosures will follow.
The NSA has already released its own security guide containing information on ways to mitigate the vulnerability and methods for detecting its exploitation, and has urged companies and users to install the released patches as soon as possible.