2025-01-16 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
This article summarizes the official response to CVE-2020-0601.
After Microsoft released the patch, many media outlets reported on the vulnerability, but their descriptions differ from the official public documents. Microsoft insiders said that some media selectively state the facts, exaggerate them, speculate maliciously, and publish irresponsible and false content. For that reason, the author wants to lay out the facts about the so-called "Microsoft super vulnerability" objectively.
In Microsoft's routine January patch update list, one vulnerability has attracted a lot of attention: CVE-2020-0601, a validation bypass in the way Windows CryptoAPI (Crypt32.dll) handles Elliptic Curve Cryptography (ECC) certificates.
Interestingly, after Microsoft's announcement, the National Security Agency (NSA) also issued an advisory about CVE-2020-0601. According to the announcement, the vulnerability was first independently discovered by the NSA and reported to Microsoft (Microsoft thanked NSA in the report).
Introduction to CVE-2020-0601
Warning notice issued by NSA
Vulnerability overview
The flaw lies in the way Windows CryptoAPI (Crypt32.dll) validates elliptic curve cryptography certificates. Examples where validation of trust may be affected include, but are not limited to, HTTPS connections, signed files and emails, and signed executables launched in user mode.
In addition, the vulnerability allows an attacker to forge a code-signing certificate and use it to sign a malicious executable, making the file appear to come from a trusted source. For example, ransomware or other spyware could carry a seemingly valid certificate when prompting the user to install it. Man-in-the-middle attacks and decryption of confidential information on connections to the affected software are also among the main attack scenarios.
Scope of impact
Currently, Microsoft Windows versions that support certificates using ECC keys with specified parameters are affected, including Windows 10, Windows Server 2016 and 2019, and applications that depend on Windows CryptoAPI.
Versions prior to Windows 10, such as Windows 7, Windows Server 2008 R2, etc., are not affected by this vulnerability.
Mitigation measures
Rapid adoption of the patch is the only known mitigation. Although no attacks have been publicly reported, it is recommended that you install the security updates promptly. After the update, when an attempt to exploit CVE-2020-0601 is detected, Event ID 1 is generated in Event Viewer under Windows Logs after each reboot.
Security recommendations
In addition to installing patches, enterprises can take other measures to protect endpoints, such as:
1. Extract certificates from network traffic and check them for suspicious attributes
2. Route traffic through proxy devices that perform TLS inspection but do not use Windows for certificate validation
3. Deploy private root certification authorities within the enterprise and control the deployment and use of third-party software in specific computer / server locations
4. Qualified enterprises can apply to join the Microsoft Security Update Validation Program (SUVP) or the Microsoft Active Protections Program (MAPP) to obtain security updates from Microsoft in advance for testing and analysis.