Windows Server Vulnerability: Action Required

15th January, 2020

An alert from the National Security Agency (NSA) warns Windows 10 and Windows Server 2016/2019 users and administrators to patch systems immediately.  

Critical patch required for cryptographic vulnerability in Microsoft Windows servers 

A critical vulnerability (CVE-2020-0601) affects Windows cryptographic functionality. The certificate validation flaw allows an attacker to undermine how Windows verifies cryptographic trust and can enable remote code execution. It affects systems running Windows 10 and Windows Server 2016/2019, and any application that relies on Windows for trust functionality.

Windows Server vulnerability system risks 

Attackers who exploit the vulnerability can defeat trusted network connections such as TLS and SSL and deliver executable code while appearing to be a legitimately trusted entity. For example, an attacker can sign a malicious executable with a spoofed code-signing certificate, or present a spoofed certificate on a man-in-the-middle TLS connection. Because the system believes the attacker is a trusted source, the signature and certificate checks that would normally catch the intrusion pass.

According to the alert, the flawed validation of trust affects “HTTPS connections, signed files and emails, and signed executable code launched as user-mode processes.” The NSA classifies the vulnerability as severe and expects the flaw to be exploited quickly by “sophisticated cyber actors.”

Engadget reports that “An exploit in that area could affect authentication on Windows desktops and servers, sensitive data on Microsoft’s Internet Explorer and Edge browsers and many third-party applications.” Attackers can use the vulnerability to spoof legitimate digital signatures, so that malware appears to come from a trusted publisher.

The report from NSA states, “The consequences of not patching the vulnerability are severe and widespread. Remote exploitation tools will likely be made quickly and widely available. Rapid adoption of the patch is the only known mitigation at this time and should be the primary focus for all network owners.” 

How to mitigate the vulnerability 

If you are currently running Windows Server 2016/2019 (or Windows 10), install the patch as soon as possible. The NSA recommends that “system owners prioritize patching endpoints that provide essential or broadly relied-upon services” including web servers, proxies that perform TLS validation, DNS servers, domain controllers, VPN servers, IPSec negotiation, and all Windows-based web appliances.

The alert also states that administrators should prioritize endpoints at high risk of exploitation, such as those directly exposed to the internet or regularly accessed by privileged users. The NSA warns that administrators should be prepared to “conduct remedial activities” if endpoints are compromised. Once the January 2020 update is installed, Windows records an event in the Application log (source Audit-CVE, Event ID 1) whenever it rejects a certificate that attempted to exploit this flaw, which gives administrators a concrete signal to watch for.

Next steps 

Microsoft has issued critical security updates for both Windows 10 and Windows Server 2016/2019. You can see the full description on NIST’s National Vulnerability Database.

Users and administrators should apply the patch immediately. If you have any questions about this vulnerability or any other issue affecting your hosting account, please contact our technical support team. They are happy to help you apply this patch or answer any questions you may have.  

The Microsoft advisory for the vulnerability, recently updated, is reproduced below.

______________________________________________________________________________

CVE-2020-0601 | Windows CryptoAPI Spoofing Vulnerability 

Security Vulnerability 

Published: 01/14/2020 | Last Updated: 01/14/2020
MITRE CVE-2020-0601 

A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. 

An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source. The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider. 

A successful exploit could also allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software. 

The security update addresses the vulnerability by ensuring that Windows CryptoAPI completely validates ECC certificates.
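The following is an added example written for this page (not code from Microsoft or the NSA) that models, on a toy curve, the flaw the notice above describes: CryptoAPI recognised a certificate as a cached trusted root by its ECC public key without checking that the explicit curve parameters the certificate carried, in particular the generator, were the genuine ones. The attacker keeps the curve, picks any private key d', and sets the generator to G' = d'^-1 * Q so that d' * G' is exactly the trusted root's public key Q; a signature made with d' then verifies against Q whenever the verifier takes the generator from the attacker's certificate. The curve (y^2 = x^3 + 2x + 2 over F_17, which has prime order 19), the keys, the digest value and the nonce are constructed for illustration, and the two match functions are a model of the pre- and post-patch checks, not the Crypt32 code.

```python
"""Toy model of the CVE-2020-0601 key-matching flaw.
Added example for this article, not Microsoft or NSA code. The curve,
keys, digest and nonce are constructed: y^2 = x^3 + 2x + 2 over F_17
has prime order 19, so every point generates and every nonzero scalar
is invertible mod 19."""
from dataclasses import dataclass

P, A, B = 17, 2, 2   # curve y^2 = x^3 + A*x + B over F_P
N = 19               # group order (prime)
INF = None           # point at infinity


def add(p1, p2):
    """Affine point addition, covering doubling and inverse points."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                                   # p1 == -p2
    if p1 == p2:
        s = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        s = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (s * s - x1 - x2) % P
    return (x3, (s * (x1 - x3) - y1) % P)


def mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    acc = INF
    k %= N
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


@dataclass(frozen=True)
class Params:
    """Explicit curve parameters as a certificate may carry them."""
    p: int
    a: int
    b: int
    g: tuple   # generator point
    n: int     # group order


GENUINE = Params(P, A, B, (5, 1), N)   # parameters of the trusted root's curve


def sign(params, d, h, k):
    """Textbook ECDSA. h is the digest already reduced mod n; k is the nonce,
    passed in only for reproducibility (real signers use a fresh random or
    RFC 6979 nonce per signature)."""
    r = mul(k, params.g)[0] % params.n
    s = pow(k, -1, params.n) * (h + r * d) % params.n
    if r == 0 or s == 0:
        raise ValueError("nonce unusable for this digest; choose another k")
    return (r, s)


def verify(params, q, h, sig):
    """Textbook ECDSA verification using the generator from params, which
    is exactly the lever the attacker pulls."""
    r, s = sig
    if not (0 < r < params.n and 0 < s < params.n):
        return False
    w = pow(s, -1, params.n)
    x = add(mul(h * w % params.n, params.g), mul(r * w % params.n, q))
    return x is not INF and x[0] % params.n == r


def forge_key(trusted_q, d_attacker):
    """Attacker's trick: any private key d' plus generator G' = d'^-1 * Q,
    so that d' * G' equals the trusted root's public key Q."""
    return Params(P, A, B, mul(pow(d_attacker, -1, N), trusted_q), N)


def vulnerable_match(cert_params, cert_q, trusted_params, trusted_q):
    """Modelled pre-patch check: the cert is taken for the cached root if its
    public key and curve equation match; its generator is never compared."""
    return (cert_q == trusted_q and (cert_params.p, cert_params.a, cert_params.b)
            == (trusted_params.p, trusted_params.a, trusted_params.b))


def fixed_match(cert_params, cert_q, trusted_params, trusted_q):
    """Modelled post-patch check: the whole parameter set must match, generator included."""
    return cert_q == trusted_q and cert_params == trusted_params


def demo():
    d_root = 7                        # CA private key; the attacker never learns it
    q_root = mul(d_root, GENUINE.g)   # CA public key, cached in the trusted root store
    d_evil = 3                        # any private key the attacker likes
    evil = forge_key(q_root, d_evil)  # explicit params with a rigged generator
    h = 11                            # stands in for SHA-256(malicious file) mod n
    sig = sign(evil, d_evil, h, k=5)  # signed with the attacker's key under their params
    return {
        "forged_key_equals_root_key": mul(d_evil, evil.g) == q_root,
        "vulnerable_check_trusts_cert": vulnerable_match(evil, q_root, GENUINE, q_root),
        "fixed_check_trusts_cert": fixed_match(evil, q_root, GENUINE, q_root),
        "sig_verifies_with_cert_params": verify(evil, q_root, h, sig),
        "sig_verifies_with_genuine_params": verify(GENUINE, q_root, h, sig),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running it shows the vulnerable matcher accepting the forged certificate and the attacker's signature verifying under the certificate's own parameters, while the full-parameter comparison rejects the certificate and the same signature fails as soon as the genuine generator is used. The fixed nonce exists only so the output is reproducible; real ECDSA nonces must be fresh and unpredictable.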