Spoofing Vulnerability in the Windows CryptoAPI
CVE-2020-0601
Sources
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601 (1)
https://www.pandasecurity.com/mediacenter/news/critical-windows-10-vulnerability/
Risks
An attacker can sign a malicious executable and make it look like it was released by a trusted, legitimate source.
Alternatively, the attacker can bypass TLS certificate validation on websites served in Google Chrome & Chromium based browsers (Opera, Brave, …), Edge and Internet Explorer.
There is no indication that Firefox and derivative browsers are affected.
Description
The way the Windows CryptoAPI validates Elliptic Curve Cryptography (ECC) Certificates allows an attacker to craft a malicious certificate that will appear to be signed by a trusted source. This certificate can then be used to either sign an executable or to perform a Man-in-the-Middle (MitM) attack on software using this API.
The issue exists because the API does not check all the parameters of the root certificate. This allows an attacker to craft their own root certificate with the same parameters, except for one. Check the source(2) for a detailed description.
There are already several proof of concept exploits for this vulnerability.
Recommended Actions
Microsoft released an emergency patch for this vulnerability. CERT.be recommends to apply this patch as soon as possible. The patch can be downloaded from the Microsoft Website(1) or can be installed directly from the Windows Updates Center.