Microsoft Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601) – How to Detect and Remediate
Update January 31, 2020: Client testing is now available at clienttest.ssllabs.com.
Update January 15, 2020: Detection dashboard now available.
Today, Microsoft released patch for CVE-2020-0601, aka Curveball, a vulnerability in windows “crypt32.dll” component that could allow attackers to perform spoofing attacks. This was discovered and reported by National Security Agency (NSA) Researchers. The vulnerability affects Windows 10 and Windows Server 2016/2019 systems.
This is a serious vulnerability and patches should be applied immediately. An attacker could exploit this vulnerability by using a spoofed code-signing certificate, meaning an attacker could let you download and install malware that pretended to be something legit, such as software updates, due to the spoofed digital signature. Examples where validation of trust may be impacted include:
- HTTPS connections
- Signed files and emails
- Signed executable code launched as user-mode processes
Exploits/PoC:
There are no reports of active exploitation or PoC available in public domain at this point of time. However, per NSA advisory “Remote exploitation tools will likely be made quickly and widely available.”