Qualys is a sponsor of TechSpective
Microsoft kicked off the new decade with a bang. Last Tuesday was the first Microsoft Patch Tuesday of 2020, and one of the patches pushed out by Microsoft addresses a dangerous flaw in Crypt32.dll that could allow attackers to spoof signatures on encrypted communications and potentially launch man-in-the-middle (MitM) attacks on communications believed to be secure.
The flaw was discovered by the US National Security Agency (NSA), which took the unusual step of alerting Microsoft about the vulnerability. The NSA generally capitalizes on flaws it discovers by developing exploits in secret so it can weaponize them for its clandestine efforts. We have learned about some of them the hard way, as the world has paid the price from exploits like EternalBlue being leaked. There are a number of exploits circulating in the wild compliments of the NSA, but apparently this one was too critical for the NSA to not give Microsoft a heads up.
The NSA also published an advisory highlighting the criticality of this Windows flaw. The advisory cautions, “The vulnerability places Windows endpoints at risk to a broad range of exploitation vectors. NSA assesses the vulnerability to be severe and that sophisticated cyber actors will understand the underlying flaw very quickly and, if exploited, would render the previously mentioned platforms as fundamentally vulnerable. The consequences of not patching the vulnerability are severe and widespread. Remote exploitation tools will likely be made quickly and widely available.”
A blog post from Qualys about the Microsoft Patch Tuesday updates stresses, “Although Microsoft rated this as Important, NSA privately disclosed this vulnerability to Microsoft and should be prioritized on all systems. NSA recommends installing the patch as soon as possible to effectively mitigate the vulnerability on all Windows 10 and Windows Server 2016/2019 systems.”
Patch or Mitigate the Windows CryptoAPI Vulnerability
The recommended action is for organizations and individuals to apply the associated patch as soon as possible—immediately if possible. Microsoft has developed a patch for Windows 10, Windows Server 2016, and Windows Server 2019.
Even with a flaw of this nature, context matters. Every vulnerable system should be patched, but effective patching and effective cybersecurity demand that you prioritize your efforts appropriately. Focus on domain controllers, web servers, DNS servers, and proxies that perform TLS validation first, followed by systems that run business critical applications or store sensitive data.
For systems that can’t be immediately patched for this CryptoAPI flaw, alternate measures need to be taken to mitigate the risk. Qualys recommends:
- Restrict external access to only trusted networks.
- Ensure that certificate validation is enabled for TLS proxies.
- See also DHS Emergency Directive 20-02: Mitigate Windows Vulnerabilities from January 2020 Patch Tuesday
According to the blog post, Qualys customers can identify vulnerable hosts using the Qualys Cloud Agent or via Qualys authenticated scanning. Qualys customers can also prioritize and expedite patching for CVE-2020-0601 using Qualys Patch Management with Cloud Agent.
Don’t Let the Next ‘Wannacry’ Catch You Off Guard
The same day that Microsoft released the patch for this critical flaw was also coincidentally the expiration date for Windows 7 support. Many organizations are still running critical applications on Windows 7 systems, and those systems are vulnerable.
Now that Microsoft is no longer developing and distributing patches for the Windows 7 operating system by default, it’s only a matter of time until a ‘Wannacry’ type attack cripples systems running the expired legacy operating system. Organizations can take steps to minimize and mitigate the risk, but only if they know where those unsupported systems are and what applications they are running.
You might think that you don’t have any Windows 7 or Windows XP systems on your network, but rogue systems might exist on your network that put you at risk. Organizations can use the free Qualys Global IT Asset Discovery and Inventory app to get complete visibility of the devices on the network—which is essential for effective cybersecurity. The Qualys tool reports comprehensive details such as hardware and software lifecycle and end-of-life or end-of-service status so you can quickly visualize the operating systems that are expired or will soon reach end-of-life and plan accordingly to proactively upgrade or find alternatives. An accurate real-time inventory can be a lifesaver when a flaw like this CryptoAPI spoofing vulnerability comes along.
I can’t emphasize enough how crucial it is for you to apply the patch from Microsoft or take immediate steps to mitigate the risk from this CryptoAPI vulnerability. This is not a drill. Proof-of-concept exploit code already exists and it’s only a matter of time until there are malicious exploits circulating in the wild. The clock is ticking. Act quickly.