The National Security Agency (NSA) discovered a critical vulnerability (CVE-2020-0601) affecting Microsoft Windows®1 cryptographic functionality.

According to the NSA, the certificate validation vulnerability allowed an attacker to undermine how Windows verifies cryptographic trust and could enable remote code execution. The vulnerability affected Windows 10 and Windows Server 2016/2019, as well as applications that rely on Windows for trust functionality.

In addition, the NSA says exploitation of the vulnerability could allow attackers to defeat trusted network connections and deliver executable code while appearing as legitimately trusted entities. Examples where validation of trust may be impacted include:

  • HTTPS connections
  • Signed files and emails
  • Signed executable code launched as user-mode processes

The vulnerability placed Windows endpoints at risk to a broad range of exploitation vectors. "NSA assesses the vulnerability to be severe and that sophisticated cyber actors will understand the underlying flaw very quickly and, if exploited, would render the previously mentioned platforms as fundamentally vulnerable. The consequences of not patching the vulnerability are severe and widespread. Remote exploitation tools will likely be made quickly and widely available. Rapid adoption of the patch is the only known mitigation at this time and should be the primary focus for all network owners," says the NSA. 

Shortly after releasing the alert, Brian Krebs of KrebsOnSecurity reported that Microsoft Corp. planned to release a software update to fix the security vulnerability. According to Krebs, Microsoft issued a written statement, "saying that it does not discuss the details of reported vulnerabilities before an update is available." The company also said it does not release production-ready updates ahead of regular Update Tuesday schedule. “Through our Security Update Validation Program (SUVP), we release advance versions of our updates for the purpose of validation and interoperability testing in lab environments. Participants in this program are contractually disallowed from applying the fix to any system outside of this purpose and may not apply it to production infrastructure,” said Microsoft.

"This vulnerability is a force multiplier for attackers who often go to great lengths to get their tools whitelisted in their target environment. The CryptoAPI Spoofing vulnerability gives attackers another option to make their code appear legitimate. There is a silver lining though, Windows 7, which is now end of life, isn't impacted by this," says Rick Holland, CISO, Vice President of Strategy at Digital Shadows, "This is also a significant step for the National Security Agency. Unlike Eternal Blue, this vulnerability was disclosed to Microsoft. Please make no mistake, though; the NSA will continue to hoard zero-days and leverage them as required to accomplish their objectives.”

Brian Krebs also tweeted that, "Sources say this disclosure from NSA is planned to be the first of many as part of a new initiative at NSA dubbed "Turn a New Leaf," aimed at making more of the agency's vulnerability research available to major software vendors and ultimately to the public."

“Kudos to the NSA for informing Microsoft and to Microsoft for quickly reacting. I’d be interested to understand what makes this exploit worth reporting to Microsoft instead of keeping for their personal arsenal as they have in the past," says Chris Morales, head of security analytics at Vectra. "It could be because many of those previous tools leaked and have caused widespread damage across multiple organizations. It could be because there was a concern others would find this vulnerability themselves and it was dangerous enough to warrant remediation instead of weaponizing it.”