NSA discloses a Windows security flaw that leaves more than 900 million devices vulnerable to spoofed digital certificates
The National Security Agency (NSA) isn’t exactly known for wanting to share information about vulnerabilities they discover. In fact, they kept the Microsoft bug known as EternalBlue a secret for at least five years to exploit it as part of their digital espionage. (At least, you know, until it was eventually discovered and released by hackers.)
But maybe they’ve had a change of heart. (If you truly believe that, I have a bridge to sell you.)
The NSA, in an uncharacteristic show of transparency, recently announced a major public key infrastructure (PKI) security issue in Microsoft Windows operating systems that has left more than 900 million PCs and servers worldwide vulnerable to spoofing cyberattacks. This vulnerability is one of many addressed in Microsoft’s January 2020 security updates. Maybe they didn’t want a repeat of the last incident. Whatever the reason, we’re just glad they decided to disclose the potential exploit.
The risk of this vulnerability boils down to a weakness in the application programming interface of Microsoft’s widely used operating systems. But what exactly is this Windows 10 vulnerability? How does it affect your organization? And what can you do to fix it?
Let’s hash it out.
What’s the Situation with This Windows 10 Vulnerability?
Windows 10 has had a rough go of things these past several months in terms of vulnerabilities. In the latest Windows 10 vulnerability news, the NSA discovered a vulnerability (CVE-2020-0601) that affects the cryptographic functionality of 32- and 64-bit Windows 10 and specific versions of Windows Server. Basically, the vulnerability exists within the Windows 10 cryptographic application programming interface — also known as CryptoAPI (or what you may know as the good ol’ Crypt32.dll module) — and affects how it validates elliptic curve cryptography (ECC) certificates.
What it does, in a nutshell, is allow users to create websites and software that masquerade as the “real deal” through the use of spoofed digital certificates. A great example of how it works was created by security researcher Saleem Rashid, who tweeted images of NSA.com and Github.com getting “Rickrolled.” Essentially, he caused both the Edge and Chrome browsers to present the spoofed sites as verified HTTPS websites.
Although humorous, Rashid’s simulated attacks are a great demonstration of how serious the security flaw is. By spoofing a digital certificate that exploits the flaw in CryptoAPI, anyone can pretend to be anyone — even official authorities.
CryptoAPI is a critical component of Microsoft Windows operating systems. It’s what allows developers to secure their software applications through cryptographic solutions. It’s also what validates the legitimacy of software and secure website connections through the use of X.509 digital certificates (SSL/TLS certificates, code signing certificates, email signing certificates, etc.). So, basically, the vulnerability is a bug in the OS component that determines whether software applications and emails are secure and whether secure website connections are legitimate.
So, what the vulnerability does is allow actors to bypass the trust store by using malicious software that is signed with forged/spoofed ECC certificates (doing so makes it look like it was signed by a trusted organization). This means that users could unknowingly download malicious or compromised software because the digital signature would appear to come from a legitimate source.
This vulnerability can cause other issues as well, according to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA):
“This could deceive users or thwart malware detection methods such as antivirus. Additionally, a maliciously crafted certificate could be issued for a hostname that did not authorize it, and a browser that relies on Windows CryptoAPI would not issue a warning, allowing an attacker to decrypt, modify, or inject data on user connections without detection.”
Does This Mean ECC Is Not Secure?
No. This flaw in no way, shape, or form affects the integrity of ECC certificates. It does, however, cast a negative light on Windows’ cryptographic application programming interface by shining a spotlight on the shortcomings of its validation process.
Let me reiterate: This is a flaw concerning Windows CryptoAPI and does not affect the integrity of the ECC certificates themselves. If you’re one of the few using ECC certificates (you know, since RSA is still more commonly used than ECC), this doesn’t impact the security of your certificates.
The patch from Microsoft addresses the vulnerability to ensure that Windows CryptoAPI fully validates ECC certificates.
What This Windows 10 Vulnerability Means for Your Organization
Basically, this cryptographic validation security flaw impacts both the SSL/TLS communication stream encryption and Windows Authenticode file validation. Malicious actors who decide to exploit the CryptoAPI vulnerability could use it to:
defeat trusted network connections to carry out man-in-the-middle (MitM) attacks and compromise confidential information;
deliver malicious executable code;
cause browsers that rely on CryptoAPI to accept, without any warning, malicious certificates crafted for a hostname that did not authorize them; and
appear as legitimate and trusted entities (through spoofing) to get users to engage with and download malicious content via email and phishing websites.
The NSA press release states:
“NSA assesses the vulnerability to be severe and that sophisticated cyber actors will understand the underlying flaw very quickly and, if exploited, would render the previously mentioned platforms as fundamentally vulnerable. The consequences of not patching the vulnerability are severe and widespread. Remote exploitation tools will likely be made quickly and widely available. Rapid adoption of the patch is the only known mitigation at this time and should be the primary focus for all network owners.”
Steps to Take to Mitigate This Bug
Wondering what you should do to mitigate the threat on your network and devices? The NSA has a few recommendations:
Get to Patchin’ ASAP
The NSA recommends installing the newly released patch from Microsoft for Windows 10 operating systems and Windows Server (versions 2016 and 2019) as soon as possible on all endpoints and systems. Like, right now. Get to it! As a best practice, you can also turn on automatic updates to ensure that you don’t miss key updates in the future.
According to Microsoft’s Security Update Guide:
“After the applicable Windows update is applied, the system will generate Event ID 1 in the Event Viewer after each reboot under Windows Logs/Application when an attempt to exploit a known vulnerability ([CVE-2020-0601] cert validation) is detected.”
Here at The SSL Store, we’ve already rolled out the patch to ensure that all of our servers and endpoint devices are protected. (Thanks, Ross!) Rolling out these kinds of updates is something you don’t want to wait around to do because it leaves your operating systems — and everything else as a result — vulnerable to spoofing and phishing attacks using spoofed digital certificates.
Prioritize Your Patching Initiatives
But what if you’re a major enterprise that can’t just get it done with a snap of the fingers? (Yeah, we know how you big businesses sometimes like to do things.) In that case, the NSA recommends prioritizing patching your most critical endpoints and those that are most exposed to the internet. Basically, patch your mission-critical systems and infrastructure, internet-facing systems, and networked servers first.
Implement Network Prevention and Detection Measures
For those of you who route your traffic through proxy devices, we have some good news. While your endpoints are getting patched, your proxy devices can help you detect and isolate vulnerable endpoints. That’s because you can use TLS inspection proxies to validate SSL/TLS certificates from third parties and determine whether to trust or reject them.
You can also review logs and perform packet analysis to extract additional data for analysis and check for malicious or suspicious properties.
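As an added example (not code from the original post or from Microsoft), here is what validation anchored in the local trust store looks like, written in Go against its standard-library crypto/x509 rather than CryptoAPI: a server certificate is accepted only if its signature chain ends at a root the verifier already holds, checked with the stored copy of that root’s key, so a look-alike root carrying the same name but a different key is rejected. All names, keys and certificates are constructed inside the code.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mintCert: fresh P-256 key plus a certificate for name signed by issuerKey (nil issuer = self-signed CA). Constructed test material only.
func mintCert(name string, isCA bool, issuer *x509.Certificate, issuerKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name},
		DNSNames:              []string{name}, // hostname a leaf may serve; not consulted on the CA certs
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	if issuer == nil {
		issuer, issuerKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, issuerKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// validateServerCert accepts leaf only if its signature chain ends at a root in the local store, checked with the store's own copy of that key.
func validateServerCert(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// demo: is a leaf from the genuine root accepted, and is one from a look-alike root (same name, different key) accepted too?
func demo() (genuineOK, lookalikeOK bool) {
	root, rootKey := mintCert("Example Root CA", true, nil, nil)
	rogueRoot, rogueKey := mintCert("Example Root CA", true, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(root) // the local trust store holds only the genuine root
	leaf, _ := mintCert("www.example.com", false, root, rootKey)
	rogueLeaf, _ := mintCert("www.example.com", false, rogueRoot, rogueKey)
	return validateServerCert(leaf, roots, "www.example.com") == nil, validateServerCert(rogueLeaf, roots, "www.example.com") == nil
}
```

The point of the second result is that the rogue chain names a trusted issuer and even carries a matching subject, yet fails because the signature is checked with the key the store already has, not one supplied alongside the certificate.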
*** This is a Security Bloggers Network syndicated blog from Hashed Out by The SSL Store authored by Casey Crane. Read the original post at: https://www.thesslstore.com/blog/nsa-microsoft-releases-patch-to-fix-latest-windows-10-vulnerability/
Today’s VERT Alert addresses Microsoft’s January 2020 Security Updates. VERT is actively working on coverage for these vulnerabilities and expects to ship ASPL-866 on Wednesday, January 15th.
In-The-Wild & Disclosed CVEs
While there are no in-the-wild or disclosed CVEs in the January patch drop, there is a lot of discussion around CVE-2020-0601. The vulnerability allows Elliptic Curve Cryptography (ECC) certificate spoofing due to the way these certificates are validated. This vulnerability was reported to Microsoft by the NSA, and rumors in various publications indicate that certain government agencies and enterprises were given advance notice of it.
Microsoft has rated this as a 1 (Exploitation More Likely) on the Exploitability Index for the latest software release.
CVE Breakdown by Tag
While historical Microsoft Security Bulletin groupings are gone, Microsoft vulnerabilities are tagged with an identifier. This list provides a breakdown of the CVEs on a per tag basis.
There were no new advisories released today. However, it is worth mentioning that today marks the final day of support for Windows 7, Windows Server 2008, and Windows Server 2008 R2. These platforms are now considered end of life and (Read more…)
If you haven’t recently updated your Drupal-based blog or business website to the latest available versions, it’s the time.
Drupal development team yesterday released important security updates for its widely used open-source content management software that addresses a critical and three “moderately critical” vulnerabilities in its core system.
Considering that Drupal-powered websites are among the all-time favorite targets for hackers, website administrators are strongly advised to install the latest release, Drupal 7.69, 8.7.11, or 8.8.1, to prevent remote hackers from compromising their web servers.
Critical Symlinks Vulnerability in Drupal
The only advisory with critical severity includes patches for multiple vulnerabilities in a third-party library, called ‘Archive_Tar,’ that Drupal Core uses for creating, listing, extracting, and adding files to tar archives.
The vulnerability resides in the way the affected library extracts archives containing symlinks, which, if exploited, could allow an attacker to overwrite sensitive files on a targeted server by uploading a maliciously crafted tar file.
Note that the flaw only affects Drupal websites that are configured to process .tar, .tar.gz, .bz2, or .tlz files uploaded by untrusted users.
According to Drupal developers, a proof-of-concept exploit for this vulnerability already exists, and considering the popularity of Drupal exploits among hackers, you may see this flaw actively exploited in the wild to target Drupal websites.
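As an added example (not Drupal’s or Archive_Tar’s own code), this is the pre-extraction check a server that accepts .tar uploads from untrusted users would want, written in Go with the standard archive/tar package: list every entry before unpacking anything and refuse the archive if an entry is a symlink or hard link, or if its path would land outside the extraction directory. The sample archive, its entry names and the .htaccess target are constructed for the example.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"path"
	"strings"
)

// unsafeTarEntries inspects a tar stream before anything is extracted and reports entries an
// untrusted upload must never contain: symlinks, hard links, and paths escaping the target dir.
func unsafeTarEntries(r io.Reader) ([]string, error) {
	var bad []string
	tr := tar.NewReader(r)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return bad, nil
		}
		if err != nil {
			return bad, err
		}
		clean := path.Clean(hdr.Name) // tar names use forward slashes on every platform
		switch {
		case hdr.Typeflag == tar.TypeSymlink || hdr.Typeflag == tar.TypeLink:
			bad = append(bad, fmt.Sprintf("%s: link to %s", hdr.Name, hdr.Linkname))
		case path.IsAbs(clean) || clean == ".." || strings.HasPrefix(clean, "../"):
			bad = append(bad, fmt.Sprintf("%s: escapes the extraction directory", hdr.Name))
		}
	}
}

// sampleArchive is a constructed in-memory tar: one benign file, one symlink pointing outside
// the tree, and one path-traversal entry aimed at .htaccess. Error returns are skipped because
// the input is fixed.
func sampleArchive() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	body := []byte("hello\n")
	tw.WriteHeader(&tar.Header{Name: "docs/readme.txt", Typeflag: tar.TypeReg, Mode: 0o644, Size: int64(len(body))})
	tw.Write(body)
	tw.WriteHeader(&tar.Header{Name: "uploads/link", Typeflag: tar.TypeSymlink, Mode: 0o777, Linkname: "../../.htaccess"})
	tw.WriteHeader(&tar.Header{Name: "../.htaccess", Typeflag: tar.TypeReg, Mode: 0o644, Size: int64(len(body))})
	tw.Write(body)
	tw.Close()
	return buf.Bytes()
}
```

Running unsafeTarEntries over sampleArchive flags the symlink and the traversal entry and leaves the benign file alone; an upload handler would reject the whole archive on a non-empty result rather than extract selectively.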
Moderately Critical Drupal Vulnerabilities
Besides this critical vulnerability, Drupal developers have also patched three “moderately critical” vulnerabilities in its Core software, brief details of which are as follows:
Denial of Service (DoS): The install.php file used by Drupal 8 Core contains a flaw that can be exploited by a remote, unauthenticated attacker to impair the availability of a targeted website by corrupting its cached data.
Security Restriction Bypass: The file upload function in Drupal 8 does not strip leading and trailing dots (‘.’) from filenames, which can be used by an attacker with file upload ability to overwrite arbitrary system files, such as .htaccess, to bypass security protections.
Unauthorized Access: This vulnerability exists in Drupal’s default Media Library module, which does not correctly restrict access to media items in certain configurations. Thus, it could allow a low-privileged user to gain unauthorized access to sensitive information that is otherwise out of their reach.
According to the developers, affected website administrators can mitigate the Media Library access bypass vulnerability by unchecking the “Enable advanced UI” checkbox on /admin/config/media/media-library, though this mitigation is not available in 8.7.x.
All the above “moderately critical” vulnerabilities have been patched with the release of Drupal versions 8.7.11 and 8.8.1, and at the time of writing, no proof-of-concept for these flaws has been made available.
Since a proof-of-concept exists for the critical Drupal vulnerability, users running vulnerable versions of Drupal are highly recommended to update their CMS to the latest Drupal core release as soon as possible.
Source: National Cyber Security – Produced By Gregory Evans
Posted by Jan Keller, Technical Program Manager, Security
At Google, we strive to make the internet safer and that includes recognizing and rewarding security improvements that are vital to the health of the entire web. In 2020, we are building on this commitment by launching a […]
Source: National Cyber Security – Produced By Gregory Evans
December 2019’s Patch Tuesday updates are out, and for the most part, it’s the usual undemanding Christmas load for admins to browse through. All told, there are 36 CVE-level vulnerabilities, seven of which are marked ‘critical’, 27 important, and one each for low and moderate. Predictably, […]
This month’s Patch Tuesday is rather light and addresses 36 vulnerabilities, with only 7 labeled as Critical. Five of the seven Critical vulns are in Git for Visual Studio. The others are for Hyper-V and Win32k. Also, there is one actively attacked “Important” vuln in Win32k. Adobe released patches today covering Acrobat/Reader, ColdFusion, Photoshop, and Brackets.
Win32k patches (CVE-2019-1468 and CVE-2019-1458) should be prioritized for workstation-type devices, meaning any system that is used for email or to access the internet via a browser. This includes multi-user servers that are used as remote desktops for users.
Though listed as Important, Microsoft has disclosed that CVE-2019-1458 is actively attacked in the wild.
Hyper-V Hypervisor Escapes
A remote code execution vulnerability (CVE-2019-1471) is patched in Hyper-V that would allow an authenticated user on a guest system to run arbitrary code on the host system. Microsoft notes that exploitation of this vulnerability is less likely, but these patches should still be prioritized for all Hyper-V systems.
Git for Visual Studio
Microsoft patched 5 vulnerabilities (CVE-2019-1354, CVE-2019-1350, CVE-2019-1352, CVE-2019-1387, and CVE-2019-1349) in Git for Visual Studio. Exploitation requires that a user clone a malicious repo. Based on the details provided, the vulnerabilities all appear to be command injection. These patches should be prioritized for any Visual Studio installations that use Git.
Adobe’s Patch Tuesday covers Acrobat/Reader, ColdFusion, Photoshop, and Brackets. The patches for Acrobat/Reader (21 vulns) and ColdFusion (1 vuln) are listed as Priority 2, while the patches for Photoshop (2 vulns) and Brackets (1 vuln) are labeled Priority 3. The Acrobat/Reader patches should be prioritized for Workstations with this software installed, and the ColdFusion patches should be prioritized on ColdFusion servers.
Apple issued a new warning after a new hacking threat. The tech giant says there is a new cyber threat, but has taken steps to thwart the attack. FOX Business Network’s Tracee Carrasco reports, “Apple has now issued a critical security patch for all iOS devices and for Mac computers…
nationalcybersecurity.com – Atari is set to introduce “Pridefest,” an original social-sim game for tablets and mobile devices that’s specially geared toward the lesbian, gay, bisexual and transgender (LGBT) community. Accordi…