On Jan. 14, Microsoft announced CVE-2020-0601 Windows CryptoAPI Spoofing Vulnerability, which was disclosed to Microsoft by the National Security Agency (PDF). The vulnerability affects Microsoft Windows components responsible for implementing certificate and cryptographic messaging functions. Microsoft has released a security update that addresses the vulnerability.
An attacker could exploit this vulnerability to deliver malicious code that appears to be from a trusted entity. Once a system has been exploited, attackers can further cause harm by decrypting confidential information from user connections to the impacted software as well as launch man-in-the middle attacks. Examples where validation of trust may be impacted include:
- HTTPS connections
- Signed files and emails
- Signed executable code launched as user-mode processes
- Software updates
Additionally, attackers may be able to spoof x.509 certificate chains that could allow for the interception and modification of TLS-encrypted communications, spoofing websites or spoofing authenticode signatures.
The following platforms are affected:
- Windows 10
- Windows Server 2016
- Windows Server 2019
The University Technology Information Security Office strongly recommends that impacted systems are patched with the security update as soon as possible.
There are no work arounds for this vulnerability.