Attacker Value: Very High (7 users assessed)
Exploitability: Moderate (7 users assessed)
User Interaction: Required
Privileges Required: None
Attack Vector: Network

CVE-2020-0601, aka NSACrypt

Disclosure Date: January 14, 2020
Exploited in the Wild

Description

A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source, aka 'Windows CryptoAPI Spoofing Vulnerability'. The bug is more widely known as CurveBall. The underlying flaw is that CryptoAPI matched a certificate against the trusted root store by its ECC public key without checking that the certificate's curve parameters were the expected named curve: a certificate carrying explicit curve parameters with an attacker-chosen generator can present a public key identical to a trusted root's while being usable with a private key the attacker controls. The same validation path is used for TLS server certificates and other signed content, so the impact is not limited to Authenticode. After the January 2020 update, Windows records a warning in the Application log from the Microsoft-Windows-Audit-CVE provider (Event ID 1, message beginning "[CVE-2020-0601]") when it sees an attempt to use such a certificate, which gives defenders a concrete event to hunt for.
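
The mechanism described above, as an added worked example (this is not code from the page, from Microsoft, or from the NSA advisory): a pure-Python P-256 toy in which a verifier matches a trusted root's public key Q and the forged certificate supplies its own generator G' = k^-1 * Q, so that the attacker's private key k lands exactly on Q. The root key, the attacker key, the sample payload, the certificate dictionary shape and both validator functions are constructed for this illustration; validate_vulnerable models the key-match-only behaviour the CVE describes and validate_fixed is one correct policy (refuse explicit parameters), not Microsoft's actual Crypt32 change. The real attack chains a forged CA certificate to a leaf certificate; here the forged certificate signs the payload directly, which is the same trust decision with one fewer hop.

```python
import hashlib

# P-256 (secp256r1) domain parameters from SEC 2 / FIPS 186-4.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551


def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity (pow(x, -1, m) needs Python 3.8+)."""
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc


def msg_hash(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def ecdsa_sign(msg, priv, gen):
    """ECDSA over whatever generator is supplied; the hash-derived nonce is a toy, not RFC 6979."""
    k = int.from_bytes(hashlib.sha256(priv.to_bytes(32, "big") + msg).digest(), "big") % N or 1
    r = ec_mul(k, gen)[0] % N
    return (r, pow(k, -1, N) * (msg_hash(msg) + r * priv) % N)


def ecdsa_verify(msg, sig, pub, gen):
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    pt = ec_add(ec_mul(msg_hash(msg) * w % N, gen), ec_mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r


# Constructed "trusted root" CA for this example; the attacker never learns ROOT_PRIV.
ROOT_PRIV = 0x1d3a7f0c4e9b26a5f8013c7d5e2a49b6c0d1e2f3a4b5c6d7e8f90a1b2c3d4e5f
ROOT_PUB = ec_mul(ROOT_PRIV, G)
TRUSTED_ROOT_KEYS = {ROOT_PUB}


def forge_cert(target_pub, attacker_priv):
    """CurveBall trick: G' = attacker_priv^-1 * Q, so attacker_priv * G' == Q. The forged
    certificate carries G' as *explicit* curve parameters instead of naming P-256."""
    g_prime = ec_mul(pow(attacker_priv, -1, N), target_pub)
    return {"pubkey": target_pub, "named_curve": None,
            "explicit": {"p": P, "a": A, "b": B, "g": g_prime, "n": N}}


def validate_vulnerable(cert, msg, sig):
    """Pre-patch behaviour as modelled here: trust is decided by public-key match alone
    and the signature is checked with whatever generator the certificate supplies."""
    if cert["pubkey"] not in TRUSTED_ROOT_KEYS:
        return False
    gen = G if cert["named_curve"] == "P-256" else cert["explicit"]["g"]
    return ecdsa_verify(msg, sig, cert["pubkey"], gen)


def validate_fixed(cert, msg, sig):
    """Hardened policy: accept only a named curve, so the generator always comes from the
    local parameter table and explicit-parameter certificates are refused outright."""
    if cert["named_curve"] != "P-256" or cert["explicit"] is not None:
        return False
    return cert["pubkey"] in TRUSTED_ROOT_KEYS and ecdsa_verify(msg, sig, cert["pubkey"], G)


def demo():
    """Returns {case: (vulnerable_verdict, fixed_verdict)} for a forged and a genuine signer."""
    payload = b"malicious.exe (constructed sample bytes)"
    attacker_priv = 0x0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
    forged = forge_cert(ROOT_PUB, attacker_priv)
    forged_sig = ecdsa_sign(payload, attacker_priv, forged["explicit"]["g"])
    real = {"pubkey": ROOT_PUB, "named_curve": "P-256", "explicit": None}
    real_sig = ecdsa_sign(payload, ROOT_PRIV, G)
    return {"forged": (validate_vulnerable(forged, payload, forged_sig),
                       validate_fixed(forged, payload, forged_sig)),
            "genuine": (validate_vulnerable(real, payload, real_sig),
                        validate_fixed(real, payload, real_sig))}


if __name__ == "__main__":
    for case, (vuln, fixed) in demo().items():
        print(f"{case} signer: vulnerable validator accepts={vuln}, fixed validator accepts={fixed}")
```

Run it with Python 3.8 or newer: the forged signer is accepted by the vulnerable validator and refused by the fixed one, while the genuine root passes both. The lesson generalises beyond Crypt32: any verifier that maps a certificate onto a trust anchor must compare the full parameter set (or refuse explicit parameters altogether), never the public point alone, because the point by itself says nothing about which generator, and hence which private key, produced it.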


4
Ratings
  • Attacker Value: High
  • Exploitability: Low
Technical Analysis

As others have said, this would likely require either MitM or otherwise coaxing someone to run an executable in a typical malware distribution scenario for the Authenticode bit. So, if defining exploitation as successful compromise of a user connection or system, I think the complexity of this is high, but the payoff/utility, especially for snooping, is fairly critical.

Agreed on the RCE vector, but I do have a problem with the “RCE” label since it tends to imply a certain specific type of code execution, rather than the enablement of a vector of execution, which this is.

2
Ratings
  • Attacker Value: High
  • Exploitability: Medium
Technical Analysis

This appears to be a bug with the authentication of elliptic curve cryptographic certificates, definitely related to file source authentication through signing and possibly channel communications; there are unsubstantiated rumors about RCE, though I don't see a pathway for that beyond a MitM attack. This is going to serve primarily as a local privilege escalation tool because Microsoft OSs depend on file authentication and privileged execution in some instances to avoid a requirement for user-authenticated elevation for execution. I am unclear on how difficult breaking into an established session might be, but certainly spoofed signed files would be useful to a hacker.
Of the two likely scenarios, local privilege escalation seems the most likely, with MitM attacks possible. This is likely not a wormable threat and will require some amount of time and effort on the part of the attacker. Nation-state-level players might abuse this by owning update servers or routers and serving clients malicious signed updates or other binaries, but that's not a likely threat model for the average person or even company. In addition to the personalized nature of the attack vector, I imagine the barrier to writing even a local exploit would be higher than most, as cryptography is hard.
This is interesting, it is bad, and it should be patched, but it is not at the level of something like EternalBlue or even BlueKeep, in my opinion. I think that its being reported by the NSA has caused a bit more attention to it than the vulnerability warrants, but since there is a path to exploitation and a simple patch out that should have little effect on users, you should patch immediately.

2
Ratings
  • Attacker Value: Very High
  • Exploitability: Low
Technical Analysis

Granted, patching is not immediate and still lags in many orgs, but the trend for patching current systems (which it seems to apply to) is better than legacy and there is a working patch, thus I can't see exploits working for long on major, mature organizations.

2
Technical Analysis

This is now supposedly being exploited in the wild by Chinese state actors, according to this NSA announcement: https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF

CVSS V3 Severity and Metrics
Base Score: 8.1 High
Impact Score: 5.2
Exploitability Score: 2.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): None

General Information

Vendors

  • golang
  • microsoft

Products

  • go
  • windows 10
  • windows 10 1607
  • windows 10 1709
  • windows 10 1803
  • windows 10 1809
  • windows 10 1903
  • windows 10 1909
  • windows server 2016
  • windows server 2016 1803
  • windows server 2016 1903
  • windows server 2016 1909
  • windows server 2019
