Attacker Value
Very High
(7 users assessed)
Exploitability
Moderate
(7 users assessed)
User Interaction
Required
Privileges Required
None
Attack Vector
Network
2

CVE-2020-0601, aka NSACrypt

Disclosure Date: January 14, 2020
Exploited in the Wild
Reported by gwillcox-r7
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates.An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source, aka ‘Windows CryptoAPI Spoofing Vulnerability’.

Add Assessment

4
Ratings
  • Attacker Value
    High
  • Exploitability
    Low
Technical Analysis

As others have said, this would likely require either MiTM or otherwise coaxing someone to run an executable in a typical malware distribution scenario for the authenticode bit. So, if defining exploitation as successful compromise of a user connection or system, I think the complexity of this is high, but the payoff/utility especially for snooping is fairly critical.

Agreed on the RCE vector, but I do have a problem with the “RCE” label since it tends to imply a certain specific type of code execution, rather than the enablement of a vector of execution, which this is.

2
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Low
Technical Analysis

Granted patching is not immediate and still lags in many orgs, but the trend for patching current systems (which is seems to apply to) is better than legacy and there is a working patch, thus I can’t see exploits working for long on major, mature organizations.

1
Ratings
  • Attacker Value
    High
  • Exploitability
    Medium
Technical Analysis

This appears to be a bug with the authentication of elliptical curve cryptographic certificates definitely related to file source authentication through signing and possibly channel communications; there are unsubstantiated rumors about RCE, though I don’t see a pathway for that beyond a MitM attack. This is going to serve primarily as a local privilege escalation tool because Microsoft OSs depend on file authentication and privileged execution in some instances to avoid a requirement for user authenticated elevation for execution. I am unclear on how difficult breaking into an established session might be, but certainly spoofed signed files would be useful to a hacker.
Of the two likely scenarios, local privilege escalation seems the most likely, with MitM attacks possible. This is likely not a wormable threat and will require some amount of time and effort on the part of the attacker. Nation-state-level players might abuse this by owning update servers or routers and serving clients malicious signed updates or other binaries, but that’s not a likely threat model for average person or even company. In addition to the personalized nature of the attack vector, I imagine the barrier to writing even a local exploit would be higher than most, as cryptography is hard.
This is interesting, it is bad, and it should be patched, but it is not at the level of something like eternalblue or even bluekeep, in my opinion. I think that it was reported by the NSA has caused a bit more attention to it than the vulnerability warrants, but since there is a path to exploitation and a simple patch out that should have little effect on users, you should patch immediately.

General Information

Vendors

  • Microsoft

Products

  • Windows,
  • Windows Server,
  • Windows 10 Version 1903 for 32-bit Systems,
  • Windows 10 Version 1903 for x64-based Systems,
  • Windows 10 Version 1903 for ARM64-based Systems,
  • Windows Server, version 1903 (Server Core installation),
  • Windows 10 Version 1909 for 32-bit Systems,
  • Windows 10 Version 1909 for x64-based Systems,
  • Windows Server, version 1909 (Server Core installation),
  • Windows 10 Version 1909 for ARM64-based Systems
Technical Analysis