Microsoft made news this week with the widely reported vulnerability known as CVE-2020-0601, which impacts the Windows CryptoAPI. This highly critical vulnerability allows an attacker to fake both signatures and digital certificates. The attacker would use spoofed Elliptic-curve cryptography (ECC) certificates for signing malicious files to evade detection or target specific hostnames to evade browser security alerts by making it appear the file was from a trusted, legitimate source. The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider. A successful exploit could also allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software.
The CVE-2020-0601 vulnerability reportedly impacts Windows 10, Windows Server 2019, and Windows Server 2016 OS versions. The Microsoft patch (below) addresses the vulnerability by ensuring that Windows CryptoAPI completely validates ECC certificates.
Since it was identified, a public exploit POC was posted that will allow any malicious party to use this exploit to sign executables as a third party. Additionally, the bug could intercept and fake secure web (HTTPS) connections and has the power to fake signatures for files and emails.
Details on McAfee’s enterprise defenses against this vulnerability are outlined below and available in knowledge base article KB92322. Additional products may be updated with extra countermeasures and defenses as our research uncovers more. We will continue to update the articles.
What can you do to protect yourself?
The bug is considered to be highly critical. It is important for everyone running a vulnerable operating system to apply the security update provided by Microsoft.
Large organizations who follow 15/30/60-day patch cycles should consider making an exception and apply the patches as soon as possible.
Microsoft’s security patches are available here. The event is serious enough that the NSA has released its own security advisory, with mitigation information and how to detect exploitation, and urging IT staff to expedite the installation of Microsoft’s security updates. The Cybersecurity and Infrastructure Security Agency (CISA) at the Department of Homeland Security (DHS) have also released an emergency directive to alert the US private sector and government entities about the need to install the latest Windows OS fixes sooner rather than later.
How are McAfee Customers Protected?
McAfee products can help detect and prevent the exploit from executing on your systems. Specifically:
McAfee Endpoint Security (ENS)
McAfee can help protect against this vulnerability with a signature set to help detect fraudulently signed files.
Threat Intelligence Exchange (TIE)
TIE can help to identify file signing abuse prior to patching by providing a workflow to pivot into spoofed CAs and their signed binaries already run in the environment.
McAfee Network Security Platform (IPS)
NSP signatures (Emergency Signature set version 10.8.3.3) will prevent file signing abuse by blocking connections that are using certificates known to be impacted by the vulnerability.
File inspection for signature have been implemented in Web Gateway Anti-Malware. Using HTTPs scanning on the Web Gateway will move the validity checks for certificates from endpoints to the gateway and provide a central HTTPS certificate policy that is not based on the vulnerable function.
McAfee MVISION EDR
MVISION EDR can detect exploit attempts for this vulnerability on patched systems. In order to identify devices that have been involved recently in an exploit attempt, the customer can use the Real Time Search dashboard to execute a query using an NSACryptEvents collector.
McAfee Active Response (MAR)
McAfee Active Response has the ability to detect exploit attempts for this vulnerability. To identify devices that have been involved recently in an exploit attempt, the customer can use Active Response Catalog to create a custom collector and Active Response Search to execute a query using that collector. McAfee Active Response (MAR) users can also do a real time query with the NSACryptEvents collector.
McAfee Enterprise Security Manager (SIEM)
McAfee Enterprise Security Manager can detect exploit attempts for this vulnerability on patched systems by detecting events routed to SIEM using new signatures available via the normal content update process. (Refer to the knowledge-base article outlining how to update EMS rules.)
New rules have been uploaded to the content server with new signature ID’s and descriptions for these events. Customers can use these to create alarms.
Full details on how to access these solutions are outlined in knowledge-base article KB92322. Additional products may be updated with additional countermeasures and defenses as our research uncovers more. We will continue to update knowledge-base article KB92322 with any additional recommendations or findings.