Security Experts:

Industry Reactions to Crypto Vulnerability Found by NSA: Feedback Friday

One of the vulnerabilities patched this week by Microsoft in its Windows operating system is a crypto-related issue that was reported to the company by the U.S. National Security Agency.

The vulnerability, tracked as CVE-2020-0601 and dubbed ChainOfFools and CurveBall, affects Windows 10, Server 2016 and Server 2019, as well as applications that rely on Windows for trust functionality.

The flaw exists in the CryptoAPI (Crypt32.dll) component and it can allow an attacker to sign malicious files using a spoofed code-signing certificate or to conduct MitM attacks against TLS connections. However, sophisticated threat groups, such as nation-state actors, would be the most likely to exploit the vulnerability — run-of-the-mill cybercriminals are unlikely to have the resources and skills needed for exploitation.

Industry reactions to the Windows vulnerability reported by the NSA

Several proof-of-concept (PoC) exploits have already been created and some of them have been made public.

Several industry professionals have shared thoughts with SecurityWeek about the vulnerability, its impact, and the possible reasons why the NSA disclosed it rather than using it in its own operations.

And the feedback begins…

Sherrod DeGrippo, Senior Director Threat Research, Proofpoint:

“While this is a serious vulnerability that should be patched, there’s no need to panic. When you look at the vulnerability and the number of affected systems, this does not reach the level of Heartbleed or WannaCry scenarios from the past. Also, our research shows that behavioral analysis of malware still detects malware as malicious, even if it’s signed with an ostensibly legitimate certificate.”

Allan Liska, Senior Solutions Architect, Recorded Future:

“This vulnerability was reported by the NSA to Microsoft, which is a good demonstration of the role the NSA, and other security agencies, can play in improving global information security. This reporting is also likely a direct result of the revamped Vulnerability Equities Process (VEP) at NSA. The goal of the revamped program is to prioritize public interest in reporting security flaws and protecting core systems and infrastructure. Certificate signing is critical to the trust of software applications in both the public and private sectors, so this reporting certainly meets the “critical” threshold. It is worth noting that, at this time, we do not know how long the NSA has knowledge of this vulnerability.”

Tim Mackey, Principal Security Strategist, Synopsys CyRC:

“Crypt32.dll is used as the basis for most cryptographic functions on Windows based computers. This includes obvious items like SSL and management of digital certificates through to less obvious items like password hashes and services provided by the Local Security Authority Subsystem Service (lsass). This ubiquity means that nominally trusted activities within an application like validating digital signatures, hashing data and accessing remote systems can become compromised when a security issue occurs within crypt32.dll.

 

Unfortunately, CVE-2020-0601 is such a security issue and one without a meaningful workaround other than to prioritize systems for patching. The net result for software developers is that while the root of the issue is within crypt32.dll, the impact could easily be felt within other applications. In addition to patching their own Windows computers, providers of Windows software should proactively validate their use of cryptographic functions with the patched version of crypt32.dll to ensure continued stable operation of their applications following the patch.

 

While unlikely, changes to a critical component like crypt32.dll could have unintended consequences for an ecosystem as large as that found with Windows and non-technical users will naturally reach out for support from the vendor of a failing application and not the operating system provider.

 

Additionally, Windows users who manage computers for smaller organizations or are the “family IT” provider, should proactively ensure their users have fully patched their systems using a patch issued from Microsoft. With the media coverage such a security issue receives, it’s entirely possible for malicious download sites to promote a patch which is itself either a virus or ransomware.”

Max Vetter, Chief Cyber Officer, Immersive Labs:

“While this is clearly a massive vulnerability within Windows systems it is important to place this in the bigger picture. Just because the flaw was discovered by the NSA does not automatically elevate this threat to international levels, or that it presents a bigger risk to business than other threats. It is important to place the vulnerability in context, so that the highest threats are prioritised first.

 

In the same Microsoft update much more potent vulnerabilities with higher CVS scores were patched, which organisations should prioritise over this specific flaw. While it is clearly vital that businesses do update their systems regularly, it is also important that you do not get distracted by the glamour of a lesser vulnerability. Human capability in cyber security is such a valuable resource, so ultimately being aware of all threats is a much better approach than being distracted by one.”

Marc Gaffan, CEO, Hysolate:

“Given that this was an NSA disclosure, I wouldn’t rule out that some nationstate (I.e. Iran) was using or about to use this to impact critical infrastructure. It’s still hard to believe that the same Windows workstations that are used to access critical infrastructure, sensitive systems and data are also used to receive email and surf the web.”

Rene Kolga, VP of Product Strategy, Nyotron:

“It's ironic that on the day that spells the end of extended support for Windows 7, we also get the stark warning about a major vulnerability in Microsoft's only officially supported desktop operating system. How many other vulnerabilities are lurking in Windows 10 that may already be leveraged by malicious actors? RAND's study from a few years ago estimates that zero-day exploits and their underlying vulnerabilities have an almost 7-year life expectancy.


Besides staying up-to-date with patches this highlights the importance of applying true defense in depth that includes both "chasing the bad" and "ensuring the good" security tools.”

Chris Morales, head of security analytics, Vectra:

“Kudos to the NSA for informing Microsoft and to Microsoft for quickly reacting.

 

I’d be interested to understand what makes this exploit worth reporting to Microsoft instead of keeping for their personal arsenal as they have in the past. It could be because many of those previous tools leaked and have caused widespread damage across multiple organizations. It could be because there was a concern others would find this vulnerability themselves and it was dangerous enough to warrant remediation instead of weaponizing.

 

Or it just could be the NSA already has enough other methods for compromising a Windows system and doesn’t need it.”

Rick Holland, CISO, Vice President of Strategy, Digital Shadows:

“This vulnerability is a force multiplier for attackers who often go to great lengths to get their tools whitelisted in their target environment. The CryptoAPI Spoofing vulnerability gives attackers another option to make their code appear legitimate. There is a silver lining though, Windows 7, which is now end of life, isn't impacted by this.

 

This is also a significant step for the National Security Agency. Unlike Eternal Blue, this vulnerability was disclosed to Microsoft.

 

Please make no mistake, though; the NSA will continue to hoard zero-days and leverage them as required to accomplish their objectives.”

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.