Views:
Mitigation and Protection

First and foremost, the first line of protection against this serious vulnerability is to ensure the affected systems are patched with Microsoft's latest security update.  This continues to be the primary recommendation for protection against any exploit that may arise from this vulnerability.  

In order to assist customers, Trend Micro has released some additional layers of protection in the form of IPS and Deep Discovery rules and filters that may help organizations strengthen their overall security posture, especially in situations where comprehensive patching may take some time.

IPS Rules

Deep Security, Vulnerability Protection and Apex One Vulnerability Protection (iVP)
  • Rule 1010130 - Microsoft Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601)
  • Rule 1010132 - Microsoft Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601) - 1
TippingPoint
  • Filter 36956: HTTP: Microsoft Windows CryptoAPI Spoofing Vulnerability
  • Filter 36966: SSL: ECC Certificate with Explicitly Defined Curve Parameters (replaces CSW Filter C1000001)
These IPS rules and filters look for possible exploitation of the vulnerability by attackers trying to spoof Microsoft certificates to make them look legitimate.  This covers the first bullet of the "examples of validation of trust that may be impacted" referred to in the NSA Advisory - HTTPS Connections.  

Other Inspection/Detection Rules

Deep Security Log Inspection
  • Rule 1010129 - Microsoft Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601)
This Log Inspection (LI) rule for Deep Security gives administrators visibility into potential exploit activity.  Due to the complexity of this vulnerability, the Log Inspection rule will only log activities against systems that have already applied the Microsoft patch.  Administrators who have patched critical servers with Deep Security may find this information useful internally to help accelerate patching of endpoints and non-critical systems if there is evidence of activity in their environment.  We are continuing to research on potential ways to give LI visibility into un-patched machines.

Deep Discovery Inspector (DDI)
  • Rule 4330: CVE-2020-0601 Spoofed Certificate Attempt - TLS (Response)
Trend Micro Official Pattern Release (OPR)
  • OPR versions 15.665.00 and above

Standalone / Helper Tools This standalone executable allows administrators and individual end users to quickly verify if a machine has applied the necessary Microsoft patches to protect against this vulnerability.

Trend Micro is continuing to aggressively look into other forms of detection and protection to assist our customers, but we do want to continue to reiterate that the primary recommendation is to apply the official Microsoft patches as soon as possible.  We will continue to update this article and our customers if/when additional layers of protection are found.

References