Feb. 7 (21:00 UTC) Update: Updated Trend Micro Microsoft Windows CryptoAPI Spoofing Vulnerability Assessment Tool
One very notable bug that was disclosed was CVE-2020-0601 (also known as "Curveball") - a Windows CryptoAPI Spoofing vulnerability in the way Elliptic Curve Cryptography (ECC) certificates are validated. Exploitation of this could allow an attacker to sign a malicious executable using a spoofed code-signing certificate (appearing legitimate), leading to a man-in-the-middle (MITM) attack and decryption of confidential information.
Other than the severity, the other reason it is notable is that it was the first Windows bug publicly attributed to the National Security Agency (NSA) in the United States.
In addition to the Microsoft Security Bulletin, the NSA also put out a comprehensive analysis document that goes into the vulnerability in more detail.
First and foremost, the first line of protection against this serious vulnerability is to ensure the affected systems are patched with Microsoft's latest security update. This continues to be the primary recommendation for protection against any exploit that may arise from this vulnerability.
In order to assist customers, Trend Micro has released some additional layers of protection in the form of IPS and Deep Discovery rules and filters that may help organizations strengthen their overall security posture, especially in situations where comprehensive patching may take some time.
IPS Rules
Deep Security, Vulnerability Protection and Apex One Vulnerability Protection (iVP)
- Rule 1010130 - Microsoft Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601)
- Rule 1010132 - Microsoft Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601) - 1
- Filter 36956: HTTP: Microsoft Windows CryptoAPI Spoofing Vulnerability
- Filter 36966: SSL: ECC Certificate with Explicitly Defined Curve Parameters (replaces CSW Filter C1000001)
Other Inspection/Detection Rules
Deep Security Log Inspection
- Rule 1010129 - Microsoft Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601)
Deep Discovery Inspector (DDI)
- Rule 4330: CVE-2020-0601 Spoofed Certificate Attempt - TLS (Response)
- OPR versions 15.665.00 and above
Standalone / Helper Tools
- Trend Micro Microsoft Windows CryptoAPI Spoofing Vulnerability Assessment Tool (SHA256:8bc719ca32ef3f196b3c8ed2d1cfeab1a5f7303e510cbfae22f02ae6497f9541)
Trend Micro is continuing to aggressively look into other forms of detection and protection to assist our customers, but we do want to continue to reiterate that the primary recommendation is to apply the official Microsoft patches as soon as possible. We will continue to update this article and our customers if/when additional layers of protection are found.
References
- Trend Micro Blog - https://blog.trendmicro.com/dont-let-the-vulnera-bullies-win-patch-against-vulnerability-cve-2020-0601-and-do-it-now/
- Microsoft Advisory - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601
- NSA Cybersecurity Advisory - https://powerbox-na-file.trend.org/SFDC/DownloadFile_iv.php?jsonInfo=%7B%22Query%22%3A%22p0Ebh4LH2feRZe7ZP6LIigKXPrwKyPjcOTYQDtC41KgqEMyGoBpAGM2EjXEV2C%2B5LFlkTqW8Zvx6%2BGQdgMoK8377G0EY8B8oYdbPYUVlVohDi4TITkyV5H3M22Oclagx7jMwAAQibfR1L3LanO9autJG4xO4by4LAkRJXEWgsJU09SDNmzdNEaZgrtjVeNWL6DNXjDcliILYyaopVcFYb9gxfIXryVgtvhgDR8y3u0pGcw133r64osXnMOzxJ%2Bkn%22%2C%22iv%22%3A%229b9c05ebce411778bb16d394dda590e6%22%7D
- NSA Blog - https://www.nsa.gov/News-Features/News-Stories/Article-View/Article/2056772/a-very-important-patch-tuesday/
- US CERT Vulnerability Note VU#849224 - https://kb.cert.org/vuls/id/849224/