On January 15, 2020, we observed that Microsoft had released its January 2020 security update, which fixes a Windows CryptoAPI validation bypass vulnerability (CVE-2020-0601). The vulnerability was reported to Microsoft by the NSA.
The vulnerability exists in the way that Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. It affects Windows 10, Windows Server 2016/2019, and any application that relies on Windows CryptoAPI for certificate validation. Attack scenarios include:
1. Signing a malicious executable with a forged certificate so that the file appears to come from a trusted source.
2. Performing a man-in-the-middle attack against connections to affected software and decrypting the user's confidential data.
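As an added illustration (not code from the original advisory, from Microsoft, or from the NSA), the following Python sketch shows the defensive principle behind this class of bug. Microsoft's and the NSA's published advisories attribute CVE-2020-0601 to CryptoAPI matching an ECC certificate to a trusted root without checking the certificate's curve parameters, so a certificate carrying explicit (non-named) ECC parameters could be accepted; that root-cause detail is not stated on this page. The code hand-rolls a minimal DER parser for an ECC SubjectPublicKeyInfo (SPKI), then contrasts a trust-anchor check that compares only the public point with a strict one that requires a named-curve OID and a byte-for-byte match of the whole SPKI. The OID values are real; the sample "point", the explicit-parameter blob, the trust store and all function names are constructed for this example.

```python
"""Strict trust-anchor matching for ECC SubjectPublicKeyInfo (SPKI) blobs.

Added example with hand-rolled DER helpers; not CryptoAPI code. Sample keys are constructed.
"""
from __future__ import annotations

# DER-encoded OID bodies (real OID values; der_oid() adds the tag and length).
OID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")    # 1.2.840.10045.2.1 id-ecPublicKey
OID_SECP256R1 = bytes.fromhex("2a8648ce3d030107")      # 1.2.840.10045.3.1.7 prime256v1
OID_SECP384R1 = bytes.fromhex("2b81040022")            # 1.3.132.0.34 secp384r1
NAMED_CURVES = {OID_SECP256R1, OID_SECP384R1}

TAG_SEQUENCE, TAG_OID, TAG_BITSTRING = 0x30, 0x06, 0x03


def _tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV (short length form, or 0x81/0x82 long forms up to 65535 bytes)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body


def der_sequence(*items: bytes) -> bytes:
    return _tlv(TAG_SEQUENCE, b"".join(items))


def der_oid(encoded_body: bytes) -> bytes:
    return _tlv(TAG_OID, encoded_body)


def der_bitstring(raw: bytes) -> bytes:
    return _tlv(TAG_BITSTRING, b"\x00" + raw)  # leading octet: zero unused bits


def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Decode the TLV at buf[pos]; return (tag, body, position after the element)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 2:
            raise ValueError("unsupported DER length encoding")
        length, hdr = int.from_bytes(buf[pos + 2 : pos + 2 + nbytes], "big"), 2 + nbytes
    start, end = pos + hdr, pos + hdr + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[start:end], end


def parse_ec_spki(spki: bytes) -> tuple[int, bytes, bytes]:
    """Split an id-ecPublicKey SPKI into (parameters_tag, parameters_body, public_point).

    parameters_tag is 0x06 for a namedCurve OID and 0x30 for explicit ECParameters.
    """
    tag, body, end = _read_tlv(spki, 0)
    if tag != TAG_SEQUENCE or end != len(spki):
        raise ValueError("SPKI is not a single SEQUENCE")
    tag, alg, pos = _read_tlv(body, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("AlgorithmIdentifier missing")
    tag, pk, pk_end = _read_tlv(body, pos)
    if tag != TAG_BITSTRING or pk_end != len(body):
        raise ValueError("subjectPublicKey missing or trailing data present")
    tag, oid, pos = _read_tlv(alg, 0)
    if tag != TAG_OID or oid != OID_EC_PUBLIC_KEY:
        raise ValueError("not an id-ecPublicKey SPKI")
    params_tag, params, p_end = _read_tlv(alg, pos)
    if p_end != len(alg):
        raise ValueError("trailing data after ECParameters")
    return params_tag, params, pk[1:]  # drop the unused-bits octet


def naive_anchor_match(spki: bytes, trust_store: set[bytes]) -> bool:
    """Weak check: a certificate whose public point equals a root's is treated as that root.
    Curve parameters are ignored, which is the property the advisories describe as the root cause."""
    point = parse_ec_spki(spki)[2]
    return any(parse_ec_spki(root)[2] == point for root in trust_store)


def strict_anchor_match(spki: bytes, trust_store: set[bytes]) -> bool:
    """Hardened check: named curve only, and the entire SPKI must match a root byte-for-byte."""
    params_tag, params, _ = parse_ec_spki(spki)
    if params_tag != TAG_OID or params not in NAMED_CURVES:
        return False  # explicit or unknown curve parameters are never trusted
    return spki in trust_store


# Constructed sample data: the "point" is an arbitrary 65-byte uncompressed-form placeholder,
# not a real curve point, and the explicit ECParameters body is a stand-in, not a valid curve.
SAMPLE_POINT = b"\x04" + bytes(range(1, 33)) + bytes(range(33, 65))
TRUSTED_ROOT_SPKI = der_sequence(
    der_sequence(der_oid(OID_EC_PUBLIC_KEY), der_oid(OID_SECP256R1)), der_bitstring(SAMPLE_POINT))
EXPLICIT_PARAMS_SPKI = der_sequence(
    der_sequence(der_oid(OID_EC_PUBLIC_KEY), der_sequence(_tlv(0x02, b"\x01"))),
    der_bitstring(SAMPLE_POINT))
OTHER_CURVE_SPKI = der_sequence(
    der_sequence(der_oid(OID_EC_PUBLIC_KEY), der_oid(OID_SECP384R1)), der_bitstring(SAMPLE_POINT))
TRUST_STORE = {TRUSTED_ROOT_SPKI}

if __name__ == "__main__":
    for name, spki in [("trusted root", TRUSTED_ROOT_SPKI),
                       ("explicit params", EXPLICIT_PARAMS_SPKI), ("other curve", OTHER_CURVE_SPKI)]:
        print(f"{name:16} naive={naive_anchor_match(spki, TRUST_STORE)} "
              f"strict={strict_anchor_match(spki, TRUST_STORE)}")
```

The takeaway for anyone writing or reviewing chain validation: a trust anchor is identified by its complete SubjectPublicKeyInfo, algorithm parameters included, never by the public point alone, and certificates with explicit ECC parameters should be rejected outright unless there is a documented reason to accept them.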
Other notable vulnerabilities fixed in this update include:
- CVE-2020-0609/CVE-2020-0610: Remote Desktop Gateway remote code execution vulnerabilities. An attacker who sends a malicious request over RDP to the target system's Remote Desktop Gateway may achieve remote code execution. Microsoft has released patches for Windows Server 2012/2012 R2/2016/2019.
- CVE-2020-0611: Remote Desktop Client remote code execution vulnerability. An attacker who tricks a victim into connecting to a malicious server could achieve remote code execution. Microsoft has released patches for versions from Windows 7 SP1 / Windows Server 2008 R2 through Windows 10 Version 1909 / Windows Server 2019.
- CVE-2020-0603/CVE-2020-0605/CVE-2020-0606/CVE-2020-0646: .NET Framework remote code execution vulnerabilities. If a user opens a malicious file with an affected .NET Framework version, remote code execution may result.