A Very Important Patch Tuesday
By By Neal Ziring, Technical Director - NSA Cybersecurity Directorate, NSA
/ Published January 15, 2020
FORT MEADE, Md., Jan. 14, 2020 --
On January 14, Microsoft released a set of patches for the Windows platform. While all of the issues addressed in the patch release are serious, this article will discuss one of them: CVE-2020-0601. Above anything else, we urge everyone to take action and patch their systems.
CVE-2020-0601 is a serious vulnerability, because it can be exploited to undermine Public Key Infrastructure (PKI) trust. PKI is a set of mechanisms that home users, businesses, and governments rely upon in a wide variety of ways. The vulnerability permits an attacker to craft PKI certificates to spoof trusted identifies, such as individuals, web sites, software companies, service providers, or others. Using a forged certificate, the attacker can (under certain conditions) gain the trust of users or services on vulnerable systems, and leverage that trust to compromise them.
This kind of vulnerability may shake our belief in the strength of cryptographic authentication mechanisms and make us question if we can really rely on them. Fortunately, we can. CVE-2020-0601 reflects a weakness in the implementation of one subtle aspect of PKI certificate validation. The technology and standards are sound; it is one implementation that needs repair.
CVE-2020-0601 poses significant risk for enterprises and systems that depend on PKI for trust – as all of us do. The patch is the only comprehensive means to mitigate the risk. While means exist to detect or prevent some forms of exploitation, none of them are complete or fully reliable. It is critical for enterprises to apply the patch fully across their Windows 10 and Server 2016 installed base; attackers excel at finding vulnerable targets. Further details are available in the published NSA Cybersecurity Advisory; it offers guidance on prioritization and instrumentation.
This vulnerability may not seem flashy, but it is a critical issue. Trust mechanisms are the foundations on which the internet operates – and CVE-2020-0601 permits a sophisticated threat actor to subvert those very foundations.
NSA contributed to addressing this problem by discovering and characterizing the vulnerability, and then sharing with Microsoft quickly and responsibly. The company has provided the solution, and now all of us need to adopt it.