5.8
CVSSv2

CVE-2020-0601

Published: 14/01/2020 Updated: 16/01/2020
CVSS v2 Base Score: 5.8 | Impact Score: 4.9 | Exploitability Score: 8.6
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N

Vulnerability Summary

A vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. The vulnerability affects Microsoft Windows®1 cryptographic functionality. The certificate validation vulnerability allows an attacker to undermine how Windows verifies cryptographic trust and can enable remote code execution. The vulnerability affects Windows 10 and Windows Server 2016/2019 as well as applications that rely on Windows for trust functionality. Exploitation of the vulnerability allows attackers to defeat trusted network connections and deliver executable code while appearing as legitimately trusted entities.

Vulnerability Trend

Affected Products

Vendor Product Versions
MicrosoftWindows 10-, 1607, 1709, 1803, 1809, 1903, 1909
MicrosoftWindows Server 2016-, 1803, 1903, 1909
MicrosoftWindows Server 2019-

Vendor Advisories

The stable channel has been updated to 7903945130 for Windows, Mac, and Linux, which will roll out over the coming days/weeks A list of all changes is available in the log Interested in switching release channels? Find out how If you find a new issue, please let us know by filing a bug The community help forum is also a great place to ...

Github Repositories

CVE-2020-0601 proof of concept

这资源是作者复现微软签字证书漏洞CVE-2020-0601,结合相关资源及文章实现。推荐大家结合作者博客,理解ECC算法、Windows验证机制,并尝试自己复现可执行文件签名证书和HTTPS劫持的例子。作为网络安全初学者,自己确实很菜,但希望坚持下去,加油!

这资源是作者复现微软签字证书漏洞CVE-2020-0601,结合相关资源及文章实现。推荐大家结合作者博客,复现了该漏洞和理解恶意软件自启动劫持原理。作为网络安全初学者,自己确实很菜,但希望坚持下去,一起加油!

This repository aims to hold suggestions (and hopefully/eventually code) for CTF challenges. The "project" is nicknamed Katana.

Recent Articles

How Malware Gains Trust by Abusing the Windows CryptoAPI Flaw
BleepingComputer • Lawrence Abrams • 17 Jan 2020

The new Windows CryptoAPI CVE-2020-0601 vulnerability disclosed by the NSA can be abused by malware developers to sign their executables so that they appear to be from legitimate companies. This creates trust in the program, which may cause a user to be more willing to execute them.
Most of the coverage of this vulnerability illustrates how the vulnerability can be exploited to spoof certificates used for TLS connections to web sites and perform MiTM attacks.
For example, Kudelski Se...

Bad news: Windows security cert SNAFU exploits are all over the web now. Also bad: Citrix gateway hole mitigations don't work for older kit
The Register • Shaun Nichols in San Francisco • 16 Jan 2020

Good news: There is none. Well, apart from you can at least fully patch the Microsoft blunder

Vid Easy-to-use exploits have emerged online for two high-profile security vulnerabilities, namely the Windows certificate spoofing bug and the Citrix VPN gateway hole. If you haven't taken mitigation steps by now, you're about to have a bad time.
While IT admins can use the proof-of-concept exploit code to check their own systems are secure, miscreants can use them to, in the case of Citrix, hijack remote systems, or in the case of Windows, masquerade malware as legit apps or potentially ...

Google Chrome Adds Protection for NSA's Windows CryptoAPI Flaw
BleepingComputer • Lawrence Abrams • 16 Jan 2020

Google just released Chrome 79.0.3945.130, which will now detect certificates that attempt to exploit the NSA discovered CVE-2020-0601 CryptoAPI Windows vulnerability.
As part of Microsoft's January 2020 Patch Tuesday, security updates were released for a vulnerability discovered by the NSA in the Windows CryptoAPI library Crypt32.dll.
This vulnerability allows attackers to create TLS and code-signing certificates that spoof, or impersonate, other companies to perform man-in-the-mi...

PoCs for Windows CryptoAPI Bug Are Out, Show Real-Life Exploit Risks
BleepingComputer • Sergiu Gatlan • 16 Jan 2020

Proof-of-concept exploit code is now available for the Windows CryptoAPI spoofing vulnerability tracked as CVE-2020-0601 and reported by the National Security Agency (NSA), just two days after Microsoft released a patch.
The PoC exploits for the flaw now known as CurveBall (per security researcher Tal Be'ery) were publicly released during the last 24 hours by Swiss cybersecurity outfit Kudelski Security and ollypwn.
British hardware hacker Saleem Rashid also developed a CurveBall PoC...

Microsoft Patch Tuesday – January 2020
Symantec Threat Intelligence Blog • Preethi Koroth • 15 Jan 2020

This month the vendor has patched 49 vulnerabilities, 8 of which are rated Critical.

Posted: 15 Jan, 202014 Min ReadThreat Intelligence SubscribeMicrosoft Patch Tuesday – January 2020This month the vendor has patched 49 vulnerabilities, 8 of which are rated Critical.This month the vendor has patched 49 vulnerabilities, 8 of which are rated Critical.

As always, customers are advised to follow these security best practices:


Install vendor patches as soon as they are available.
Run all softw...

Microsoft patches severe Windows flaw after tip‑off from NSA
welivesecurity • Tomáš Foltýn • 15 Jan 2020

Microsoft has shipped out a security patch to address a serious vulnerability in the Windows operating system that, if abused, could enable attackers to make malware appear as though it was code from a legitimate source.
The vulnerability, which is being fixed as part of this month’s Patch Tuesday rollout, affects a key cryptographic component of Windows 10, Windows Server 2019 and Windows Server 2016. The flaw was discovered by the United States’ National Security Agency (NSA), which,...

Welcome to the 2020s: Booby-trapped Office files, NSA tipping off Windows cert-spoofing bugs, RDP flaws...
The Register • Shaun Nichols in San Francisco • 14 Jan 2020

Grab your Microsoft, Adobe, SAP, Intel, and VMware fixes now

Patch Tuesday In the first Patch Tuesday of the year, Microsoft finds itself joined by Adobe, Intel, VMware, and SAP in dropping scheduled security updates.
This month's Microsoft security fixes include three more remote-code-execution vulnerabilities in Redmond's Windows Remote Desktop Protocol software. Two of the flaws (CVE-2020-0609, CVE-2020-0610) are present on the server side in RD Gateway – requiring no authentication – while a third (CVE-2020-0611) is found on the client side....

Oracle Ties Previous All-Time Patch High with January Updates
Threatpost • Tara Seals • 14 Jan 2020

Oracle has patched 334 vulnerabilities across all of its product families in its January 2020 quarterly Critical Patch Update (CPU). Out of these, 43 are critical/severe flaws carrying CVSS scores of 9.1 and above. The CPU ties for Oracle’s previous all-time high for number of patches issued, in July 2019, which overtook its previous record of 308 in July 2017.
The company said in a pre-release announcement that some of the vulnerabilities affect multiple products. “Due to the threat ...

NSA's First Public Vulnerability Disclosure: An Effort to Build Trust
BleepingComputer • Sergiu Gatlan • 14 Jan 2020

The U.S. National Security Agency (NSA) started a new chapter after discovering and reporting to Microsoft a vulnerability tracked as CVE-2020-0601 and impacting Windows 10 and Windows Server systems.
In a phone conference that Bleeping Computer joined, NSA's Director of Cybersecurity Anne Neuberger said that this is the first time the agency decided to publicly disclose a security vulnerability to a software vendor.
"We thought hard about that. When Microsoft asked us, 'Can we a...

Microsoft Fixes Windows CryptoAPI Spoofing Flaw Reported by NSA
BleepingComputer • Sergiu Gatlan • 14 Jan 2020

Microsoft patched a spoofing vulnerability present in the Windows usermode cryptographic library, CRYPT32.DLL, on Windows 10, Windows Server 2016, and Windows Server 2019 systems.
In a media call with the NSA that Bleeping Computer joined, the National Security Agency (NSA) stated that they discovered this vulnerability and immediately reported it to Redmond's security team.
Both NSA and Microsoft say that the vulnerability hasn't yet been exploited in the wild, while the agency re...

Microsoft's January 2020 Patch Tuesday Fixes 49 Vulnerabilities
BleepingComputer • Lawrence Abrams • 14 Jan 2020

Today is Microsoft's January 2020 Patch Tuesday and also the Windows 7 end of life. This is going to be a stressful day for your Windows administrators, so be nice!
With the release of the January 2020 security updates, Microsoft has released fixes for 49 vulnerabilities. Of these vulnerabilities, 7 are classified as Critical, 41 as Important, and 1 as Moderate.
One of the 'Critical' vulnerabilities fixed today was discovered by the NSA and could allow attackers to spoof digital ce...