A vulnerability has been disclosed in Windows certificate validation. CVE-2020-0601 is a spoofing vulnerability in the way the Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates; it affects Windows 10 and Windows Server 2016/2019. It is not itself a remote code execution bug: it lets an attacker present a certificate that Windows accepts as chaining to a trusted root when it does not, so a malicious executable can be signed to look like it came from a trusted publisher, and a man-in-the-middle can terminate HTTPS connections with a forged server certificate. Code that a user runs because of a forged signature runs with that user's privileges, and a user already running with elevated rights hands those rights to the attacker's code. Beyond HTTPS, the same trust failure applies to signed email and files and to signed executable code launched as user-mode processes.
The vulnerability is severe. Microsoft published the fix in the January 14, 2020 security update, and it should be applied as a priority. The flaw is easy to exploit, proof-of-concept code was public within days of disclosure, and widespread exploitation should be expected and prepared for.
Until every host is patched, exposure over HTTPS can be reduced with a correctly configured Decryption Profile on a Palo Alto Networks NGFW: the firewall validates the server's certificate chain with its own certificate store and its own cryptographic code, so a forged chain that a vulnerable Windows client would accept is still rejected at the perimeter. PAN-OS does not rely on the Windows CryptoAPI and is therefore not itself exploitable via CVE-2020-0601. Note that this protects only TLS sessions that pass through the firewall; signed executables, files or email that arrive by other paths are not covered, so patching remains the real fix.
Objects > Decryption > Decryption Profile > (profile) > No Decryption tab
Make sure both ‘Block sessions with expired certificates’ and ‘Block sessions with untrusted issuers’ are checked, and confirm the profile is attached to the decryption policy rule(s) (action: No Decrypt) that cover the traffic; a profile that no rule references has no effect.
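To make concrete what those two settings do, here is an added example (written for this page, not PAN-OS code) that reproduces the check in Go with the standard library's crypto/x509. It builds a constructed trust store with one root CA and then validates three constructed server certificates against it at a fixed point in time: one valid, one expired, and one issued by an attacker-controlled CA whose subject name copies the trusted root but whose key does not chain to it. The CA names, hostname, fixed clock and verdict strings are all assumptions for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Verdict is the outcome of the two "No Decryption" profile checks (assumed labels).
type Verdict string

const (
	Allow          Verdict = "allow"
	BlockExpired   Verdict = "block: expired certificate"
	BlockUntrusted Verdict = "block: untrusted issuer"
	BlockOther     Verdict = "block: other validation failure"
)

// CheckServerCert validates a server certificate against the device's own
// trust store (roots) at time now, independent of what the client OS believes.
func CheckServerCert(leaf *x509.Certificate, roots *x509.CertPool, now time.Time) Verdict {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now})
	if err == nil {
		return Allow
	}
	var invalid x509.CertificateInvalidError
	if errors.As(err, &invalid) && invalid.Reason == x509.Expired {
		return BlockExpired
	}
	var unknown x509.UnknownAuthorityError
	if errors.As(err, &unknown) {
		// No cryptographically valid chain to a trusted root, however
		// convincing the issuer name looks.
		return BlockUntrusted
	}
	return BlockOther
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// sign issues the certificate described by tmpl for pub, signed by parent/signer.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// Scenario holds constructed sample certificates (not real-world certificates).
type Scenario struct {
	Roots                  *x509.CertPool
	Good, Expired, Spoofed *x509.Certificate
	Now                    time.Time
}

func BuildScenario() Scenario {
	now := time.Date(2020, 1, 20, 12, 0, 0, 0, time.UTC) // fixed clock for reproducibility

	caTmpl := func(cn string) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber:          big.NewInt(1),
			Subject:               pkix.Name{CommonName: cn},
			NotBefore:             now.AddDate(-1, 0, 0),
			NotAfter:              now.AddDate(10, 0, 0),
			IsCA:                  true,
			BasicConstraintsValid: true,
			KeyUsage:              x509.KeyUsageCertSign,
		}
	}
	leafTmpl := func(serial int64, notBefore, notAfter time.Time) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial),
			Subject:      pkix.Name{CommonName: "www.example.test"},
			DNSNames:     []string{"www.example.test"},
			NotBefore:    notBefore,
			NotAfter:     notAfter,
			KeyUsage:     x509.KeyUsageDigitalSignature,
			ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		}
	}

	// The firewall's trust store: one assumed root CA.
	rootKey := newKey()
	rootTmpl := caTmpl("Example Trusted Root CA")
	root := sign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	roots := x509.NewCertPool()
	roots.AddCert(root)

	// An attacker's CA that copies the trusted root's name but not its key.
	evilKey := newKey()
	evilTmpl := caTmpl("Example Trusted Root CA")
	evil := sign(evilTmpl, evilTmpl, &evilKey.PublicKey, evilKey)

	serverKey := newKey()
	return Scenario{
		Roots:   roots,
		Now:     now,
		Good:    sign(leafTmpl(10, now.AddDate(0, -6, 0), now.AddDate(1, 0, 0)), root, &serverKey.PublicKey, rootKey),
		Expired: sign(leafTmpl(11, now.AddDate(-2, 0, 0), now.AddDate(0, 0, -1)), root, &serverKey.PublicKey, rootKey),
		Spoofed: sign(leafTmpl(12, now.AddDate(0, -6, 0), now.AddDate(1, 0, 0)), evil, &serverKey.PublicKey, evilKey),
	}
}

func main() {
	s := BuildScenario()
	fmt.Println("valid leaf:     ", CheckServerCert(s.Good, s.Roots, s.Now))
	fmt.Println("expired leaf:   ", CheckServerCert(s.Expired, s.Roots, s.Now))
	fmt.Println("spoofed issuer: ", CheckServerCert(s.Spoofed, s.Roots, s.Now))
}
```

Run it with `go run .`; the valid leaf is allowed, the expired one is blocked by the expiry check, and the spoofed one is blocked because the only candidate issuer in the trust store fails signature verification. The point for CVE-2020-0601 is the last case: the decision rests on the firewall's own trust store and chain verification, not on the client's CryptoAPI, so the forged chain never reaches a vulnerable Windows host.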
- What the vulnerability does (Microsoft advisory): https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601
- Mitigation actions from Palo Alto Networks (Unit 42 threat brief): https://unit42.paloaltonetworks.com/threat-brief-windows-cryptoapi-spoofing-vulnerability-cve-2020-0601/