Today, Microsoft released patch for CVE-2020-0601, a vulnerability in windows “crypt32.dll” component that could allow attackers to perform spoofing attacks. This was discovered and reported by National Security Agency (NSA) Researchers. The vulnerability affects Windows 10 and Windows Server 2016/2019 systems.
This is a serious vulnerability and patches should be applied immediately. An attacker could exploit this vulnerability by using a spoofed code-signing certificate, meaning an attacker could let you download and install malware that pretended to be something legit, such as software updates, due to the spoofed digital signature.
Detecting CVE-2020-0601 with Qualys VM
The best method for identifying vulnerable hosts is through the Qualys Cloud Agent or via Qualys authenticated scanning. Qualys has issued a special QID (91595) for Qualys Vulnerability Management that covers only CVE-2020-0601 across all impacted Operating Systems. This QID is included in signature version VULNSIGS-2.4.791-3, and requires authenticated scanning or the Qualys Cloud Agent. Cloud Agents will automatically receive this new QID as part of manifest version 2.4.791-3-2.
You can search for this within AssetView or the VM Dashboard by using the following QQL query:
Remediating with Qualys Patch Management:
Customers using Qualys Patch Management with Cloud Agent can search for cve:`CVE-2020-0601` in the Patch Catalog, and click “Missing” in the side panel to locate and deploy patches to all affected Operating Systems.
For QID 91595 (CVE-2020-0601), there is no patch available. Defender will download the update as part of its regular definition updates.
For emergency patching, you can create an On-demand Job and target it at the “Cloud Agent” tag to cover all hosts. For continuous patching, a Daily Job can be created with a 24-hour “Patch Window” to ensure all hosts will continue to receive the required patches. This patch does require a reboot.
Targeting specific operating systems is not necessary, and all patches can be placed into a single job. The Qualys Cloud Agent already knows which patch is needed for each host.
You can search for this within Qualys Patch Management by using the following QQL query:
cve:`CVE-2020-0601` and patchStatus: `Missing`
Qualys Threat Protection
In addition, Qualys customers can locate vulnerable host through Qualys Threat Protection. This helps in effectively identifying and tracking this vulnerability.
Get Started Now
To start detecting and remediating this vulnerability now, get a Qualys Suite trial.
*** This is a Security Bloggers Network syndicated blog from The Laws of Vulnerabilities – Qualys Blog authored by Animesh Jain. Read the original post at: https://blog.qualys.com/laws-of-vulnerabilities/2020/01/14/microsoft-windows-cryptoapi-spoofing-vulnerability-cve-2020-0601-how-to-detect-and-remediate