The NSA Reports a Critical Windows Vulnerability warning of a critical vulnerability in Microsoft Windows’ cryptographic functionality. This is the first time that the National Security Agency has publicly taken credit for the discovery of a vulnerability, and it urges users to patch their systems immediately. The NSA report, released on January 14, says that “consequences of not patching the vulnerability are severe and widespread.” Sophisticated cyber attackers could come to understand this flaw very quickly and make rapid use of it, catching users off guard as certificates appear to be trustworthy.
This is a Zero-Day Windows Vulnerability
This is a certificate validation vulnerability, which would allow attackers to spoof cryptographic certificates and appear trustworthy. Using this weakness, an attacker could undermine the cryptographic trust that Windows normally verifies. The attacker would give a spoofed code-signing certificate, making it appear to be from a legitimate source. Another possibility would be for an attacker to administer man-in-the-middle attacks on user connections to the vulnerable software. Through this path, it would be possible to decrypt confidential information that would normally be kept secure.
This a zero-day vulnerability, which means that it is exploitable right now if you have not applied the January 2020 Windows updates yet. NSA cybersecurity researchers discovered it and notified Microsoft so it could create a patch addressing it.
Who does the vulnerability affect?
This vulnerability affects those using:
- Windows 10
- Windows Server 2016/2019
- Applications that rely on Windows for trust functionality
These are some examples of where trust validation could be undermined:
- HTTPS connections
- Signed emails and files
- Signed executable code launched as user-mode processes
What can you do to protect against these attacks?
The NSA recommends installing all January 2020 Patch Tuesday patches as soon as possible. For large enterprises where automated patching may not be possible, administrators should immediately patch the endpoints that provide the most essential services that are the most relied upon. Those that host critical infrastructure such as DNS or VPN servers should be prioritized. Administrators should also prioritize the endpoints that have the highest risk of exploitation, such as those directly exposed to the internet and those employed by privileged users. In the case of exploitation before all systems are able to be patched, security teams should have remediation actions ready as a response.
Another way to help safeguard against an attack while systems are patching is to route traffic through proxy devices that perform TLS inspection without using Windows certificate validation. Since these TLS inspection proxies don’t go through Windows and instead independently validate TLS certificates from external entities, they should not face the vulnerabilities that the unpatched Windows certification systems present. They can therefore isolate vulnerabilities behind the proxies in the meantime while the company patches for Windows. If you go this route, make sure that certificate validation is enabled for the TLS proxies.
There are also other tools to analyze certificates more carefully, such as a packet capture analysis tool like Wireshark. This would extract certificates from network protocol data and analyze them, checking for malicious properties. Software such as OpenSSL and Windows Certutil can also perform these analyses.
Closing thoughts: patch now!
When the NSA reports a critical Windows vulnerability, it’s worth paying attention to. Some argue that that’s just what the NSA wants–to boost its image and gain positive recognition for the discovery of the vulnerability. But regardless of their motives, it’s always our philosophy to take cybersecurity warnings seriously. It is, after all, much better to be safe than sorry in this realm. We’re glad Microsoft is responsive in making its patches available, and we recommend making use of them and saving yourself from what could be a disaster.
For our customers that are enrolled with our Intelligent Threat Protection program, we prioritize zero-day patches to be applied the day they are released. If you’re still manually patching or using a WSUS server, contact us below to find out more about how we can help streamline your patching.
If you have yet to read up on the California Consumer Privacy Act, you can do so here. And if you haven’t patched blue keep yet, make sure you’re keeping up to date.