search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Microsoft Windows CryptoAPI fails to properly validate ECC certificate chains

Vulnerability Note VU#849224

Original Release Date: 2020-01-14 | Last Revised: 2020-01-15

Overview

The Microsoft Windows CryptoAPI fails to properly validate certificates that use Elliptic Curve Cryptography (ECC), which may allow an attacker to spoof the validity of certificate chains.

Description

The Microsoft Windows CryptoAPI, which is provided by Crypt32.dll, fails to validate ECC certificates in a way that properly leverages the protections that ECC cryptography should provide. As a result, an attacker may be able to craft a certificate that appears to have the ability to be traced to a trusted root certificate authority.

Any software, including third-party non-Microsoft software, that relies on the Windows CertGetCertificateChain() function to determine if an X.509 certificate can be traced to a trusted root CA may incorrectly determine the trustworthiness of a certificate chain.

Microsoft Windows versions that support certificates with ECC keys that specify parameters are affected. This includes Windows 10 as well as Windows Server 2016 and 2019. Windows 8.1 and prior, as well as the Server 2012 R2 and prior counterparts, do not support ECC keys with parameters. For this reason, such certificates that attempt to exploit this vulnerability are inherently untrusted by older Windows versions.

Impact

By exploiting this vulnerability, an attacker may be able to spoof a valid X.509 certificate chain on a vulnerable Windows system. This may allow various actions including, but not limited to, interception and modification of TLS-encrypted communications or spoofing an Authenticode signature.

Solution

Apply an update

This vulnerability is addressed in the Microsoft Update for CVE-2020-0601.

Vendor Information

849224
 
Affected   Unknown   Unaffected

Microsoft

Updated:  January 14, 2020

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References


CVSS Metrics

Group Score Vector
Base 9.4 AV:N/AC:L/Au:N/C:C/I:C/A:N
Temporal 9.4 E:ND/RL:U/RC:C
Environmental 9.4 CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND

References

Acknowledgements

This issue was disclosed by Microsoft, who in turn credit the National Security Agency (NSA).

This document was written by Will Dormann.

Other Information

CVE IDs: CVE-2020-0601
Date Public: 2020-01-14
Date First Published: 2020-01-14
Date Last Updated: 2020-01-15 00:03 UTC
Document Revision: 36

Sponsored by CISA.