Certificate validation vulnerability in Microsoft Windows
Details
On 15 January 2020 (NZDT), Microsoft released a security advisory detailing a vulnerability in how Windows validates digital certificates. This vulnerability has been assigned CVE number CVE-2020-0601 and affects the following versions of Windows:
- Windows 10
- Windows Server 2016 and 2019
Although Microsoft has rated the severity of this vulnerability as important, various other sources have rated it as critical with an assessment that exploitation of the vulnerability is likely to occur.
As this vulnerability affects the validation of digital certificates, it has the potential to affect any security functionality that relies on trusting certificates. This includes but is not necessarily limited to:
- TLS/HTTPS connections, potentially allowing for man-in-the-middle attacks.
- Signed executable code, potentially bypassing any restrictions based on code signing.
- Signed files and emails.
Recommendations
The NCSC recommends the relevant security updates as detailed in the “January 2020 Security Updates” release notes are applied as soon as possible to all affected Windows systems.
Priority should be given to internet-facing or critical internal services that rely on TLS validation.
References:
US National Security Agency Advisory:
Microsoft Security Response Centre CVE-2020-0601:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601(external link)
Microsoft Security Response Centre January 2020 Security Updates:
https://portal.msrc.microsoft.com/en-US/security-guidance/releasenotedetail/2020-Jan(external link)