Update January 31, 2020: Client testing is now available at clienttest.ssllabs.com.
Update January 15, 2020: Detection dashboard now available.
Today, Microsoft released patch for CVE-2020-0601, aka Curveball, a vulnerability in windows “crypt32.dll” component that could allow attackers to perform spoofing attacks. This was discovered and reported by National Security Agency (NSA) Researchers. The vulnerability affects Windows 10 and Windows Server 2016/2019 systems.
This is a serious vulnerability and patches should be applied immediately. An attacker could exploit this vulnerability by using a spoofed code-signing certificate, meaning an attacker could let you download and install malware that pretended to be something legit, such as software updates, due to the spoofed digital signature. Examples where validation of trust may be impacted include:
There are no reports of active exploitation or PoC available in public domain at this point of time. However, per NSA advisory “Remote exploitation tools will likely be made quickly and widely available.”
The best method for identifying vulnerable hosts is through the Qualys Cloud Agent or via Qualys authenticated scanning. Qualys has issued a special QID (91595) for Qualys Vulnerability Management that covers only CVE-2020-0601 across all impacted Operating Systems. This QID will be included in signature version VULNSIGS-2.4.791-3, and requires authenticated scanning or the Qualys Cloud Agent. Cloud Agents will automatically receive this new QID as part of manifest version 2.4.791.3-2.
You can search for this within AssetView or the VM Dashboard by using the following QQL query:
vulnerabilities.vulnerability.cveIds:CVE-2020-0601 and
vulnerabilities.vulnerability.qid:91595
or use the pre-built CryptoAPI Spoofing vulnerability dashboard.
Customers using Qualys Patch Management with Cloud Agent can search for cve:CVE-2020-0601
in the Patch Catalog, and click “Missing” in the side panel to locate and deploy patches to all affected Operating Systems.
For emergency patching, you can create an On-demand Job and target it at the “Cloud Agent” tag to cover all hosts. For continuous patching, a Daily Job can be created with a 24-hour “Patch Window” to ensure all hosts will continue to receive the required patches. This patch does require a reboot.
Targeting specific operating systems is not necessary, and all patches can be placed into a single job. The Qualys Cloud Agent already knows which patch is needed for each host.
You can search for this within Qualys Patch Management by using the following QQL query:
cve:CVE-2020-0601
and patchStatus: Missing
In addition, Qualys customers can locate vulnerable host through Qualys Threat Protection. This helps in effectively identifying and tracking this vulnerability.
To start detecting and remediating this vulnerability now, get a Qualys Suite trial.