Yesterday, the Cybersecurity and Infrastructure Security Agency (CISA) issued a rare emergency directive giving federal agencies 10 days to patch Windows 10 systems against a major cryptographic flaw that was discovered by the National Security Agency (NSA).
This is the first time that NSA has been credited by Microsoft for reporting a security flaw. And it’s only the second time that CISA has issued an emergency directive. As reported in NextGov, CISA noted, “We do not issue emergency directives unless we have carefully and collaboratively assessed it to be necessary.”
You Have 10 Days
Why the urgency?
Yesterday’s NSA advisory indicates, “NSA assesses the vulnerability to be severe and that sophisticated cyber actors will understand the underlying flaw very quickly and, if exploited, would render the previously mentioned platforms as fundamentally vulnerable. The consequences of not patching the vulnerability are severe and widespread. Remote exploitation tools will likely be made quickly and widely available. Rapid adoption of the patch is the only known mitigation at this time and should be the primary focus for all network owners.”
The CISA directive outlines the vulnerabilities as follows:
“The vulnerability in ECC certificate validation affects Windows 10, Server 2016, and Server 2019. It bypasses the trust store, allowing unwanted or malicious software to masquerade as authentically signed by a trusted or trustworthy organization, which may deceive users or thwart malware detection methods like anti-virus. Additionally, a maliciously crafted certificate could be issued for a hostname that did not authorize it, and a browser that relies on Windows’ CryptoAPI would not issue a warning, allowing an attacker to decrypt, modify, or inject data on user connections without detection.
Vulnerabilities in the Windows Remote Desktop client (affecting all supported versions of Windows, including Server) and RDP Gateway Server (affecting Server 2012, 2016, 2019) allow for remote code execution, where arbitrary code could be run freely. The server vulnerabilities do not require authentication or user interaction and can be exploited by a specially crafted request. The client vulnerability can be exploited by convincing a user to connect to a malicious server.”
What is the possible impact of these critical vulnerabilities?
“Digital signature is one of the most important mechanisms Microsoft provides,” notes Pratik Salva, Venafi senior security engineer. “This process was created to prevent malicious payload distribution campaigns. Any compromise could spell significant trouble because attackers who are successful in spoofing code signing certificates can masquerade a malicious program as a legitimate Windows system binary.”
Pratik goes on to warn, “This weakness could be helpful in executing a variety of scenarios. For example, if an attacker is thinking of establishing a Remote Access Trojan (RAT) and a Command and Control (C2) channel on a targeted Windows machine, they look for ways to avoid detection of the payload to establish persistence. If attackers disguise a malicious executable binary so it looks like a Windows system binary, it can remain undetected by AV. This could allow attackers to blend in and install it, and they get the C2 channel re-established on reboot.”
The jury is still out on the true severity of this vulnerability. But anything that impacts machine identities, the foundation of trust on which the internet operates, should be treated with appropriate caution. To maintain the cryptographic strength of non-person entities, agencies need an automated solution that protects all of their TLS certificates when a cryptographic incident like this one occurs.
Indeed, yesterday’s NSA advisory indicates, “Properly configured and managed TLS inspection proxies independently validate TLS certificates from external entities and will reject invalid or untrusted certificates, protecting endpoints from certificates that attempt to exploit the vulnerabilities. Ensure that certificate validation is enabled for TLS proxies to limit exposure to this class of vulnerabilities and review logs for signs of exploitation.”
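The trust-store bypass in the CISA description above and the NSA's advice on independent validation, illustrated with an added example that is not from this post, CISA, NSA or Venafi: it contrasts a weak validator that vouches for a leaf certificate with whatever issuer certificate the peer supplied against one that accepts only signatures verifiable with a key held in the local trust store. It assumes the Python `cryptography` package; the CA names, hostname and keys are constructed test data, and the weak path is a simplified stand-in for this class of defect, not the exact Windows CryptoAPI flaw.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOT_BEFORE = datetime.datetime(2020, 1, 15)  # naive UTC, as the builder expects

def make_cert(subject_cn, issuer_cn, public_key, signing_key):
    """Minimal ECDSA/SHA-256 certificate; every cert here is constructed test data."""
    name = lambda cn: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    return (x509.CertificateBuilder()
            .subject_name(name(subject_cn)).issuer_name(name(issuer_cn))
            .public_key(public_key).serial_number(x509.random_serial_number())
            .not_valid_before(NOT_BEFORE)
            .not_valid_after(NOT_BEFORE + datetime.timedelta(days=30))
            .sign(signing_key, hashes.SHA256()))

def signed_by(cert, issuer_public_key):
    """True if issuer_public_key verifies the signature over cert's TBS bytes."""
    try:
        issuer_public_key.verify(cert.signature, cert.tbs_certificate_bytes,
                                 ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False

def naive_verify(leaf, chain_issuer):
    """Weak: vouches for the leaf with whatever issuer cert the peer sent (name match only)."""
    return leaf.issuer == chain_issuer.subject and signed_by(leaf, chain_issuer.public_key())

def trust_store_verify(leaf, trust_store):
    """Strong: only a key actually held in the local trust store may vouch for the leaf."""
    return any(leaf.issuer == root.subject and signed_by(leaf, root.public_key())
               for root in trust_store)

def demo():
    root_key = ec.generate_private_key(ec.SECP256R1())
    trusted_root = make_cert("Trusted Root CA", "Trusted Root CA", root_key.public_key(), root_key)
    leaf_key = ec.generate_private_key(ec.SECP256R1())
    legit_leaf = make_cert("update.example", "Trusted Root CA", leaf_key.public_key(), root_key)
    # Hypothetical rogue key wearing the trusted root's name; it is never in the trust store.
    rogue_key = ec.generate_private_key(ec.SECP256R1())
    rogue_issuer = make_cert("Trusted Root CA", "Trusted Root CA", rogue_key.public_key(), rogue_key)
    forged_leaf = make_cert("update.example", "Trusted Root CA", leaf_key.public_key(), rogue_key)
    return {"legit_naive": naive_verify(legit_leaf, trusted_root),
            "forged_naive": naive_verify(forged_leaf, rogue_issuer),  # accepted: the weakness
            "legit_strict": trust_store_verify(legit_leaf, [trusted_root]),
            "forged_strict": trust_store_verify(forged_leaf, [trusted_root])}  # rejected
```

A TLS inspection proxy or log-review job that follows the strict path is what the NSA guidance above asks for: a certificate whose issuer name merely matches a trusted root, but whose signature cannot be verified with that root's stored key, is treated as untrusted.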
Venafi helps federal agencies automate the TLS certificates throughout their security infrastructure, simplifying the process and providing assurance that properly configured and managed TLS certificates are available to critical systems.