CISA Emergency Directive: Mitigate Windows Vulnerabilities from January 2020 Patch Tuesday

January 15, 2020 | Lindsy Drake

CISA issues an Emergency Directive

Yesterday, the Cybersecurity and Infrastructure Security Agency (CISA) issued a rare emergency directive giving federal agencies 10 days to patch Windows 10 systems against a major cryptographic flaw that was discovered by the National Security Administration (NSA).

This is the first time that NSA has been credited by Microsoft for reporting a security flaw. And it’s only the second time that CISA has issued an emergency directive. As reported in NextGov, CISA noted, “We do not issue emergency directives unless we have carefully and collaboratively assessed it to be necessary.”

You Have 10 Days

Why the urgency?

Yesterday’s NSA advisory indicates, “NSA assesses the vulnerability to be severe and that sophisticated cyber actors will understand the underlying flaw very quickly and, if exploited, would render the previously mentioned platforms as fundamentally vulnerable. The consequences of not patching the vulnerability are severe and widespread. Remote exploitation tools will likely be made quickly and widely available. Rapid adoption of the patch is the only known mitigation at this time and should be the primary focus for all network owners.”

The Vulnerability Explained

The CISA directive outlines the vulnerabilities as follows:

“The vulnerability in ECC certificate validation affects Windows 10, Server 2016, and Server 2019. It bypasses the trust store, allowing unwanted or malicious software to masquerade as authentically signed by a trusted or trustworthy organization, which may deceive users or thwart malware detection methods like anti-virus. Additionally, a maliciously crafted certificate could be issued for a hostname that did not authorize it, and a browser that relies on Windows’ CryptoAPI would not issue a warning, allowing an attacker to decrypt, modify, or inject data on user connections without detection.

Vulnerabilities in the Windows Remote Desktop client (affecting all supported versions of Windows, including Server) and RDP Gateway Server (affecting Server 2012, 2016, 2019) allow for remote code execution, where arbitrary code could be run freely. The server vulnerabilities do not require authentication or user interaction and can be exploited by a specially crafted request. The client vulnerability can be exploited by convincing a user to connect to a malicious server.”

Examining the Impact

What is the possible impact of these critical vulnerabilities?

“Digital signature is one of the most important mechanisms Microsoft provides,” notes Pratik Salva, Venafi senior security engineer. “This process was created to prevent malicious payload distribution campaigns. Any compromise could spell significant trouble because attackers who are successful in spoofing code signing certificates can masquerade a malicious program as a legitimate Windows system binary.”

Pratik goes on to warn, “This weakness could be helpful in executing a variety of scenarios. For example, if an attacker is thinking of establishing a Remote Access Trojan (RAT) and a Command and Control (C2) channel on a targeted Windows machine, they look for ways to avoid detection of the payload to establish persistence. If attackers disguise a malicious executable binary so it looks like a Windows system binary, it can remain undetected by AV. This could allow attackers to blend in and install it, and they get the C2 channel re-established on reboot.”

“The jury is still out”

The jury is still out on the true severity of this vulnerability. But anything that impacts machine identities, which are the foundation of trust on which the internet operates, should be treated with appropriate caution. To maintain the cryptographic strength of non-person entities, it is important to have an automated solution that helps agencies protect all TLS certificates in case of cryptographic incidents.

Indeed, yesterday’s NSA advisory indicates, “Properly configured and managed TLS inspection proxies independently validate TLS certificates from external entities and will reject invalid or untrusted certificates, protecting endpoints from certificates that attempt to exploit the vulnerabilities. Ensure that certificate validation is enabled for TLS proxies to limit exposure to this class of vulnerabilities and review logs for signs of exploitation.”
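The NSA's advice quoted above (independent certificate validation plus log review), together with the directive's patch deadline, as a set of defender-side PowerShell checks. This is an added example, not code from this post, from CISA or from the NSA. It assumes a Windows host where the January 2020 update has been (or is being) installed; the pinned root fingerprint is a placeholder you replace with the SHA-256 of the roots you actually trust, and the event source used for log review only exists once the update is present.

```powershell
# Added example (not from the Venafi post, CISA or the NSA): three defender-side
# checks for the January 2020 Windows CryptoAPI fix. Placeholders are marked.

# 1. Patch adoption: does the host have any update installed on or after
#    Patch Tuesday (14 January 2020)? Get-HotFix reads the same data as the
#    "Installed Updates" control panel and accepts a remote -ComputerName.
function Test-PatchTuesdayApplied {
    param(
        [datetime]$PatchTuesday = [datetime]'2020-01-14',
        [string]$ComputerName = $env:COMPUTERNAME
    )
    # InstalledOn can be empty for some entries, so test it before comparing.
    $updates = Get-HotFix -ComputerName $ComputerName -ErrorAction Stop |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $PatchTuesday }
    [pscustomobject]@{
        ComputerName = $ComputerName
        Patched      = [bool]$updates
        HotFixIds    = @($updates | Select-Object -ExpandProperty HotFixID)
    }
}

# 2. Log review: after the update is installed, Windows records an Application
#    log event (provider Microsoft-Windows-Audit-CVE, Event ID 1) whenever
#    CryptoAPI rejects a certificate that tried to abuse the flaw. No events
#    means either no attempts were seen or the update is not installed yet.
function Get-CryptoApiAuditEvents {
    param([int]$MaxEvents = 50)
    Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-Audit-CVE'
        Id           = 1
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, MachineName, Message
}

# 3. Independent validation, the "TLS inspection proxy" idea applied on a host:
#    build the chain with .NET, then require that the chain's root is
#    byte-for-byte one of a small pinned set, identified by the SHA-256 of the
#    whole DER certificate rather than by its public key alone. A chain that
#    builds but ends in an unpinned root is reported as untrusted.
function Test-ChainAgainstPinnedRoots {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Leaf,
        [Parameter(Mandatory)][string[]]$PinnedRootSha256
    )
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $built = $chain.Build($Leaf)
    # The last chain element is the root the platform decided to trust.
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $sha  = [System.Security.Cryptography.SHA256]::Create()
    $fp   = ($sha.ComputeHash($root.RawData) | ForEach-Object { $_.ToString('X2') }) -join ''
    $pinned = $PinnedRootSha256 -contains $fp
    [pscustomobject]@{
        Subject     = $Leaf.Subject
        ChainBuilt  = $built
        RootSubject = $root.Subject
        RootSha256  = $fp
        RootPinned  = $pinned
        StatusInfo  = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        Trusted     = $built -and $pinned
    }
}

# Usage on the local host. The fingerprint below is a placeholder, not a real root.
Test-PatchTuesdayApplied
Get-CryptoApiAuditEvents
$leaf = Get-ChildItem Cert:\LocalMachine\My | Select-Object -First 1
if ($leaf) {
    Test-ChainAgainstPinnedRoots -Leaf $leaf -PinnedRootSha256 @('<PINNED-ROOT-SHA256-PLACEHOLDER>')
}
```

The third check is the one that matters for the certificate flaw described in the directive: it does not replace platform validation, it adds a second opinion that compares the full encoded root against roots you have pinned, so a certificate that the platform accepts but whose root is not byte-for-byte one you know is surfaced for review. Run the first two across a fleet (for example via `Invoke-Command`) to track patch adoption against the 10-day deadline and to collect any exploitation-attempt events centrally.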

Venafi helps federal agencies automate the TLS certificates throughout their security infrastructure, simplifying the process and providing assurance that properly configured and managed TLS certificates are available to critical systems.

About the author

Lindsy Drake

Lindsy Drake writes for Venafi's blog and is an expert in machine identity protection.