insights

A Patchy Start to 2020

February 4, 2020

One month into 2020 and we’ve already had a wave of critical patches from the usual big software vendors. It started with lots of hype over Microsoft patching a flaw in Windows cryptography. I assumed, when hearing that it was a bug in certificate processing, that it’d be some issue with parsing certificates, as ASN.1 has had more than its fair share of vulnerabilities over the years, thanks to it being disgustingly complex.

But actually this was a logic bug related to how the library processes parameters when specifying a custom Elliptic Curve Cryptography (ECC) algorithm, something that very few legitimate certificates would ever do as most people use one of a number of default curves.

The consequences of the bug are that it’s possible to craft a certificate for a TLS website or for a signed piece of software, and have it verified by Windows as valid. That’s a pretty wide-ranging and serious bug that could wreak havoc if used by someone with privileged network access, which explains why the NSA disclosed it. It didn’t take long for Proofs-of-Concepts to appear, including the obligatory Rickroll.

This vulnerability underlines the value of certificate pinning; that is not only verifying the certificate signature chain, but also that the certificate is the one that is expected. Certificate pinning is routine in mobile applications, where it’s easy to hard-code into a single app, but is trickier to implement on a desktop platform, particularly to cover both websites and software.

Whilst it didn’t generate as much speculation, much more seriously, Microsoft also fixed three more Remote Code Execution (RCE) RDP bugs, which are still a hot topic following last year’s Bluekeep. And a few RCE vulnerabilities in Office too, just for variety. And an RCE in Internet Explorer, for old times’ sake.

On the hardware front, an unauthenticated RCE in Citrix VPN gateways is bad enough that some official advice (from a Dutch government body) has been to turn them off until the proper patch was released towards the end of January. Add to that advisories from Intel, Adobe and VMWare, and there’s plenty to be keeping sysadmins busy for the rest of the month.

TheRegister has a great summary of all the patches, here.

For our latest research, and for links and comments on other research, follow our Lab on Twitter.

Scott Lester
Cyber Lab Manager