CVE-2020-0601
📋 TL;DR
This vulnerability allows attackers to spoof ECC certificates in Windows CryptoAPI, enabling them to sign malicious executables with trusted certificates. This affects Windows 10, Windows Server 2016/2019, and Windows Server 2012 when using ECC certificates. Attackers can make malware appear legitimate to bypass security checks.
💻 Affected Systems
- Windows 10
- Windows Server 2016
- Windows Server 2019
- Windows Server 2012
📦 What is this software?
Go by Golang
Windows 10 1507 by Microsoft
Windows 10 1607 by Microsoft
Windows 10 1709 by Microsoft
Windows 10 1803 by Microsoft
Windows 10 1809 by Microsoft
Windows 10 1903 by Microsoft
Windows 10 1909 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Nation-state actors or sophisticated attackers deploy malware signed with trusted certificates, bypassing all code signing protections and compromising critical infrastructure.
Likely Case
Targeted attacks against organizations using ECC certificates for code signing, allowing malware to bypass antivirus and security controls.
If Mitigated
Limited impact with proper patch management and certificate validation controls in place.
🎯 Exploit Status
Proof-of-concept code is publicly available. Exploitation requires certificate spoofing and code signing capabilities.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: January 2020 security updates (KB4528760, KB4534273, etc.)
Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601
Restart Required: Yes
Instructions:
1. Apply January 2020 Windows security updates.
2. Restart affected systems.
3. Verify patch installation via Windows Update history.
🔧 Temporary Workarounds
Disable ECC certificate validation
Windows: Temporarily disable ECC certificate validation until patches can be applied.
Not recommended as it breaks ECC functionality
🧯 If You Can't Patch
- Implement strict code signing policies and certificate validation
- Monitor for unusual certificate usage and code signing activities
🔍 How to Verify
Check if Vulnerable:
Check Windows version and patch level. Systems without January 2020 security updates are vulnerable.
Check Version:
wmic os get caption,version,buildnumber
Verify Fix Applied:
Verify KB4528760 or KB4534273 is installed via 'wmic qfe list' or Windows Update history.
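The check above, scripted for a fleet rather than typed by hand. This is an added example and not part of the advisory: it looks for the two KB numbers the advisory names via Get-HotFix, and, because a later cumulative update supersedes those KBs without leaving them in the hotfix list, it also reports the full OS build (including the UBR revision from the registry) so the host can be compared against the advisory instead of being declared vulnerable on a missing KB alone.

```powershell
# Added example (not from the advisory): confirm the January 2020 CryptoAPI
# fix is present, with a fallback to the OS build for hosts where a later
# cumulative update has superseded KB4528760 / KB4534273.
$kbs = @('KB4528760', 'KB4534273')   # KB numbers as listed in the advisory

$installed = Get-HotFix | Where-Object { $_.HotFixID -in $kbs }
$os = Get-CimInstance -ClassName Win32_OperatingSystem

if ($installed) {
    "Fix present: $($installed.HotFixID -join ', ') installed on $($installed[0].InstalledOn)"
} else {
    # Get-HotFix only lists the update that is actually installed, so a
    # superseding cumulative update hides these KBs. Report the full build
    # (major build plus UBR revision) for comparison with the advisory.
    $ubr = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').UBR
    "Neither $($kbs -join ' nor ') found; $($os.Caption) build $($os.BuildNumber).$ubr - compare with the advisory before treating this host as patched"
}
```

Run it under an account that can read the hotfix inventory; on an unpatched host the second branch fires and the build number is what to record, since the advisory's fixed builds are the authoritative reference.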
📡 Detection & Monitoring
Log Indicators:
- Unusual certificate validation failures
- Code signing events from unexpected sources
Network Indicators:
- Traffic from systems with spoofed certificates
SIEM Query:
EventID=4104 (Windows Defender) with certificate validation warnings OR suspicious code signing events
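A concrete query to go with the SIEM indicator above. This is an added example, not from the advisory: once the January 2020 update is installed, CryptoAPI logs an Application-log event from source Microsoft-Windows-Audit-CVE (Event ID 1) whose message contains "[CVE-2020-0601] cert validation" each time it rejects a certificate with non-standard curve parameters, so the script below pulls those events for the last seven days. Note the caveat that only patched hosts emit this event; an unpatched host accepts the spoofed certificate silently, which is why the patch check and this query belong together.

```powershell
# Added example (not from the advisory): collect the rejection events that the
# patched CryptoAPI writes for CVE-2020-0601 so they can be forwarded to the SIEM.
$filter = @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-Audit-CVE'
    Id           = 1
    StartTime    = (Get-Date).AddDays(-7)
}

# Get-WinEvent raises "No events were found" as an error on an empty result;
# suppress it so a clean host yields an empty list rather than a failure.
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'CVE-2020-0601' }

if (-not $events) {
    'No CVE-2020-0601 certificate rejections logged in the last 7 days (only patched hosts emit this event)'
} else {
    # Each hit is a certificate that failed the hardened validation; report
    # time and host so the SIEM can correlate with process and file activity.
    $events | Select-Object TimeCreated, MachineName, Message |
        Format-Table -AutoSize -Wrap
}
```

Schedule this alongside the patch check, or point the SIEM's Windows event collector at the same provider and event ID, so that every rejected spoofed certificate is surfaced instead of being lost in the Application log.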
🔗 References
- http://packetstormsecurity.com/files/155960/CurveBall-Microsoft-Windows-CryptoAPI-Spoofing-Proof-Of-Concept.html
- http://packetstormsecurity.com/files/155961/CurveBall-Microsoft-Windows-CryptoAPI-Spoofing-Proof-Of-Concept.html
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-0601