Security Advisory

CVE-2020-0601: Windows CryptoAPI Spoofing Vulnerability

Severity

High

Vendor

Microsoft Corporation

Description

A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source, aka ‘Windows CryptoAPI Spoofing Vulnerability’.

Affected Cloud Foundry Products and Versions

  • Windows Stemcells
    • All versions prior to 2019.15
  • Windows1803fs Release
    • All versions of Windows1803fs Release prior to v3.3.0
  • Windows2019fs Release
    • All versions of Windows2019fs Release prior to v2.4.0
  • CF Deployment
    • All versions of CF Deployment prior to v12.27.0

Mitigation

Users of affected products are strongly encouraged to follow the mitigations below. The Cloud Foundry project recommends upgrading the following releases:

  • Windows Stemcells
    • Upgrade all Windows Stemcells versions to 2019.15 or greater
  • Windows1803fs Release
    • Upgrade all Windows1803fs Release versions to v3.3.0 or greater
  • Windows2019fs Release
    • Upgrade all Windows2019fs Release versions to v2.4.0 or greater
  • CF Deployment
    • Upgrade all CF Deployment versions to v12.27.0 or greater
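The four fixed versions above are the only facts an operator needs to audit a foundation against this advisory, but comparing strings such as "v3.2.1" and "2019.15" by hand across many deployments is error-prone. The following is an added example (not Cloud Foundry project code or part of the advisory) that compares an inventory of deployed Windows stemcells and releases against the fixed versions stated above and reports what still needs upgrading. The component labels, the `parse_version`/`audit` helpers and the sample inventory are constructed for illustration; in practice the inventory would be filled from `bosh stemcells` and `bosh releases` output.

```python
"""Flag Cloud Foundry Windows components still below the versions fixed for
CVE-2020-0601. Added example, not code from the advisory or the project.
Fixed versions are taken from the advisory text; everything else is assumed."""
import re

# Fixed versions as stated in the advisory, keyed by hypothetical component labels.
FIXED_VERSIONS = {
    "windows-stemcell": "2019.15",
    "windows1803fs": "3.3.0",
    "windows2019fs": "2.4.0",
    "cf-deployment": "12.27.0",
}


def parse_version(text):
    """Turn '2019.15', 'v3.3.0' or '2.4.0*' into a tuple of ints.

    Strips the leading 'v' used in release tags and the trailing '*' that
    BOSH uses to mark the currently deployed version. Only dotted numeric
    versions are accepted (an assumption; these products use that form).
    """
    cleaned = text.strip().lstrip("vV").rstrip("*")
    if not re.fullmatch(r"\d+(\.\d+)*", cleaned):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in cleaned.split("."))


def _less_than(a, b):
    """Compare version tuples after padding with zeros so that 2.4 == 2.4.0."""
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def is_vulnerable(component, version):
    """True if `version` of `component` is older than the advisory's fixed version."""
    fixed = FIXED_VERSIONS[component]
    return _less_than(parse_version(version), parse_version(fixed))


def audit(inventory):
    """Return (component, deployed, required) for every entry that still needs
    upgrading. Components not covered by the advisory are skipped."""
    findings = []
    for component, version in inventory:
        if component not in FIXED_VERSIONS:
            continue
        if is_vulnerable(component, version):
            findings.append((component, version, FIXED_VERSIONS[component]))
    return findings


# Constructed sample inventory, in the shape an operator would build from
# `bosh stemcells` / `bosh releases` output; not data from a real deployment.
SAMPLE_INVENTORY = [
    ("windows-stemcell", "2019.12"),
    ("windows-stemcell", "2019.15"),
    ("windows1803fs", "v3.2.1"),
    ("windows2019fs", "v2.4.0*"),
    ("cf-deployment", "v12.26.0"),
    ("garden-runc", "1.19.0"),  # Linux component, not in scope for this advisory
]

if __name__ == "__main__":
    for component, deployed, required in audit(SAMPLE_INVENTORY):
        print(f"{component}: deployed {deployed}, upgrade to {required} or greater")
```

The zero-padding in `_less_than` matters: a plain tuple comparison would report "2.4" as older than "2.4.0", producing a false positive for a release that is actually at the fixed version.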

History

2020-01-22: Initial vulnerability report published.

Cloud Foundry Foundation Security Team, AUTHOR