CVE-2020-0601 Curveball Vulnerability Guidance

Immediate Action Required 1/22/2020

Microsoft has released a security update to fix "a broad cryptographic vulnerability" impacting the Windows operating system.

The bug was discovered and reported by the US National Security Agency (NSA).

THE CVE-2020-0601 BUG

The vulnerability, tracked as CVE-2020-0601 and also known as "Curveball", impacts the Windows CryptoAPI, a core component of the Windows operating system that handles cryptographic operations. According to a Microsoft security advisory, a spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates.

Microsoft says that an attacker could exploit this bug to sign a malicious executable, making it appear the file was from a trusted, legitimate source. But besides faking file signatures, the bug could also be used to fake digital certificates used for encrypted communications. A successful exploit could also allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software.

According to Microsoft, this vulnerability impacts Windows 10, Windows Server 2019, and Windows Server 2016 OS versions.

HmC Guidance

Per DoD guidance, all Windows 10 (including AF Standard Desktop), Windows Server 2019, and Windows Server 2016 systems must be patched using the security updates downloadable here: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601.

All HmC teams are responsible for patching their own deployed systems, and as Team Manager or designated POC, you will be responsible for disseminating this information as you see fit to your own teams, HmC Project Owners, etc. for action. As always, the best option is to redeploy your system(s), which will pull in additional updates at the OS and application level, depending on your design. When it is not possible to redeploy, running Windows Updates on the running system will usually install the necessary remediation. Alternately, downloading the patch from the link above might be a faster option.

These patches are considered critical, and we require all HmC Teams to self-report successful patching of their relevant systems within 5 business days of receiving this notice. Please send the patch confirmation email to support@cons3rt.com.

If a Team is found to be in non-compliance of this policy, or if we receive no response via email to support@cons3rt.com within 5 Business Days, due to the severity of this vulnerability, we will begin disabling external network access for cloudspaces with unpatched systems.

There should also be an email in the inbox of all HmC Team Managers and Team POCs as of 1/22/2020.

Note: To determine the installed hotfixes, open a PowerShell prompt and run the following command:

winver.exe

Note: If you encounter an error installing the updates, open a PowerShell prompt and run the following command:

& cmd /c "sc config TrustedInstaller start= demand"

UPDATE 1/28/2020 for Windows 10 Users with GPU-enabled Runs

For users with unpatched Windows 10 runs with GPU enabled, please read the below before patching or redeploying:

There is currently an issue with RDP (Remote Desktop) on GPU-enabled Windows 10 instances failing after the Windows Update. Starting with Windows feature update 1903, there is a known bug where, if you have a GPU, RDP sessions will fail to connect or connect with a black screen. A fix was pushed back in August, but it does not appear to have resolved the issue, since the bug still pops up in the latest feature update, 1909. The fix is to disable the newer Windows WDDM driver and revert to the older XDDM driver through the registry or Group Policy.

To make this change, we can either run this PowerShell command (as administrator):

& REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v "fEnableWddmDriver" /t REG_DWORD /d 0 /f

Or navigate to Group Policy and make the change via the GUI under Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Remote Session Environment > Configure compression for RemoteFX data.
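The following PowerShell script is an added example, not part of the HmC notice: it collects the details the self-report email asks for (the edition and build that winver.exe displays, plus the installed security updates from Get-HotFix) and applies the same registry change as the REG ADD command above, reading the value back to confirm it took. It assumes a PowerShell 5.1 or later prompt run as administrator on the Windows 10 or Windows Server host; the function names are hypothetical.

```powershell
# Added example (not part of the HmC notice). Run from an elevated PowerShell prompt.

function Get-PatchReport {
    # Same information winver.exe shows (edition, version, build), plus the
    # installed security updates, so it can be pasted into the confirmation email.
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $ver = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [PSCustomObject]@{
        ComputerName    = $env:COMPUTERNAME
        Edition         = $os.Caption
        ReleaseId       = $ver.ReleaseId                 # feature update, e.g. 1903 / 1909
        Build           = "$($os.Version).$($ver.UBR)"   # full build incl. revision
        SecurityUpdates = Get-HotFix |
            Where-Object Description -eq 'Security Update' |
            Sort-Object InstalledOn -Descending |
            Select-Object HotFixID, InstalledOn
    }
}

function Set-RdpXddmDriver {
    # Equivalent of the REG ADD command above: create the policy key if it is
    # missing, force fEnableWddmDriver to 0 (revert to the older XDDM driver),
    # then read the value back so the change is verified rather than assumed.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    if (-not (Test-Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    New-ItemProperty -Path $key -Name 'fEnableWddmDriver' -PropertyType DWord -Value 0 -Force | Out-Null
    $value = (Get-ItemProperty -Path $key -Name 'fEnableWddmDriver').fEnableWddmDriver
    if ($value -ne 0) {
        throw "fEnableWddmDriver is $value, expected 0"
    }
    return $value
}

# Usage: report first, then apply the GPU/RDP workaround before the reboot.
Get-PatchReport | Format-List
Set-RdpXddmDriver
```

The registry change takes effect for new RDP sessions after a reboot, the same as when it is made through REG ADD or Group Policy.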

Please reach out to support@cons3rt.com if you have questions about these required actions.