@SwitHak
Last active November 11, 2025 11:22
BlueTeam CheatSheet * CVE-2020-0601 * crypt32.dll | Last updated: 2020-01-21 1817 UTC

CVE-2020-0601

General

  • Microsoft disclosed a vulnerability in its routine Patch Tuesday release, referenced as CVE-2020-0601.
  • The vulnerability was discovered and reported by the U.S. National Security Agency, which announced it in a press conference followed by a blog post and an official security advisory.
  • The flaw is located in "CRYPT32.DLL", the Windows CryptoAPI library; Microsoft describes it as a spoofing vulnerability in the way CryptoAPI validates Elliptic Curve Cryptography (ECC) certificates.

Vulnerability explanation

  • NSA description:

  • NSA has discovered a critical vulnerability (CVE-2020-0601) affecting Microsoft Windows® cryptographic functionality.

  • The certificate validation vulnerability allows an attacker to undermine how Windows verifies cryptographic trust and can enable remote code execution.

  • The vulnerability affects Windows 10 and Windows Server 2016/2019 as well as applications that rely on Windows for trust functionality. Exploitation of the vulnerability allows attackers to defeat trusted network connections and deliver executable code while appearing as legitimately trusted entities.

  • Examples where validation of trust may be impacted include:

    • HTTPS connections
    • Signed files and emails
    • Signed executable code launched as user-mode processes
  • The vulnerability places Windows endpoints at risk to a broad range of exploitation vectors.

  • NSA assesses the vulnerability to be severe and that sophisticated cyber actors will understand the underlying flaw very quickly and, if exploited, would render the previously mentioned platforms as fundamentally vulnerable.

  • The consequences of not patching the vulnerability are severe and widespread. Remote exploitation tools will likely be made quickly and widely available.

  • Rapid adoption of the patch is the only known mitigation at this time and should be the primary focus for all network owners.

  • Author's note: still assessing the situation

REFERENCES

How to detect it

Vendor detections

Microsoft

Inside Windows logs

  • Matt Graeber gave us a one-liner to quickly check the Application log for any evidence of an event linked to CVE-2020-0601 (provider Microsoft-Windows-Audit-CVE, Event IDs 1 and 2). -ErrorAction SilentlyContinue keeps Get-WinEvent quiet on a host that has logged nothing:
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 1,2; ProviderName = 'Microsoft-Windows-Audit-CVE' } -ErrorAction SilentlyContinue | Select-Object -Property * -ExcludeProperty MachineName, UserId
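The one-liner above returns raw event objects. As an added example (not part of the original cheat sheet), the PowerShell function below wraps the same Get-WinEvent query so it can be pointed at the live Application log, at a remote host, or at an exported .evtx, and parses each message into the CA name and SHA-1 thumbprint that the patched crypt32.dll records. The message layout it parses ("CA: <name> sha1: <thumbprint>") is an assumption about the Audit-CVE event text, not something the page states; events that do not match are still returned with those two fields left empty.

```powershell
# Added example for the CVE-2020-0601 cheat sheet; not code from the original gist.
# Collects Microsoft-Windows-Audit-CVE events for CVE-2020-0601 and summarises
# them per offending CA / thumbprint so a SOC can triage quickly.
# ASSUMPTION (not stated on the page): the event message looks like
#   "Possible detection of CVE: [CVE-2020-0601] cert validation
#    Additional Information: CA: <issuer name> sha1: <thumbprint>"
# Messages that do not match are still reported, with CA and Sha1 empty.
function Get-CurveBallAuditEvents {
    [CmdletBinding()]
    param(
        # Path to an exported .evtx; when omitted the live Application log is read.
        [string]$Path,
        # Remote host to query; ignored when -Path is used (Get-WinEvent forbids both).
        [string]$ComputerName,
        # Only return events newer than this point in time.
        [datetime]$StartTime = (Get-Date).AddDays(-30)
    )

    $filter = @{
        ProviderName = 'Microsoft-Windows-Audit-CVE'
        Id           = 1, 2          # EID 1-2, as the cheat sheet notes
        StartTime    = $StartTime
    }
    if ($Path) { $filter['Path'] = $Path } else { $filter['LogName'] = 'Application' }

    $params = @{ FilterHashtable = $filter; ErrorAction = 'SilentlyContinue' }
    if ($ComputerName -and -not $Path) { $params['ComputerName'] = $ComputerName }

    # Get-WinEvent emits a non-terminating error when nothing matches;
    # SilentlyContinue turns "no events" into an empty result instead of red text.
    Get-WinEvent @params |
        # The Audit-CVE provider is shared by other CVE detections; keep only this one.
        Where-Object { $_.Message -match 'CVE-2020-0601' } |
        ForEach-Object {
            $ca   = if ($_.Message -match 'CA:\s*(.+?)\s+sha1:')        { $Matches[1] } else { '' }
            $sha1 = if ($_.Message -match 'sha1:\s*([0-9A-Fa-f]{40})') { $Matches[1] } else { '' }
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Computer    = $_.MachineName
                EventId     = $_.Id
                CA          = $ca
                Sha1        = $sha1
                Message     = $_.Message
            }
        }
}

# Usage: live log on this host, then a count per (CA, thumbprint) pair.
$events = Get-CurveBallAuditEvents
$events | Group-Object CA, Sha1 | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

To sweep an estate, call it in a loop over hostnames with -ComputerName, or run it against .evtx files pulled by your forwarder with -Path; the output objects are plain and can be piped to Export-Csv for a ticket.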

Crowdstrike

Symantec

McAfee

  • [TBD]

Sophos

  • [TBD]

ESET

  • [TBD]

Kaspersky

  • [TBD]

DETECT

Detect the version of the current "crypt32.dll"

Check the file signatures and dates

  • E.g. on Windows 10, the new DLL is signed with the following timestamp: "Friday 3 January 2020 06:14:45"
  • E.g. on Windows 10, the new DLL's signer certificate has the following serial number: "330000023241fb59996dcc4dff000000000232"
  • PowerShell and SCCM are your friends for gaining visibility across your network
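To turn the indicators above into a repeatable host check, here is an added example (not from the original gist) in PowerShell. It hard-codes nothing about your build except what you pass in: -MinimumVersion is the crypt32.dll version taken from the "file information" CSV attached to the relevant KB article, and the default -ExpectedSignerSerial is the Windows 10 serial quoted above, reported for comparison only. Two caveats a practitioner should keep in mind, both handled by the script: on 64-bit Windows there is a second, 32-bit copy in SysWOW64 that 32-bit processes load, and the version Explorer shows is the binary FileVersionRaw rather than the FileVersion string, so both are reported. It also reports the version of the copy already mapped into the running process, which stays at the old version until the machine has rebooted. The signing timestamp listed above is only visible in Explorer's Digital Signatures tab; this script does not extract it.

```powershell
# Added example for the CVE-2020-0601 cheat sheet; not code from the original gist.
# Reports, for every crypt32.dll copy on disk, the fields worth comparing with the
# patched build, plus the version of the copy already mapped into this process.
function Test-Crypt32Patch {
    [CmdletBinding()]
    param(
        # Lowest FileVersionRaw that counts as patched for THIS OS build. Take it
        # from the "file information" CSV of the KB article; it differs per build.
        [Parameter(Mandatory)]
        [version]$MinimumVersion,

        # Serial of the signer certificate the cheat sheet quotes for the patched
        # Windows 10 DLL. Reported for comparison only; other builds may differ.
        [string]$ExpectedSignerSerial = '330000023241fb59996dcc4dff000000000232'
    )

    # On 64-bit Windows there are two copies: System32 (64-bit) and SysWOW64
    # (32-bit, loaded by 32-bit processes). Both must carry the fixed version.
    $candidates = @(
        Join-Path $env:SystemRoot 'System32\crypt32.dll'
        Join-Path $env:SystemRoot 'SysWOW64\crypt32.dll'
    ) | Where-Object { Test-Path -LiteralPath $_ }

    foreach ($path in $candidates) {
        $item = Get-Item -LiteralPath $path
        $sig  = Get-AuthenticodeSignature -FilePath $path

        # FileVersionRaw is assembled from the numeric VS_FIXEDFILEINFO fields that
        # servicing updates (and that Explorer displays); the FileVersion *string*
        # can lag behind, which is the mismatch discussed in the comments below.
        $raw    = $item.VersionInfo.FileVersionRaw
        $serial = if ($sig.SignerCertificate) { $sig.SignerCertificate.SerialNumber } else { '' }

        [pscustomobject]@{
            Path             = $path
            FileVersionRaw   = $raw.ToString()
            FileVersionStr   = $item.VersionInfo.FileVersion
            Patched          = ($raw -ge $MinimumVersion)
            SignatureStatus  = $sig.Status
            SignerSerial     = $serial
            SerialMatches    = ($serial -ieq $ExpectedSignerSerial)
            Sha256           = (Get-FileHash -Algorithm SHA256 -LiteralPath $path).Hash
            LastWriteTimeUtc = $item.LastWriteTimeUtc
        }
    }
}

# The copy mapped into the running process is what actually validates certificates;
# it only changes once the machine has rebooted after the update.
function Get-LoadedCrypt32Version {
    (Get-Process -Id $PID).Modules |
        Where-Object { $_.ModuleName -ieq 'crypt32.dll' } |
        ForEach-Object { $_.FileVersionInfo.FileVersionRaw.ToString() }
}

# Usage. The version below is a PLACEHOLDER, not a real fixed version: replace it
# with the crypt32.dll version from the KB's file information CSV for your build.
$minimum = [version]'10.0.0.0'
Test-Crypt32Patch -MinimumVersion $minimum | Format-List
"Loaded in this process: $(Get-LoadedCrypt32Version)"
```

Run it through your remoting or SCCM script deployment of choice and collect the objects centrally; a host where Patched is $true on disk but Get-LoadedCrypt32Version still reports the old version simply has not rebooted yet.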
@Jm56Z
Jm56Z commented Jan 15, 2020

Is it possible to update only that DLL? (I don't really want to update my entire system for 1 faulty file.)

If yes, on what versions of Windows does it work? (I have 1903 on an x86 system, I can check this one for you.)

@Qix-
Qix- commented Jan 16, 2020

@Jm56Z In theory. But it's also best to apply the official hotfixes. Windows Update usually allows you to select the individual updates you'd like to install.

@SwitHak
SwitHak commented Jan 16, 2020

> Is it possible to update only that DLL? (I don't really want to update my entire system for 1 faulty file.)
>
> If yes, on what versions of Windows does it work? (I have 1903 on an x86 system, I can check this one for you.)

Hi,
I advise you to update through Windows Update. I didn't try to just replace the file so I can't tell you.

> @Jm56Z In theory. But it's also best to apply the official hotfixes. Windows Update usually allows you to select the individual updates you'd like to install.

Hi, through the Microsoft Update Catalog, select the following KB: "KB4534273".

@opexxx
opexxx commented Jan 16, 2020

@bdeb1337
@SwitHak
https://gist.github.com/kitkaat/b74134bc27686884c777bd219f4df4a8/revisions

Can you check the revisions I made and consider adding them to your gist?
It includes a small variant for checking the crypt32.dll version number (where the last digit didn't show up for me with the current command), and the file hashes and signing date for the Server 2016 1607 versions of the file.

Kind regards,

kitkaat

@bdeb1337
> Is it possible to update only that DLL? (I don't really want to update my entire system for 1 faulty file.)
> If yes, on what versions of Windows does it work? (I have 1903 on an x86 system, I can check this one for you.)

> Hi,
> I advise you to update through Windows Update. I didn't try to just replace the file so I can't tell you.

> @Jm56Z In theory. But it's also best to apply the official hotfixes. Windows Update usually allows you to select the individual updates you'd like to install.

> Hi, through the Microsoft Update Catalog, select the following KB: "KB4534273".

I would also advise against manually updating crypt32.dll, as it is most likely not the only DLL that changed in the update. If you visit https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-0601 and click on a corresponding KB article link, you can find a link at the bottom of that page to a "file information" CSV download for that specific KB, which lists all the version changes to files and contains many more libraries and files than just crypt32.dll.

@Qix-
Qix- commented Jan 16, 2020

Yes, apologies; my "in theory" was not meant as a recommendation. Please don't do manual security updates; you're asking for problems. Use official means of patching/updating, as others have mentioned.

@malwareforme
Emerging Threats has network coverage in:

  • 2840457 - ETPRO EXPLOIT Possible Spoofed ECDSA Certificate Inbound (CVE-2020-0601) M1 (exploit.rules)
  • 2840458 - ETPRO EXPLOIT Possible Spoofed ECDSA Certificate Inbound (CVE-2020-0601) M2 (exploit.rules)

@SwitHak
SwitHak commented Jan 16, 2020

> Emerging Threats has network coverage in:
>
>   • 2840457 - ETPRO EXPLOIT Possible Spoofed ECDSA Certificate Inbound (CVE-2020-0601) M1 (exploit.rules)
>   • 2840458 - ETPRO EXPLOIT Possible Spoofed ECDSA Certificate Inbound (CVE-2020-0601) M2 (exploit.rules)

Hi,
Thanks for the information, updated 👍

> @SwitHak
> https://gist.github.com/kitkaat/b74134bc27686884c777bd219f4df4a8/revisions
>
> Can you check the revisions I made and consider adding them to your gist?
> It includes a small variant for checking the crypt32.dll version number (where the last digit didn't show up for me with the current command), and the file hashes and signing date for the Server 2016 1607 versions of the file.
>
> Kind regards,
>
> kitkaat

Hi,
Can you share a screenshot of the difference between the 2 commands?
And the same for the timestamp date of crypt32.dll for the Server 2016 1607 version?
Thanks in advance.

@zined
zined commented Jan 16, 2020

Should I be worried if PowerShell and Explorer give me two different versions?

[screenshot: crypt32-dll-powershell-vs-rightclick]

@bdeb1337
> Should I be worried if PowerShell and Explorer give me two different versions?
>
> [screenshot: crypt32-dll-powershell-vs-rightclick]

You probably still have the old version loaded in memory, I guess? Did you reboot your computer after installing the update to allow the OS to load the new dll?

@zined
zined commented Jan 16, 2020

> You probably still have the old version loaded in memory, I guess? Did you reboot your computer after installing the update to allow the OS to load the new DLL?

Yup, just rebooted again. It keeps showing different versions.

@bdeb1337
@SwitHak

Sure, here you go:

[screenshot]
[screenshot]

Kind regards.

@bdeb1337
bdeb1337 commented Jan 16, 2020

@zined

> Yup, just rebooted again. It keeps showing different versions.

What version does
[System.Diagnostics.FileVersionInfo]::GetVersionInfo("C:\Windows\System32\crypt32.dll").FileVersionRaw.ToString()
give you?

@zined
zined commented Jan 16, 2020

> What version does
> [System.Diagnostics.FileVersionInfo]::GetVersionInfo("C:\Windows\System32\crypt32.dll").FileVersionRaw.ToString()
> give you?

Just read your comment above, here you go:

[screenshot: fileversion-vs-fileversionrawtostring]

@bdeb1337
@zined

Thank you kindly for testing it out. That shows the same behaviour I saw on Server 2016 1607. I think the most reliable variable to check the current crypt32.dll version is FileVersionRaw instead of FileVersion, as we both experienced that FileVersion can differ from what the GUI displays.
What OS version are you running?

@zined
zined commented Jan 16, 2020

> Thank you kindly for testing it out.

Don't thank me, I'm learning some PowerShell on the go ;-) <3

> What OS version are you running?

[screenshot: os-version]

@Qix-
Qix- commented Jan 17, 2020

I would actually guess you have two different versions of crypt32.dll installed and they're reading different versions. It's not unheard of for Windows to copy DLLs all over the place for convenience/un-optimized build/packaging processes.

Would be interested to look at the file handles of each process pulling the versions to see which exact canonical file paths are being loaded into memory when performing the version retrieval, as this might indicate another potential vector if the hotfixes aren't updating all copies of crypt32.dll.

Then again, I'm not a windows expert and I'm not doing any research on this particular vuln, so I might be talking out of my ass. However, the mismatch of versions is very troublesome, especially since it has been reproduced by another individual (for a total of at least 2).

@XtinaSchelin
Rapid7 also has an entry in its vuln db: https://www.rapid7.com/db/vulnerabilities/msft-cve-2020-0601

@matlink
matlink commented Jan 17, 2020

Why the hell is it possible for a server to send a root certificate, which is normally available client-side?

@bdeb1337
> Would be interested to look at the file handles of each process pulling the versions to see which exact canonical file paths are being loaded into memory when performing the version retrieval, as this might indicate another potential vector if the hotfixes aren't updating all copies of crypt32.dll.
>
> Then again, I'm not a windows expert and I'm not doing any research on this particular vuln, so I might be talking out of my ass. However, the mismatch of versions is very troublesome, especially since it has been reproduced by another individual (for a total of at least 2).

I tried to trace it with procmon.exe (Sysinternals) and it looks to me like the commands pull the same file from the same path. So I believe FileVersion is not a reliable parameter to base a test on, but FileVersionRaw.ToString() is.

ProcMon trace with the .FileVersion command:

[screenshot]

ProcMon trace with the .FileVersionRaw.ToString() command:

[screenshot]

@Jm56Z
Jm56Z commented Jan 17, 2020

So, I finally got Windows to download and install only the fix for this exploit (it really wanted to download some other updates I don't want; I prefer to check if they're stable before installing them).
The update size is 84 GB.
Thanks @kitkaat!

@flizzer
flizzer commented Jan 18, 2020

Many thanks @SwitHak and @kitkaat! This Gist helped me greatly with patching today.

@SwitHak
SwitHak commented Jan 21, 2020

> @SwitHak
>
> Sure, here you go:
>
> [screenshot]
> [screenshot]
>
> Kind regards.

Hi,
Sorry for the delay.
I finally chose your command, although I wasn't able to reproduce your output.
Regards,
SwitHak.

@Zs7Varga
To determine the number of devices that received and installed the patch, and how many are still required to do so (only if you already deployed the patch from SCCM), you can use the following SQL or create a report in SSRS.
use cm_j01
/*
SELECT * FROM CM_J01.INFORMATION_SCHEMA.TABLES
WHERE TABLE_TYPE = 'VIEW' and TABLE_NAME like '%quick%'
select * from v_gs_quick_fix_engineering where HotFixID0 in ('KB4528760',
'KB4534271',
'KB4534273',
'KB4534276',
'KB4534293',
'KB4534306',
'KB4528760')
*/

--
Select [Update],Sum([Installed]) 'Installed' ,sum([Not Installed]) 'Not Installed' from (
Select [update] , count([computer]) 'Installed',0 'Not Installed' from
(
SELECT DISTINCT
SYS.Name0 'Computer',
SYS.Operating_System_Name_and0 'OS',
UIN.Title 'Update',
CASE
WHEN UIN.Title LIKE '%KB4528760%' and (UCS.status=1 or UCS.status=3) THEN 'Yes'
WHEN UIN.Title LIKE '%KB4534271%' and (UCS.status=1 or UCS.status=3) THEN 'Yes'
WHEN UIN.Title LIKE '%KB4534273%' and (UCS.status=1 or UCS.status=3) THEN 'Yes'
WHEN UIN.Title LIKE '%KB4534276%' and (UCS.status=1 or UCS.status=3) THEN 'Yes'
WHEN UIN.Title LIKE '%KB4534293%' and (UCS.status=1 or UCS.status=3) THEN 'Yes'
WHEN UIN.Title LIKE '%KB4534306%' and (UCS.status=1 or UCS.status=3) THEN 'Yes'
ELSE 'No'
END 'KB Installed'

FROM v_R_System SYS
left JOIN v_UpdateComplianceStatus UCS ON SYS.ResourceID = UCS.ResourceID
left JOIN v_UpdateInfo UIN ON UCS.CI_ID = UIN.CI_ID

WHERE
(UIN.Title LIKE '%KB4528760%') OR
(UIN.Title LIKE '%KB4534271%') OR
(UIN.Title LIKE '%KB4534273%') OR
(UIN.Title LIKE '%KB4534276%') OR
(UIN.Title LIKE '%KB4534293%') OR
(UIN.Title LIKE '%KB4534306%')

) A
where [KB Installed]='Yes'
group by [update]
-- ORDER BY SYS.Name0
UNION
Select [update] , 0 'Installed' ,count([computer]) 'Not Installed' from
(
SELECT DISTINCT
SYS.Name0 'Computer',
SYS.Operating_System_Name_and0 'OS',
UIN.Title 'Update',
CASE
WHEN UIN.Title LIKE '%KB4528760%' and (UCS.status=1 or UCS.status=3) THEN 'Yes'
WHEN UIN.Title LIKE '%KB4534271%' and (UCS.status=1 or UCS.status=3) THEN 'Yes'
WHEN UIN.Title LIKE '%KB4534273%' and (UCS.status=1 or UCS.status=3) THEN 'Yes'
WHEN UIN.Title LIKE '%KB4534276%' and (UCS.status=1 or UCS.status=3) THEN 'Yes'
WHEN UIN.Title LIKE '%KB4534293%' and (UCS.status=1 or UCS.status=3) THEN 'Yes'
WHEN UIN.Title LIKE '%KB4534306%' and (UCS.status=1 or UCS.status=3) THEN 'Yes'
ELSE 'No'
END 'KB Installed'

FROM v_R_System SYS
left JOIN v_UpdateComplianceStatus UCS ON SYS.ResourceID = UCS.ResourceID
left JOIN v_UpdateInfo UIN ON UCS.CI_ID = UIN.CI_ID

WHERE
(UIN.Title LIKE '%KB4528760%') OR
(UIN.Title LIKE '%KB4534271%') OR
(UIN.Title LIKE '%KB4534273%') OR
(UIN.Title LIKE '%KB4534276%') OR
(UIN.Title LIKE '%KB4534293%') OR
(UIN.Title LIKE '%KB4534306%')

) A
where [KB Installed]='No'
group by [update]
) C group by [Update]
