How #ZENworks2020 can protect against the Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601)


Yesterday (January 14, 2020), the National Security Agency (NSA) reported a vulnerability in the cryptographic library, CRYPT32.DLL, used by Windows 10 and Windows Server 2016/2019. The vulnerability was labeled Windows CryptoAPI Spoofing Vulnerability and given an ID of CVE-2020-0601. It has also started to be referred to as CurveBall because the flaw is in Microsoft's implementation of Elliptic Curve Cryptography.

About the vulnerability

According to the vulnerability description, attackers can exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear that the file was from a trusted, legitimate source. As a result, users could then download and install the malware expecting it to be a safe file. The NSA Cybersecurity Advisory states that “examples of where validation of trust may be impacted include: HTTPS connections, signed files and emails, [and] signed executable code launched as user-mode processes.”

Recommended action

The same day the vulnerability was reported, Microsoft released patches that fix it. The NSA Cybersecurity Advisory “recommends installing all January 2020 Patch Tuesday patches as soon as possible to effectively mitigate the vulnerability on all Windows 10 and Windows Server 2016/2019 systems.” In addition, “NSA assesses the vulnerability to be severe and that sophisticated cyber actors will understand the underlying flaw very quickly…rapid adoption of the patch is the only known mitigation at this time and should be the primary focus for all network owners.”

16-JAN-2020 UPDATE: Proof-of-concept exploits have now been published with Acting Homeland Security Advisor Rob Joyce describing the bug as "seriously, seriously bad." Read about it in this ZDNet article.

Using ZENworks 2020 to mitigate the vulnerability

ZENworks 2020 is uniquely positioned to help you mitigate critical vulnerabilities like the Windows CryptoAPI Spoofing Vulnerability. ZENworks Patch Management has long provided the ability to quickly apply patches to devices. ZENworks 2020 introduced the ability to identify software vulnerabilities by CVE ID, remediate those vulnerabilities through one-click deployment of the patch to impacted devices, and then track the remediation progress across your ZENworks zone.

Here's how you do it.

1. Run the CVE Subscription service

ZENworks uses the CVE Subscription service to download CVE data from the U.S. National Vulnerability Database each day. If you already have the CVE Subscription service running, CVE-2020-0601 should be downloaded by now. If you don’t have the service running, start it. In ZENworks Control Center, click Subscribe and Share. In the Subscriptions list, click New > Subscription and create the subscription. At the end of the wizard, make sure to select the Run Now option to run the subscription as soon as it is created.

2. Run the Patch Subscription service

This ensures that the January 2020 Patch Tuesday patches are downloaded and that the CVE-2020-0601 data is mapped to the patches that fix it. In ZCC, click Security > Patch Dashboard, then expand the Patch Subscription Status dashlet and click the Discover Patches link to initiate the download.

3. Run a Patch scan on your devices

If you don’t already have your own favorite way of doing this, try going to the Devices list in ZCC, selecting the devices you need to scan, then clicking Quick Tasks > Initiate Patch Scan.

4. Create a CVE Tracker dashlet

The CVE Tracker dashlet lets you see which devices have the vulnerability and then apply the patch required to remediate the devices.


You’ll notice that the dashlet shows the total number of devices to which the CVE is applicable and the number of those devices that are still vulnerable (2/2). The red arrow indicates that the vulnerable device count is trending up, which makes sense because I just ran a scan on the devices to discover they are vulnerable.

Here’s how you create the dashlet:

  1. In ZCC, click Security to display the Security dashboard.

  2. Click the CVE Tracker dashlet to create a new dashlet.

  3. Click Add/Remove in the Configuration panel to display the Select CVEs dialog, enter CVE-2020-0601 in the Search box to locate the CVE in the list, select the CVE, then click OK to add the CVE.

  4. In the Name field, type CVE-2020-0601, then click Apply.

    If the Patch scan has completed on devices, any devices that require the January 2020 Patch Tuesday patch to fix the vulnerability are added to the dashlet in the Device Details list. This list shows all devices to which the CVE is applicable and whether each device is Vulnerable (needs patching) or Not Vulnerable (already has the patch). In my test zone, I have two Windows 10 devices (versions 1803 and 1903) and both are vulnerable.

  5. Click the menu icon above the Configuration panel, click Save As, type Windows 10 CryptoAPI Spoofing Vulnerability for the dashlet name, then click OK to save it to the Security dashboard.


Use the dashlet to remediate devices and track progress

Now that the dashlet is created, you can use it to apply the CVE’s patches to devices and track the progress of your remediation efforts across all impacted devices.

  1. Expand the dashlet.

  2. In the device list, select the devices you want to remediate, then click Deploy Remediation.

    If the required patches have not already been downloaded, the Patch Status dialog is displayed to show that the patches are now being downloaded. In my case, I only selected the Windows 10 1903 device to remediate, so only the patch for that version is being downloaded. If I had selected both versions, patches for each version would be downloaded.

  3. When the download is complete, click Continue, then complete the Remediation wizard to deploy the patches to the selected devices.

    After the patch is applied to a device and the status is reported back to the ZENworks server, the dashlet is updated to show the new vulnerability status of each device.

    One last item to note about the dashlet is that the Vulnerability Status gives the current status of devices while the Vulnerability Trend shows whether the number of vulnerable devices has increased or decreased over time. However, Vulnerability Trend is only available if you have configured the Vertica database, included in ZENworks 2020, to store the data. You can find out more about Vertica in the ZENworks 2020 documentation.

Final Thoughts

Software vulnerabilities are a fact of life. However, some are worse than others, and when the NSA reports one and then issues a Cybersecurity Advisory about it, it is best to pay some attention to it. And with ZENworks 2020, you have the tools you need to do just that!

