
Using Live Query to Audit Your Environment for the Windows CryptoAPI Spoofing Vulnerability

2020-01-17 16:00:29
Sawyer Lemay
www.carbonblack.com

CVSS3: 8.1 High
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: REQUIRED
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: NONE
  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

CVSS2: 5.8 Medium
  Access Vector: NETWORK
  Access Complexity: MEDIUM
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: NONE
  Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N

This week, as part of its monthly patch Tuesday release, Microsoft disclosed an important security vulnerability (CVE-2020-0601) affecting millions of Windows 10 and Windows Server 2016 & 2019 systems. More specifically, this vulnerability is a result of the way Windows CryptoAPI validates Elliptic Curve Cryptography (ECC) certificates, which could allow an attacker to perform a man-in-the-middle attack. According to the Microsoft advisory:

“An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source. The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider.”

What makes this vulnerability more notable is its original source: the National Security Agency (NSA) of the United States government. This is the first time that the NSA has disclosed a security vulnerability to a software vendor.

The NSA also went a step further on Tuesday, publishing its own advisory that classifies the vulnerability as “severe” and urges administrators to roll out the January 2020 patch to all Windows 10 and Windows 2016 & 2019 systems as soon as possible.

How Live Query Speeds Up Audits

One of the most difficult and time-consuming aspects of vulnerability management is the simple process of identifying machines across your environment that are vulnerable, then auditing those machines over time to track progress throughout the patching process. And with a vulnerability that has gotten as much media attention as this CryptoAPI spoofing vulnerability, it’s almost certain that members of the leadership team within your organization are going to be annoyingly interested in hearing progress updates until you can confidently say that your environment is fully patched and safe from this attack vector.

Depending on the number of Windows devices your team manages, this audit process alone could take multiple days or weeks away from the other priorities on your list. However, by leveraging the Live Query capabilities of Audit and Remediation, our customers have the ability to effortlessly report on the state of all Windows machines under management that need to be patched.

Just how “effortless” is it, you ask?

Thanks to our pre-built catalog of Recommended Queries right in the console, getting a comprehensive audit of all your Windows machines that may be vulnerable is as easy as:

  1. Search for “CryptoAPI” from the Recommended Query tab
  2. Click “Run” to send the query out to all Windows systems
  3. Grab a coffee and wait for results to start rolling in

Within minutes you will see results flowing into your console, letting you know which machines in your environment do not have the required patches to protect against this vulnerability. To make this even easier in environments with multiple versions of Windows, our Threat Research team specifically built this query to report “Patch Not Applicable” in plain English for those versions that are not impacted by this vulnerability. This means your team doesn’t have to spend time working out which systems should or should not be queried as part of the audit. All of that work is built right into the report itself.
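As an added example (not the Recommended Query shipped in the Carbon Black console), the following osquery-style SQL reproduces the reporting logic described above: one row per endpoint with a plain-English status, and “Patch Not Applicable” for Windows versions the advisory does not cover. It assumes osquery’s standard `os_version` and `patches` tables; the `KB_PLACEHOLDER_*` values are placeholders, since this post does not list the January 2020 update IDs.

```sql
-- Added example, not the Carbon Black Recommended Query.
-- Reports each endpoint's CVE-2020-0601 patch status in plain English.
WITH required AS (
  -- Constructed build -> update-ID map. The post gives no KB numbers, so the
  -- kb values are placeholders to be filled from Microsoft's January 2020 advisory.
  SELECT '14393' AS build, 'KB_PLACEHOLDER_1607_SERVER2016' AS kb UNION ALL -- Win10 1607 / Server 2016
  SELECT '17763', 'KB_PLACEHOLDER_1809_SERVER2019' UNION ALL               -- Win10 1809 / Server 2019
  SELECT '18362', 'KB_PLACEHOLDER_1903' UNION ALL                          -- Win10 1903
  SELECT '18363', 'KB_PLACEHOLDER_1909'                                    -- Win10 1909
)
SELECT
  ov.name  AS os_name,
  ov.build AS os_build,
  CASE
    -- Versions the advisory does not list (Windows 7, 8.1, Server 2012, ...)
    -- need no patch, so say so rather than flagging them as missing one.
    WHEN ov.name NOT LIKE '%Windows 10%'
     AND ov.name NOT LIKE '%Server 2016%'
     AND ov.name NOT LIKE '%Server 2019%' THEN 'Patch Not Applicable'
    -- Affected OS but a build our map does not know: surface it for review.
    WHEN r.kb IS NULL THEN 'Unknown build - review manually'
    -- Affected OS and the cumulative update for its build is installed.
    WHEN EXISTS (SELECT 1 FROM patches p WHERE p.hotfix_id = r.kb) THEN 'Patched'
    ELSE 'Vulnerable - January 2020 update missing'
  END AS status
FROM os_version ov
LEFT JOIN required r ON r.build = ov.build;
```

Scheduling this query and exporting the `status` column gives the same daily or weekly patch-progress view the post describes.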

To make this process even more automated for those organizations with thousands of Windows 10 machines, users also have the option to schedule the query to run on a daily, weekly, or monthly basis to help track progress as your team works through your patch deployment process.

And the results of each scheduled query can be exported or automatically emailed to ensure that all necessary stakeholders have the most up-to-date information as your team makes progress patching these systems.

While Audit and Remediation is not a comprehensive patch management tool, it is an extremely effective solution when it comes to vulnerability assessment, system hardening, compliance audits, and incident response.

Our ultimate goal with this solution is to provide IT and Security teams with easy access to the most precise details of their endpoints and workloads to help teams save time and reduce risk across the entire enterprise, including MacOS, Linux, and Docker environments.

If your team is sick of spending countless hours tracking down answers during high-pressure situations, sign up here to get a live demonstration of Audit and Remediation.

The post Using Live Query to Audit Your Environment for the Windows CryptoAPI Spoofing Vulnerability appeared first on VMware Carbon Black.