NSA's First Public Vulnerability Disclosure: An Effort to Build Trust

The U.S. National Security Agency (NSA) started a new chapter after discovering and reporting to Microsoft a vulnerability tracked as CVE-2020-0601 and impacting Windows 10 and Windows Server systems.

In a phone conference that Bleeping Computer joined, NSA’s Director of Cybersecurity Anne Neuberger said that this is the first time the agency decided to publicly disclose a security vulnerability to a software vendor.

“We thought hard about that. When Microsoft asked us, ‘Can we attribute this vulnerability to NSA?’ we gave it a great deal of thought. And then we elected to do so and here is why,” Neuberger explained.

She added that “part of building trust is showing the data” and, as a result, “it’s hard for entities to trust that we indeed take this seriously and ensuring that vulnerabilities can be mitigated is an absolute priority.”

Neuberger also said during the media call that the agency will make efforts towards becoming an ally to the cybersecurity community and private sector entities, and will begin to share vulnerability data with its partners instead of accumulating it and using it in future offensive operations.

“Sources say this disclosure from NSA is planned to be the first of many as part of a new initiative at NSA dubbed ‘Turn a New Leaf,’ aimed at making more of the agency’s vulnerability research available to major software vendors and ultimately to the public,” journalist Brian Krebs reported.

NSA redefining itself

“We believe in Coordinated Vulnerability Disclosure (CVD) as proven industry best practice to address security vulnerabilities,” MSRC’s Principal Security Program Manager Mechele Gruhn added.

“Through a partnership between security researchers and vendors, CVD ensures vulnerabilities are addressed prior to being made public.”

NSA’s new approach to building trust with the public and its partners redefines the agency’s cybersecurity mission, as US Army General and NSA Director Paul M. Nakasone stated in July 2019.

“The Cybersecurity Directorate will reinvigorate our white hat mission opening the door to partners and customers on a wide variety of cybersecurity efforts,” he added at the time.

“It will also build on our past successes such as Russia Small Group to operationalize our threat intelligence, vulnerability assessments, and cyber defense expertise to defeat our adversaries in cyberspace.”

The NSA-reported vulnerability

The CVE-2020-0601 spoofing vulnerability reported by the NSA affects the Windows CryptoAPI and is caused by the way Elliptic Curve Cryptography (ECC) certificates are validated.

“The certificate validation vulnerability allows an attacker to undermine how Windows verifies cryptographic trust and can enable remote code execution,” the NSA says.

CVE-2020-0601 hasn’t yet been exploited in the wild, according to Microsoft’s security advisory, and the US agency advises users and organizations to install the patches released as part of Microsoft’s January 2020 Patch Tuesday as soon as possible to block attackers from defeating “trusted network connections and deliver executable code while appearing as legitimately trusted entities.”

“This vulnerability is one example of our partnership with the security research community where a vulnerability was privately disclosed and an update released to ensure customers were not put at risk,” Gruhn added.

The NSA security advisory also comes with mitigation measures for systems where installing the patches released by Microsoft today is not immediately possible.

“Properly configured and managed TLS inspection proxies independently validate TLS certificates from external entities and will reject invalid or untrusted certificates, protecting endpoints from certificates that attempt to exploit the vulnerabilities,” the agency reveals.

“Ensure that certificate validation is enabled for TLS proxies to limit exposure to this class of vulnerabilities and review logs for signs of exploitation.”
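As an added example (not code from the article, the NSA advisory or Microsoft): a pure-Python check that classifies a certificate’s SubjectPublicKeyInfo by how its curve is specified. The spoofing behind CVE-2020-0601 relied on certificates carrying explicit ECParameters instead of a named-curve OID, so a TLS proxy or log-review script can flag that shape; the sample SPKIs below are constructed with a placeholder public point, and the DER helpers are minimal and dependency-free.

```python
OID, INT, BITSTR, OCTSTR, SEQ = 0x06, 0x02, 0x03, 0x04, 0x30
EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")   # 1.2.840.10045.2.1 id-ecPublicKey
P256 = bytes.fromhex("2a8648ce3d030107")          # 1.2.840.10045.3.1.7 prime256v1

def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV (short or long-form length)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def der_read(buf: bytes, pos: int = 0) -> tuple[int, bytes, int]:
    """Decode the TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value: bytes) -> list[tuple[int, bytes]]:
    """Split a constructed value into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out

def ec_params_kind(spki_der: bytes) -> str:
    """Classify an SPKI: 'not-ec', 'named-curve', 'explicit-params' or 'other'."""
    _, spki, _ = der_read(spki_der)
    alg_children = der_children(der_children(spki)[0][1])   # AlgorithmIdentifier
    if alg_children[0] != (OID, EC_PUBLIC_KEY):
        return "not-ec"
    ptag = alg_children[1][0] if len(alg_children) > 1 else None
    if ptag == SEQ:                    # ECParameters SEQUENCE: alert on or reject these
        return "explicit-params"
    return "named-curve" if ptag == OID else "other"

def build_spki(params: bytes) -> bytes:
    """Constructed test SPKI; the public point is a placeholder, not a valid key."""
    alg = der(SEQ, der(OID, EC_PUBLIC_KEY) + params)
    return der(SEQ, alg + der(BITSTR, b"\x00\x04" + b"\x11" * 64))

NAMED_SPKI = build_spki(der(OID, P256))
# Explicit ECParameters: SEQUENCE { version 1, fieldID, curve, base, order, cofactor };
# the inner values are constructed stand-ins, only the structure matters for the check.
EXPLICIT_SPKI = build_spki(der(SEQ, der(INT, b"\x01") + der(SEQ, b"") + der(SEQ, b"")
                               + der(OCTSTR, b"\x04") + der(INT, b"\x01") + der(INT, b"\x01")))
```

Extracting the SPKI from a full certificate is left to the caller; with the same `der_read`/`der_children` helpers it is the seventh element of tbsCertificate when the explicit version field is present.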

The consequences of not patching the vulnerability are severe and widespread. Remote exploitation tools will likely be made quickly and widely available. Rapid adoption of the patch is the only known mitigation at this time and should be the primary focus for all network owners. – NSA
