AusCERT Week in Review for 17th January 2020


Is everyone still reeling from Microsoft Patch Tuesday? The Windows CryptoAPI vulnerability has security professionals across the world scrambling as news spread across the internet. Spoofing certificates has never been easier!

In other news, go and check the mitigations on your Citrix Gateways and ADCs. Citrix advises that certain releases of Citrix ADC remain vulnerable even after the mitigation steps have been applied. To make things even spicier, the remote code execution vulnerability is being actively exploited in the wild, and Shodan shows over 125,400 Citrix ADC or Gateway servers publicly accessible… Yikes!

CVE-2020-0601 – An Exploit has been made public.
Date: 2020-01-16
Author: SANS Internet Storm Center

There is no catchy name or logo for this vulnerability. It is referred to as “CVE-2020-0601”, “CryptoAPI ECC Verification Vulnerability,” or “crypt32.dll Vulnerability” and several other names. It is probably best to use the CVE number as an identifier.
Only Windows 10 and Windows Server 2016 and 2019 are affected. Windows 7 is not affected.
We also made a simple PowerPoint presentation available to help you brief management on the issue.

PoC Exploits Released for Citrix ADC and Gateway RCE Vulnerability
Date: 2020-01-11
Author: The Hacker News

It’s now or never to prevent your enterprise servers running vulnerable versions of Citrix application delivery, load balancing, and Gateway solutions from getting hacked by remote attackers.
Why the urgency? Earlier today, multiple groups publicly released weaponized proof-of-concept exploit code for a recently disclosed remote code execution vulnerability in Citrix’s NetScaler ADC and Gateway products that could allow anyone to leverage them to take full control over potential enterprise targets.
Just before the last Christmas and year-end holidays, Citrix announced that its Citrix Application Delivery Controller (ADC) and Citrix Gateway are vulnerable to a critical path traversal flaw (CVE-2019-19781) that could allow an unauthenticated attacker to perform arbitrary code execution on vulnerable servers.

Microsoft fixes Windows crypto bug reported by the NSA
Date: 2020-01-14
Author: ZDNet

Microsoft has released a security update today to fix “a broad cryptographic vulnerability” impacting the Windows operating system.
“Given the information at our disposal right now, customers should absolutely make sure they apply this patch quickly. This is true for all “critical patches” but is doubly true at this time,” Yonatan Striem-Amit, CTO and Cofounder of Cybereason told ZDNet earlier today.
The vulnerability, tracked as CVE-2020-0601, impacts the Windows CryptoAPI, a core component of the Windows operating system that handles cryptographic operations.
“A successful exploit could also allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software,” Microsoft also said.
According to Microsoft, this vulnerability impacts Windows 10, Windows Server 2019, and Windows Server 2016 OS versions.

Some noteworthy bulletins this week are as follows:

Vulnerability in Citrix Application Delivery Controller and Citrix Gateway

Certain releases of Citrix ADC are still vulnerable to exploits.

Security update for Microsoft Windows

Microsoft’s Patch Tuesday included a fix for a code-signing spoofing vulnerability.

Stay safe, stay patched and have a good weekend!