All Vulnerability Reports

CVE-2020-0601: Windows Stemcells vulnerable to Windows CryptoAPI Spoofing Vulnerability

Severity

High

Vendor

Microsoft Corporation

Versions Affected

• Windows Server 2019 (Server Core installation)

Description

Pivotal Stemcells (Windows) 2019.x versions prior to 2019.15, and Pivotal Application Service for Windows 2.5.x versions prior to 2.5.15, 2.6.x versions prior to 2.6.12, 2.7.x versions prior to 2.7.8, and 2.8.x versions prior to 2.8.3 are vulnerable to a spoofing vulnerability that exists in the way the Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source, aka 'Windows CryptoAPI Spoofing Vulnerability'.

Affected VMware Products and Versions

Severity is high unless otherwise noted.

• Pivotal Application Service (PAS) for Windows
  • 2.5 versions prior to 2.5.15
  • 2.6 versions prior to 2.6.12
  • 2.7 versions prior to 2.7.8
  • 2.8 versions prior to 2.8.3

• Pivotal Stemcells (Windows)
  • 2019 versions prior to 2019.15

Mitigation

Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:

• Pivotal Application Service (PAS) for Windows
  • 2.5.15
  • 2.6.12
  • 2.7.8
  • 2.8.3

• Pivotal Stemcells (Windows)
  • 2019.15

References

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0601
• https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601

History

2020-01-19: Initial vulnerability report published.