CVE-2020-0601: Windows Stemcells vulnerable to Windows CryptoAPI Spoofing Vulnerability
High
Microsoft Corporation
- Windows Server 2019 (Server Core installation)
Pivotal Stemcells (Windows) 2019.x versions prior to 2019.15, and Pivotal Application Service for Windows 2.5.x versions prior to 2.5.15, 2.6.x versions prior to 2.6.12, 2.7.x versions prior to 2.7.8, and 2.8.x versions prior to 2.8.3 are vulnerable to a spoofing vulnerability that exists in the way the Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source, aka 'Windows CryptoAPI Spoofing Vulnerability'.
Severity is high unless otherwise noted.
-
Pivotal Application Service (PAS) for Windows
- 2.5 versions prior to 2.5.15
- 2.6 versions prior to 2.6.12
- 2.7 versions prior to 2.7.8
- 2.8 versions prior to 2.8.3
-
Pivotal Stemcells (Windows)
- 2019 versions prior to 2019.15
Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:
-
Pivotal Application Service (PAS) for Windows
- 2.5.15
- 2.6.12
- 2.7.8
- 2.8.3
-
Pivotal Stemcells (Windows)
- 2019.15
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0601
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601
2020-01-19: Initial vulnerability report published.