The National Security Agency recently uncovered a severe vulnerability in Microsoft’s Windows operating system, and it decided to publicly raise awareness and help the company issue patches instead of using the flaw for the agency’s intelligence operations.
Listed as CVE-2020-0601, the vulnerability occurs because Microsoft Windows CryptoAPI fails to properly validate certificates that use elliptic curve cryptography, which may allow an attacker to spoof the validity of certificate chains.
“The certificate validation vulnerability allows an attacker to undermine how Windows verifies cryptographic trust and can enable remote code execution,” the NSA’s advisory reads.
Anne Neuberger, the director of the NSA’s Cybersecurity Directorate, said on a call Tuesday that the vulnerability caused great concern inside the Department of Defense because it’s fundamental to the trust of critical systems throughout the DOD and the U.S. government.
“We discovered a critical vulnerability in Microsoft Windows 10 operating system that we immediately shared with the company for action recently,” Neuberger said. “As you know we do a lot of research. We have … people constantly evaluating systems, programs, and software. That’s how we discovered it.”
The Cybersecurity Directorate, which has taken on the responsibility for tipping nation-state threat information to critical system owners since its inauguration last fall, said system owners should move quickly to patch this vulnerability.
“Because of the critical nature of the vulnerability we’re urging immediate patching,” Neuberger said Tuesday.
Bryan Ware, the assistant director for cybersecurity at DHS’s Cybersecurity and Infrastructure Security Agency, said on the call with reporters Tuesday that, going forward, the Department of Homeland Security will warn the private sector, as well as state, local, and tribal partners, that if they cannot patch immediately, they should isolate affected systems by taking potentially internet-connected devices off the internet.
Later Tuesday, CISA released an “emergency directive” ordering federal civilian agencies to apply the patch within 10 business days.
“CISA has determined that these vulnerabilities pose an unacceptable risk to the federal enterprise and require an immediate and emergency action,” CISA Director Chris Krebs wrote in the order.
The vulnerability may not be as dangerous as Heartbleed, another encryption flaw, Matt Green, an associate professor of computer science at Johns Hopkins, told CyberScoop.
“It sounds pretty bad. Not as bad as Heartbleed, but pretty severe nonetheless,” Green, a cryptographer, said. “Heartbleed broke everything, even beyond crypto. This just makes the crypto broken [and] it’s easier to detect.”
Neither Microsoft nor the NSA has seen any exploitation of the vulnerability, Neuberger said, adding that the NSA doesn’t attribute it to any particular adversary.
“We don’t expect any specific threat actor to be more likely to exploit the vulnerability,” she said.
Jeff Jones, a senior director at Microsoft, told CyberScoop Tuesday the company would not comment on the patch in order to “prevent unnecessary risk to customers, security researchers and vendors” before the update was made available.
Trust the process
Neuberger declined to say when the NSA uncovered the flaw, but did say that officials followed the Vulnerabilities Equities Process (VEP), the mechanism by which the U.S. government determines to either withhold or disclose information to tech companies about newly discovered flaws in their software.
She also declined to say how long the NSA, the White House, and the National Security Council deliberated about the vulnerability’s disclosure, adding that Grant Schneider, the federal chief information security officer, participated in the discussion.
The VEP lays out the core considerations the U.S. government takes into account when a previously unknown vulnerability, commonly known as a “zero-day,” comes into its possession, weighing “the benefit to national security and the national interest” when deciding whether to secretly retain the vulnerability for use in spying operations or to disclose it to the manufacturer so the software can be fixed or patched.
The NSA has shared vulnerabilities it has discovered with Microsoft before. In 2017, the company released a patch for the flaw targeted by an exploit known as EternalBlue following warnings from the NSA that the exploit was part of a hacking toolset that would subsequently be leaked by the Shadow Brokers.
Neuberger said this is the first time the NSA has agreed to publicly take credit for discovering a vulnerability.
“When Microsoft asked us if they could attribute the vulnerability to the NSA, for the first time we said yes,” Neuberger said. “We recognize the value of building trust … We have to show the data when we make decisions to show broad vulnerabilities that are broadly exploitable like this.”
In the days leading up to the announcement, the U.S. government began briefing network owners, such as those in the financial sector, to make sure they were kept abreast of the NSA’s findings and the patch’s release.
“We did something a bit differently here and tried a new approach to sharing,” Neuberger said. “One part of that was raising awareness a few days in advance to ensure that critical network owners were aware of the patch.”
Starting Tuesday afternoon, CISA will be working with the NSA to brief local, state, and tribal partners on the flaw over the next few days, Ware said. Krebs will begin pressuring CIOs and other key risk management officials in the federal government in early February if they still have not taken appropriate mitigation action. By mid-February, Krebs will elevate concerns to the White House’s Office of Management and Budget and the Secretary of Homeland Security.
The announcement coincides with the Cybersecurity Directorate’s broader effort, kicked off last year, to share vulnerability information quickly and in unclassified form.
Part of the inspiration to publicly acknowledge the NSA’s hand in uncovering this particular flaw may have come from conversations Neuberger had with intelligence officials in other countries.
“When I had conversations with my counterparts in a couple of other countries, their conversation was, ‘Of course we accept attribution. We’re doing a service sharing vulnerability information and it’s important that citizens of our country know that,’” Neuberger said.
Greg Otto contributed to this report.