CVE-2020-0601: Windows CryptoAPI Spoofing Vulnerability
Severity
High
Vendor
Microsoft Corporation
Description
A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source, aka ‘Windows CryptoAPI Spoofing Vulnerability’.
Affected Cloud Foundry Products and Versions
- Windows Stemcells
  - All versions prior to 2019.15
- Windows1803fs Release
  - All versions of Windows1803fs Release prior to v3.3.0
- Windows2019fs Release
  - All versions of Windows2019fs Release prior to v2.4.0
- CF Deployment
  - All versions of CF Deployment prior to v12.27.0
Mitigation
Users of affected products are strongly encouraged to follow the mitigations below. The Cloud Foundry project recommends upgrading the following releases:
- Windows Stemcells
  - Upgrade all Windows Stemcells versions to 2019.15 or greater
- Windows1803fs Release
  - Upgrade all Windows1803fs Release versions to v3.3.0 or greater
- Windows2019fs Release
  - Upgrade all Windows2019fs Release versions to v2.4.0 or greater
- CF Deployment
  - Upgrade all CF Deployment versions to v12.27.0 or greater
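A version audit against the fixed versions listed above, as an added example that is not part of this advisory or of the Cloud Foundry tooling; the component labels and the sample inventory are constructed for illustration, and the comparison is numeric so that a version such as 2019.9 is correctly treated as older than 2019.15.

```python
import re

# Fixed versions taken from the advisory; anything older is affected.
# The keys are constructed labels for this example, not BOSH release names.
FIXED_VERSIONS = {
    "windows-stemcell": "2019.15",
    "windows1803fs": "v3.3.0",
    "windows2019fs": "v2.4.0",
    "cf-deployment": "v12.27.0",
}


def parse_version(version):
    """'v3.3.0' -> (3, 3, 0); '2019.15' -> (2019, 15). A leading 'v' is ignored."""
    return tuple(int(part) for part in re.findall(r"\d+", version.strip().lstrip("v")))


def version_lt(a, b):
    """Numeric comparison: '2019.9' < '2019.15' (string comparison gets this wrong),
    and '3.3' equals '3.3.0' because missing trailing components count as zero."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return pa < pb


def is_affected(component, version):
    """True if below the fixed version, False if fixed or newer,
    None if the component is not covered by this advisory."""
    fixed = FIXED_VERSIONS.get(component)
    if fixed is None:
        return None
    return version_lt(version, fixed)


def audit(inventory):
    """inventory: list of (component, version) pairs, e.g. collected from a
    deployment manifest. Returns the pairs that still need the upgrade."""
    return [(c, v) for c, v in inventory if is_affected(c, v)]


# Constructed sample inventory for this example.
SAMPLE_INVENTORY = [
    ("windows-stemcell", "2019.9"),
    ("windows1803fs", "v3.3.0"),
    ("windows2019fs", "v2.3.1"),
    ("cf-deployment", "v12.27.1"),
    ("some-other-release", "v1.19.0"),
]
```

Running audit(SAMPLE_INVENTORY) reports only the stemcell and the Windows2019fs release, since the other two covered components already meet the fixed versions.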
History
2020-01-22: Initial vulnerability report published.