Prioritizing a Patch: How the NSA Pushed Microsoft to Address a Major Flaw

January marked the beginning of a new decade and a chance for many to explore the opportunities of the future alongside past certainties: death, taxes, and Patch Tuesday.

Started by Microsoft in 2003, Patch Tuesday occurs on the second Tuesday (and sometimes the fourth Tuesday) of the month. It is when the company releases software patches for vulnerabilities in its products, including Windows.

As the first Patch Tuesday of the decade approached on 14 January 2020, rumors floated around that it might be more important than normal.

“I get the impression that people should perhaps pay very close attention to installing tomorrow’s Microsoft Patch Tuesday updates in a timely manner,” tweeted Will Dormann, vulnerability analyst at the U.S. Computer Emergency Readiness Team (CERT), on 13 January. “Even more so than others. I don’t know… just call it a hunch?”

Dormann’s hunch was correct. The next day, Microsoft released a patch for a vulnerability—CVE-2020-0601, also known as the CryptoAPI Spoofing Vulnerability—that impacted Windows 10, Windows Server 2016, and Windows Server 2019 platforms. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) mandated all government agencies to implement the patch within 10 days. And the U.S. National Security Agency (NSA) Cybersecurity Directorate Technical Director Neal Ziring issued a statement urging “everyone to take action” on the patch.

“This kind of vulnerability may shake our belief in the strength of cryptographic authentication mechanisms and make us question if we can really rely on them,” Ziring wrote.

Later, the NSA would confirm that it had discovered the vulnerability and used the federal government’s Vulnerabilities Equities Policy and Process (VEP) in response. The process outlines the procedure the U.S. government uses when it discovers a vulnerability that should be disclosed to vendors to fix it and prevent public harm.

“In the vast majority of cases, responsibly disclosing a newly discovered vulnerability is clearly in the national interest,” according to the VEP. “However, there are legitimate advantages and disadvantages to disclosing vulnerabilities, and the trade-offs between prompt disclosure and withholding knowledge of some vulnerabilities for a limited time or adopting a mitigation strategy short of full disclosure can have significant consequences.”

It is not clear when the NSA became aware of CVE-2020-0601 or how long the VEP took before the agency decided to disclose it. However, Ziring said the NSA ultimately alerted Microsoft so it could prepare a patch for distribution.

“This vulnerability is classed as important, and we have not seen it used in active attacks,” wrote Mechele Gruhn, Microsoft Security Response Center principal security program manager, in a blog post. “This vulnerability is one example of our partnership with the security research community where a vulnerability was privately disclosed and an update released to ensure customers were not put at risk.”

The vulnerability impacts Microsoft Windows’ cryptographic functionality by affecting its ability to validate certificates.

“CVE-2020-0601 is a serious vulnerability, because it can be exploited to undermine Public Key Infrastructure (PKI) trust,” Ziring explained. “PKI is a set of mechanisms that home users, businesses, and governments rely upon in a wide variety of ways. The vulnerability permits an attacker to craft PKI certificates to spoof trusted identities, such as individuals, websites, software companies, service providers, or others. Using a forged certificate, the attacker can (under certain conditions) gain the trust of users or services on vulnerable systems and leverage that trust to compromise them.”

The vulnerability could be exploited to impact HTTPS connections (connections to websites previously thought to be secure), signed files and emails, and signed executable code. For instance, an attacker could use the vulnerability to make malware appear to be a legitimate program that was produced by a software company a user trusted.

“NSA assesses the vulnerability to be severe and that sophisticated cyber actors will understand the underlying flaw very quickly and, if exploited, would render the previously mentioned platforms as fundamentally vulnerable,” the agency explained in an advisory. “The consequences of not patching the vulnerability are severe and widespread.”

Because the CVE-2020-0601 vulnerability could be exploited to undermine the trust mechanisms that the Internet operates under, Ziring said it needed to be addressed.

The same morning as the NSA’s announcement, CISA released an emergency directive ordering all U.S. federal government executive branch departments and agencies—except for the U.S. Department of Defense, the CIA, and the Office of the Director of National Intelligence—to mitigate CVE-2020-0601 by patching their systems.

“CISA has determined that these vulnerabilities pose an unacceptable risk to the Federal enterprise and require an immediate and emergency action,” wrote CISA Director Chris Krebs. “This determination is based on the likelihood of the vulnerabilities being weaponized, combined with the widespread use of the affected software across the Executive Branch and high potential for a compromise of integrity and confidentiality of agency information.”

The directive instructed the agencies and departments to patch all affected endpoints on their information systems within 10 business days, and to guarantee that technical or management controls were in place to ensure that newly provisioned or previously disconnected endpoints are patched before connecting to agency networks.

Agencies were also required to report out to CISA—within three business days and again within 10 days—that they had completed the requirements. CISA advised removing any endpoints that could not be patched within 10 days.

The NSA’s decision to notify Microsoft shows how the agency has responded to industry criticism to share more information with the private sector to take action to mitigate threats.

The NSA was previously criticized for developing EternalBlue, a tool that exploited a Windows bug for more than five years without notifying Microsoft. The tool took advantage of a vulnerability in all versions of Windows that were on the market at the time.

A hacking group known as the Shadow Brokers obtained EternalBlue and later leaked it online. By the time it was made public in August 2017, Microsoft had released a patch to address EternalBlue, but many system owners and operators had not implemented it yet—making them vulnerable.

Since then, the U.S. federal government declassified its VEP to increase transparency into its decision-making process on when it will inform the private sector of vulnerabilities. The NSA also created the Cybersecurity Directorate in July 2019—operational in October 2019—to unify the agency’s foreign intelligence and cyber defense missions.

“The Cybersecurity Directorate will reinvigorate NSA’s white hat mission by sharing critical threat information and collaborating with partners and customers to better equip them to defend against malicious cyber activity,” the NSA said in a press release. “The new directorate will also better position NSA to operationalize its threat intelligence, vulnerability assessments, and cyber­defense expertise by integrating these efforts to deliver prioritized outcomes.”

The move has been welcomed by the private sector, which had said the U.S. government was not sharing enough timely data to keep it abreast of cyber threats.

“We believe in coordinated vulnerability disclosure (CVD) as a proven industry best practice to address security vulnerabilities,” Gruhn said. “Through a partnership between security researchers and vendors, CVD ensures vulnerabilities are addressed prior to being made public. To prevent unnecessary risk to customers, security researchers and vendors do not discuss the details of reported vulnerabilities before an update is available.”