CVE-2020-0601: Windows Stemcells vulnerable to Windows CryptoAPI Spoofing Vulnerability
Severity
High
Vendor
Microsoft Corporation
Versions Affected
- Windows Server 2019 (Server Core installation)
Description
Pivotal Stemcells (Windows) 2019.x versions prior to 2019.15, and Pivotal Application Service for Windows 2.5.x versions prior to 2.5.15, 2.6.x versions prior to 2.6.12, 2.7.x versions prior to 2.7.8, and 2.8.x versions prior to 2.8.3 are affected by a spoofing vulnerability in the way the Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear that the file came from a trusted, legitimate source (also known as the 'Windows CryptoAPI Spoofing Vulnerability').
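As an added illustration that is not part of the original advisory: the root cause of CVE-2020-0601 was that CryptoAPI accepted ECC certificates carrying explicit curve parameters without checking them against the trusted root's curve, so a defender-side triage check can flag ECC SubjectPublicKeyInfo structures that use explicit ECParameters instead of a named-curve OID. The minimal DER encoder, decoder and sample SPKI byte strings below are constructed for this example and are not real certificates.

```python
# Added example: flag ECC SubjectPublicKeyInfo (SPKI) structures whose curve is given
# as explicit ECParameters instead of a named-curve OID. All samples are constructed.
EC_PUBLIC_KEY_OID = bytes.fromhex("2a8648ce3d0201")       # id-ecPublicKey 1.2.840.10045.2.1
PRIME256V1_OID = bytes.fromhex("2a8648ce3d030107")        # prime256v1 1.2.840.10045.3.1.7
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # rsaEncryption 1.2.840.113549.1.1.1


def _der(tag, value):
    """Encode one DER TLV, using a long-form length when value is 128+ bytes."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _tlv(data, pos):
    """Decode the DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def ec_curve_kind(spki):
    """Classify a DER SPKI as 'named', 'explicit', 'implicit', 'unknown' or 'not-ec'."""
    tag, body, _ = _tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("SPKI must be a SEQUENCE")
    tag, alg_id, _ = _tlv(body, 0)           # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
    tag, oid, pos = _tlv(alg_id, 0)
    if tag != 0x06 or oid != EC_PUBLIC_KEY_OID:
        return "not-ec"
    if pos >= len(alg_id):                   # parameters field absent
        return "implicit"
    param_tag = _tlv(alg_id, pos)[0]
    # ECParameters CHOICE: namedCurve OID (0x06), explicit SEQUENCE (0x30), implicitlyCA NULL (0x05)
    return {0x06: "named", 0x30: "explicit", 0x05: "implicit"}.get(param_tag, "unknown")


# Constructed samples. The BIT STRING carries a placeholder uncompressed point, not a real key.
_POINT = _der(0x03, b"\x00\x04" + b"\x11" * 64)
NAMED_SPKI = _der(0x30, _der(0x30, _der(0x06, EC_PUBLIC_KEY_OID) + _der(0x06, PRIME256V1_OID)) + _POINT)
# Explicit parameters: only version and a placeholder base point are filled in here; a real
# ECParameters SEQUENCE also carries fieldID, curve coefficients, order and cofactor.
_EXPLICIT = _der(0x30, _der(0x02, b"\x01") + _der(0x04, b"\x04" + b"\x22" * 64))
EXPLICIT_SPKI = _der(0x30, _der(0x30, _der(0x06, EC_PUBLIC_KEY_OID) + _EXPLICIT) + _POINT)
RSA_SPKI = _der(0x30, _der(0x30, _der(0x06, RSA_ENCRYPTION_OID) + _der(0x05, b"")) + _POINT)
```

Some legitimate certificates do use explicit parameters, so treat an "explicit" result as something to review rather than an automatic rejection; the vendor patch remains the actual fix.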
Affected VMware Products and Versions
Severity is high unless otherwise noted.
- Pivotal Application Service (PAS) for Windows
  - 2.5 versions prior to 2.5.15
  - 2.6 versions prior to 2.6.12
  - 2.7 versions prior to 2.7.8
  - 2.8 versions prior to 2.8.3
- Pivotal Stemcells (Windows)
  - 2019 versions prior to 2019.15
Mitigation
Users of affected versions should upgrade to one of the following releases, which have fixed this issue:
- Pivotal Application Service (PAS) for Windows
  - 2.5.15
  - 2.6.12
  - 2.7.8
  - 2.8.3
- Pivotal Stemcells (Windows)
  - 2019.15
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0601
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601
History
2020-01-19: Initial vulnerability report published.