Minimizing Your Exposure to Windows CVE-2020-0601
Duo has a strong technical partnership with Microsoft and we work closely to provide security solutions to solve challenges that our customers may be facing. As you may be aware, there was recently a critical vulnerability disclosed by Microsoft which affects cryptographic functions.
Zero-Trust for Zero-Days
Zero-day vulnerabilities have long unnerved defenders. After all, we suddenly have a hole in our security, a gap in our defenses, and a new path attackers may already be taking. Exploitable software without a patch can be a challenge to quickly mitigate, even after security patches are finally released. Much like “assume breach” has influenced incident response strategies, assuming zero-days exist in the environment should be the starting point for defense strategies. Wait for patches, but in the meantime, rely upon compensating controls, and a bit of luck.
Zero-trust approach to compartmentalizing access offers an advantage in dealing with unexpected security holes. By defining the perimeter as any place we make an access decision, we can stack controls to allow or block access based on the trustworthiness of the user, application, or device. Something goes wrong, we can contain the potential attacker from going any further. And when remediation comes available, we can keep unpatched devices off applications and prompt for updates.
Duo’s approach to providing zero-trust for the workforce illustrates this approach in action.
Now Microsoft has released a patch for CVE-2020-0601 and so it is not a zero-day vulnerability. The critical vulnerability affects cryptographic functions in Windows, including code signing and HTTPS. Certificates are one of the fundamental ways we assert trust, so the spoofing which this vulnerability enables is especially concerning. One potential use is phishing users into providing credentials. Street smarts would tell you to use HTTPS and check the TLS certificate before authenticating. But with CVE-2020-0601, an attacker can spoof the certificate to appear the browser is actually on MyBank.com over a secure connection. Or consider environments where applications are whitelisted by source. An attacker can use CVE-2020-0601 to make malicious executables appear legitimate by spoofing the code signing. Given the importance of cryptography for so many security decisions, it is imperative that the vulnerability be patched.
Microsoft’s released this week fixes the code in Windows 10, Windows Server 2016, Windows Server 2019. The as-of-now unsupported Windows 7 is not affected. In addition to preventing the cryptographic spoofing, the patch went a step further in improving detection. Attempt to use forged certificates on a patched system and Windows will log it to the event logs. So patch, and consider adding a SIEM rule to trigger investigations should this pop up in event logs.
How Duo Helps
Duo as multi-factor authentication offers a strong protection should website spoofing, email spoofing, or code signing should trick someone into handing over their username and password. MFA devalues credentials by ensuring the stolen credentials cannot be reused alone. This protection provides user trust after the fact, after the vulnerability has been exploited.
Another method is to restrict vulnerable devices from accessing the organization’s resources. Maintaining trust in the devices used to access your applications is equally important as verifying your users. You can check out some of the additional tools we provide with our Device Health, Trusted Endpoints, Endpoint Remediation, and Unified Endpoint Visibility. Duo provides a solution in which, you can you quickly can apply both global and application-specific access policies that prompt users update their machines before they can access protected applications. Duo’s Device Health can provide additional visibility into the patch version of OS so you can become very granular in setting access policies to only block devices which have not yet been patched.
It is a simple policy configuration detailed below. With a few simple clicks this can be applied to corporate-managed machines and any personal systems that access your sensitive resources.
Step 1: Edit Global Policy
Step 2: Ensure Users Have Duo’s Device Health Application Enabled
Step 3: Set Windows Operating System Policy To Block Users If Not On The Latest Version
Step 4: Monitor Windows Devices As They Are Brought Into Compliance With Policy
If you are existing Duo customer you can check out the related docs page here on setting the policy: https://duo.com/docs/device-health#operating-system-granular-policy.
And to learn more about getting visibility to the endpoints in the endpoints view you can access information here: https://duo.com/docs/device-health#endpoints-list-and-details.
If you are new to Duo you can start a trial today to level-up your security giving you peace of mind.
Learn more about protecting your MIcrosoft applications with our new ebook, An Essential Guide to Zero Trust for Microsoft Applications.