Remediate Critical Vulnerability in Windows CryptoAPI CVE-2020-0601 with SaltStack
Microsoft kicked off its first Patch Tuesday of 2020 on January 14th by disclosing a critical flaw in the Windows cryptographic library that allows an attacker to deliver malicious code to an unsuspecting user and pass it off as if it were coming from a trusted entity.
Vulnerability CVE-2020-0601 exists in the core cryptographic module of Microsoft Windows that implements the certificate and cryptographic messaging functions of Microsoft’s CryptoAPI.
An attacker can exploit this vulnerability to deliver malicious code that appears to come from a trusted entity. For example, an attacker could pass malicious applications off as legitimate ones and quickly compromise Windows hosts within the organization. According to Microsoft, this vulnerability impacts Windows 10, Windows Server 2016 and Windows Server 2019.
The vulnerability has not been exploited in the wild yet but has been labeled ‘Exploitation More Likely’ now that a patch is available from Microsoft: once a patch is released, attackers typically reverse engineer it quickly and identify a path to exploit the vulnerability. Users should therefore pay attention and patch the vulnerability right away.
CVE-2020-0601: How can SaltStack Help?
Identify Vulnerable Systems
The first step towards patching any vulnerability is to identify all vulnerable systems. Users can use the powerful SaltStack minion targeting mechanism to enumerate a list of systems that are potentially vulnerable.
In the case of this vulnerability, Microsoft states that only Windows 10, Windows Server 2016, and Windows Server 2019 systems are impacted, so a quick Salt command matching on the osfinger grain enumerates the potentially vulnerable systems:
[root@localhost]# salt -C 'G@osfinger:Windows-2016Server or G@osfinger:Windows-2019Server or G@osfinger:Windows-10' grains.item osversion osrelease ipv4
(grains.item takes the grain names as positional arguments; joining them with "and" would pass the word "and" and the string "grains.item" as grain names.)
Which returns the following output:
W2016:
    ----------
    ipv4:
        - 188.8.131.52
    osrelease:
        2016Server
    osversion:
        10.0.14393
W2019:
    ----------
    ipv4:
        - 184.108.40.206
    osrelease:
        2019Server
    osversion:
        10.0.17763
Great. Now we have a list of IP addresses and OS versions that are potentially vulnerable.
Download Appropriate KBs
Once you have a good understanding of which systems are vulnerable, the next step is to download the appropriate KBs from Microsoft onto the Salt Master under /srv/salt, or into the repo of your choice.
Verify if a patch is applied
Next, verify whether the appropriate patches are applied to the systems enumerated earlier. In this case, we know from the Microsoft KB that KB4534273 needs to be applied to certain versions of Windows Server 2019.
We can run the following command to verify whether that KB is installed.
[root@ip-10-27-66-210 centos]# salt -P 'osfinger:(Windows-2019Server)' wusa.is_installed KB4534273
Which returns:
Great. Now we know the patch is not yet applied on the system, so let’s go ahead and apply it.
There are multiple ways to accomplish this: for example, you could host the downloaded packages in an external repo, or you could host the patch files on the Salt master itself. In this example, we download the patch file onto the master and create a state file to apply it.
Here are the contents of the state file, Win2019_4534273.sls (the name passed to state.apply later):
KB4534273:
  wusa.installed:
    - source: salt://windows10.0-kb4534273-x64_74bf76bc5a941bbbd0052caf5c3f956867e1de38.msu

reboot_windows:
  system.reboot:
    - timeout: 5
    - only_on_pending_reboot: True
In case you are wondering, the file windows10.0-kb4534273-x64_74bf76bc5a941bbbd0052caf5c3f956867e1de38.msu was downloaded from the Microsoft security advisory page here. The second state, reboot_windows, reboots the system only if the update leaves a reboot pending (only_on_pending_reboot: True).
Save this file as /srv/salt/Win2019_4534273.sls on the Salt Master, and then apply the patch.
Apply the Patch
Let’s check one last time with test=true mode before applying the patch.
Here’s the command :
[root@salt-master]# salt -P 'osfinger:(Windows-2019Server)' state.apply Win2019_4534273 test=true
Which returns the following output:
W2019:
----------
          ID: KB4534273
    Function: wusa.installed
      Result: None
     Comment: KB4534273 would be installed
     Started: 15:22:13.742830
    Duration: 1328.147 ms
     Changes:

Summary for W2019
------------
Succeeded: 1 (unchanged=1)
Failed:    0
------------
Total states run:     1
Total run time:   1.328 s
Ok great, we now have confirmation that the patch is not applied (Result: None, "would be installed"). Let’s go ahead and apply the patch by dropping test=true.
Here’s the command:
[root@salt-master]# salt -P 'osfinger:(Windows-2019Server)' state.apply Win2019_4534273
Note: since this patch requires a reboot, the Salt return for this run may report an exception when the minion restarts mid-job; you can safely ignore that report and confirm the result with the next command.
You can review whether the patch is applied using the following command:
[root@salt-master]# salt -P 'osfinger:(Windows-2019Server)' state.apply Win2019_4534273 test=true
W2019:
----------
          ID: KB4534273
    Function: wusa.installed
      Result: True
     Comment: KB4534273 already installed
     Started: 15:33:20.523734
    Duration: 1781.276 ms
     Changes:

Summary for W2019
------------
Succeeded: 1
Failed:    0
------------
Total states run:     1
Total run time:   1.781 s
Great. We now have confirmation the patch is applied, and we are now free to repeat the same process for other systems and their respective KBs.
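The whole procedure above (enumerate by osfinger, check wusa.is_installed per KB, then state.apply the matching state) repeats for every affected fingerprint, and doing it by eye does not scale past a handful of minions. The following Python script is an added example, not code from the blog or from SaltStack, that consumes the JSON form of those two commands (Salt's --out=json flag) and produces a remediation plan: which minions are confirmed missing their KB, which already have it, and which could not be assessed (unreachable minions, or fingerprints with no mapped KB). It then builds state.apply commands that target only the confirmed-unpatched minions with an explicit -L list, still in test=true mode first, so the broad osfinger regex is never used to push a state. The JSON inputs are constructed; the W2016/W2019 ids and addresses mirror the blog's run, while W10A and the unreachable W2016B are invented. Only KB4534273 for Windows Server 2019 and the state name Win2019_4534273 come from the blog; the other KB numbers and state names are labelled placeholders to replace with the values for your builds.

```python
import json

# Constructed sample output (not a captured run) of:
#   salt -C 'G@osfinger:Windows-2016Server or G@osfinger:Windows-2019Server or G@osfinger:Windows-10' \
#        grains.item osfinger osrelease ipv4 --out=json
# W2016/W2019 reuse the ids and addresses from the blog's run; W10A and the unreachable W2016B are invented.
GRAINS_JSON = """
{
  "W2016":  {"osfinger": "Windows-2016Server", "osrelease": "2016Server", "ipv4": ["188.8.131.52"]},
  "W2019":  {"osfinger": "Windows-2019Server", "osrelease": "2019Server", "ipv4": ["184.108.40.206"]},
  "W10A":   {"osfinger": "Windows-10",         "osrelease": "10",         "ipv4": ["10.0.0.5"]},
  "W2016B": "Minion did not return. [Not connected]"
}
"""

# KB required per osfinger. Only the Windows Server 2019 entry (KB4534273) is from the blog;
# the other two are placeholders to replace with the KB numbers for your builds.
REQUIRED_KB = {
    "Windows-2019Server": "KB4534273",
    "Windows-2016Server": "KB-PLACEHOLDER-2016",
    "Windows-10": "KB-PLACEHOLDER-WIN10",
}

# Salt state (.sls) that installs each KB, named the way the blog names its Win2019_4534273 state.
# The two PLACEHOLDER names are assumptions, not real state files.
STATE_FOR_KB = {
    "KB4534273": "Win2019_4534273",
    "KB-PLACEHOLDER-2016": "Win2016_PLACEHOLDER",
    "KB-PLACEHOLDER-WIN10": "Win10_PLACEHOLDER",
}

# Constructed output of one `salt ... wusa.is_installed <KB> --out=json` run per KB.
IS_INSTALLED_JSON = {
    "KB4534273": '{"W2019": false}',
    "KB-PLACEHOLDER-2016": '{"W2016": true}',
    "KB-PLACEHOLDER-WIN10": '{"W10A": false}',
}


def parse_grains(grains_json):
    """Split grains.item JSON into {minion: (osfinger, first ipv4)} plus a list of minions that
    returned an error string instead of a grains dict (e.g. 'Minion did not return')."""
    hosts, unreachable = {}, []
    for minion, grains in json.loads(grains_json).items():
        if not isinstance(grains, dict):
            unreachable.append(minion)
            continue
        ipv4 = grains.get("ipv4") or []
        hosts[minion] = (grains.get("osfinger", ""), ipv4[0] if ipv4 else None)
    return hosts, unreachable


def parse_is_installed(installed_by_kb):
    """Flatten the per-KB wusa.is_installed JSON into {(minion, kb): bool}."""
    installed = {}
    for kb, text in installed_by_kb.items():
        for minion, flag in json.loads(text).items():
            installed[(minion, kb)] = flag is True  # an error string counts as 'not confirmed'
    return installed


def plan_remediation(grains_json, installed_by_kb, required_kb=REQUIRED_KB):
    """Return (pending, done, unknown):
       pending  [(minion, ipv4, kb)]  confirmed missing the KB -> patch these,
       done     [(minion, ipv4, kb)]  KB already installed,
       unknown  [(minion, reason)]    unreachable, unmapped osfinger, or no is_installed answer."""
    hosts, unreachable = parse_grains(grains_json)
    installed = parse_is_installed(installed_by_kb)
    pending, done = [], []
    unknown = [(m, "no grains returned") for m in unreachable]
    for minion, (osfinger, ip) in sorted(hosts.items()):
        kb = required_kb.get(osfinger)
        if kb is None:
            unknown.append((minion, "no KB mapped for osfinger " + osfinger))
        elif (minion, kb) not in installed:
            unknown.append((minion, "no wusa.is_installed result for " + kb))
        elif installed[(minion, kb)]:
            done.append((minion, ip, kb))
        else:
            pending.append((minion, ip, kb))
    return pending, done, unknown


def build_apply_commands(pending, state_for_kb=STATE_FOR_KB, test=True):
    """One state.apply per KB, targeting only the confirmed-unpatched minions with an explicit
    list (-L) instead of the broad osfinger regex; test=True keeps the dry run the blog does first."""
    by_kb = {}
    for minion, _ip, kb in pending:
        by_kb.setdefault(kb, []).append(minion)
    cmds = []
    for kb in sorted(by_kb):
        target = ",".join(sorted(by_kb[kb]))
        cmd = "salt -L '%s' state.apply %s" % (target, state_for_kb[kb])
        cmds.append(cmd + " test=true" if test else cmd)
    return cmds


if __name__ == "__main__":
    pending, done, unknown = plan_remediation(GRAINS_JSON, IS_INSTALLED_JSON)
    for row in pending:
        print("PENDING  %s (%s) needs %s" % row)
    for row in done:
        print("DONE     %s (%s) has %s" % row)
    for row in unknown:
        print("UNKNOWN  %s: %s" % row)
    for cmd in build_apply_commands(pending):
        print(cmd)
```

In real use the two JSON strings come straight from `salt ... --out=json` runs; the script deliberately keeps minions that did not answer in the unknown bucket rather than treating silence as "patched", because an offline host that reconnects later is still exposed and needs to go through the same check.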
By all accounts, this is a very critical vulnerability, and there is a good chance public exploits will become available over the next weeks or months. So don’t delay and patch your systems right away. In this blog, we demonstrated how you can use Salt to quickly discover vulnerable assets, and patch them in minutes. If you have questions, please don’t hesitate to reach out to us, and we would be happy to help.
And learn more about SaltStack SecOps solutions for automating the work of security operations here.