Cyber Awareness & Risk Management

Recommendation for immediate patching of critical vulnerabilities in the Microsoft Windows operating system

Editor’s note: For the convenience of our readers, the Office of Port and Facility Compliance is sharing information recently released through the Cybersecurity and Infrastructure Security Agency (CISA) regarding fixes for a critical vulnerability identified in Microsoft’s handling of certificates. More information can be found in the recent Cybersecurity and Infrastructure Security Agency (CISA) Alert.

The National Security Agency identified a critical vulnerability, CVE-2020-0601, in Microsoft’s handling of certificates. Microsoft released software fixes Jan. 14, 2020 to address 49 vulnerabilities as part of their monthly “Patch Tuesday” announcement. Due to the severity of some of the vulnerabilities, the Coast Guard strongly recommends organizations/individuals in the maritime community install these critical patches in the most expeditious manner possible.

CVE-2020-0601 affects all machines running 32- or 64-bit Windows 10 operating systems, including Windows Server 2016, and could permit an attacker to craft PKI/digital certificates to spoof trusted identities such as individuals, web sites, software companies, service providers, or others. Using a forged certificate, the attacker could gain access to vulnerable systems by sending a malicious executable file. The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider.
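
A defensive triage check related to the certificate spoofing described above, added here as an example and not part of the advisory: the forged certificates in CVE-2020-0601 carried explicitly defined elliptic-curve parameters instead of a standard named-curve identifier, so flagging any EC public key whose parameters are not a named curve is a useful first screen. The minimal DER parser and the sample key blobs below are my own constructions (Python standard library only); in practice the SubjectPublicKeyInfo would be extracted from a certificate under review.

```python
# Added defensive check (not code from the Coast Guard/CISA advisory): classify the
# elliptic-curve parameters in a DER SubjectPublicKeyInfo. CVE-2020-0601 involved
# certificates carrying explicit curve parameters rather than a named-curve OID, so
# an EC key whose parameters are not a named curve deserves a closer look.

ID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"
NAMED_CURVES = {"1.2.840.10045.3.1.7": "P-256",
                "1.3.132.0.34": "P-384", "1.3.132.0.35": "P-521"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):
    """Decode OID content octets to dotted form (first two arcs share one byte)."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def classify_ec_params(spki):
    """Return 'named:<curve>', 'explicit', 'implicit' or 'not-ec' for a DER SPKI."""
    _, body, _ = read_tlv(spki, 0)           # SubjectPublicKeyInfo SEQUENCE
    _, algid, _ = read_tlv(body, 0)          # AlgorithmIdentifier SEQUENCE
    _, oid, pos = read_tlv(algid, 0)         # algorithm OID
    if decode_oid(oid) != ID_EC_PUBLIC_KEY:
        return "not-ec"
    if pos >= len(algid):                    # parameters absent
        return "implicit"
    ptag, pval, _ = read_tlv(algid, pos)
    if ptag == 0x06:                         # namedCurve OID
        return "named:" + NAMED_CURVES.get(decode_oid(pval), decode_oid(pval))
    if ptag == 0x30:                         # ECParameters SEQUENCE: explicit curve
        return "explicit"
    return "implicit"                        # NULL (implicitlyCA)

# Constructed samples (not real keys): a P-256 SPKI with a dummy all-zero point, an
# EC SPKI whose parameters are a skeleton explicit ECParameters SEQUENCE, and RSA.
SAMPLE_NAMED = bytes.fromhex("3059301306072a8648ce3d020106082a8648ce3d030107"
                             "03420004" + "00" * 64)
SAMPLE_EXPLICIT = bytes.fromhex("3014300e06072a8648ce3d0201300302010103020000")
SAMPLE_RSA = bytes.fromhex("3013300d06092a864886f70d010101050003020000")
```

A result of "explicit" is a reason to inspect the certificate and its chain more closely, not proof of forgery, since explicit parameters are legal in X.509 even though they are rare in practice.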

Other vulnerabilities specifically mentioned (CVE-2020-0609, CVE-2020-0610, and CVE-2020-0611) affect Windows Server 2012 and newer. In addition, CVE-2020-0611 affects Windows 7 and newer. The server vulnerabilities can be exploited by initiating a remote connection and sending a specially crafted request. These vulnerabilities are critical because they do not require any authentication or user interaction to give the attacker access to the server. The client vulnerability can be exploited by convincing a user to connect to a malicious server/website. Once the attacker has gained the remote connection, they can use it to deploy ransomware, install backdoors, or move through the environment.

Organizations should prioritize patching by starting with mission-critical systems, internet-facing systems, and networked servers. Organizations should then prioritize patching other affected information technology/operational technology (IT/OT) assets. Individuals should ensure that all home devices are updated.

Individuals should review their personally owned machines and can check for available computer updates at the following menu location on their machine: “Start > Microsoft System Center > Software Center > Updates menu.”

This blog is not a replacement or substitute for the formal posting of regulations and updates or existing processes for receiving formal feedback of the same. Links provided on this blog will direct the reader to official source documents, such as the Federal Register, Homeport and the Code of Federal Regulations. These documents remain the official source for regulatory information published by the Coast Guard.