The NSA has found a significant vulnerability in Windows known as CVE-2020-0601. This vulnerability is particularly nasty and impacts the Windows CryptoAPI. It provides bad actors multiple avenues to access your data or even gain control of your environment.
Here are just a few things this vulnerability lets an attacker do:
Spoof a code-signing cert and sign malicious code
Conduct a man-in-the-middle attack
Decrypt confidential information
This is a quick overview. The NSA has a much deeper breakdown of all that is exposed with this vulnerability. Looking at the list above should make you a little concerned, but how about a little more food for thought. The NSA!!!! An agency that sits on found exploits so they can use them in their own offensive tools decided this is bad enough to let us know about it.
There is some good news, however. A patch is already available. If your environment has Windows 10, Windows Server 2016, or Windows Server 2019, you might want to move up your schedule for applying patches this time around.
Using PDQ Deploy and PDQ Inventory will let you push patching right away and let you see the results in real time. Within minutes you will be able to start patching your systems and create a report that will let you see which systems still need it.
First, open PDQ Inventory and run a scan so it has all of the latest data. If you go to some of our prebuilt collections, you will see which Windows machines are out of date. As you can see, we have two that are up to date and 39 that need to be updated (cut us some slack, updates just came out yesterday).
Now that we know what we need to update, let’s dive into the how!
Open PDQ Deploy and download the Windows update package. Click “Deploy Once” and we can point it to the collection we just used in PDQ Inventory, to make sure we get every computer up to date.
Hit “Deploy Now” and with one easy click, your systems are getting patched! Well, that was fun, and the time savings are crazy! I can hear the voice of millions of sysadmins groaning at the need to do this manually. Not to worry, we have you covered. Let’s set these up so PDQ Deploy can do the dirty work for you.
Double-click on the package to view the options to set a delay on the Auto Download time. We have ours set to one day so that the day after the latest patch is released, we will be ready to send it out to our computers.
Now, the package will always be up-to-date for us, but we would still have to deploy it every time! That is like five to six mouse clicks per update. This is completely unreasonable and we won’t stand for it! Let’s set up a schedule so our systems will update everything without us needing to lift a finger. Open all schedules and click on the “New Schedule” button. Point the schedule to the same collection as before. Then, set up how often we want it to deploy and make sure that we leave the box checked that says “Stop Deploying to targets once they succeed.”
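To cross-check the deployment results outside of PDQ, the sketch below (an added example, not PDQ's code) classifies hosts by the OS build and update build revision (UBR) they report, which stays accurate when a later cumulative update supersedes the January one. It assumes PowerShell remoting is enabled on the targets; the host names are constructed, and the baseline values are placeholders to fill in from Microsoft's advisory for CVE-2020-0601.

```powershell
# Added example. Reports which hosts still need the CVE-2020-0601 fix, based on
# CurrentBuild and UBR read from the registry over PowerShell remoting (WinRM).

# PLACEHOLDERS: set each value to the first UBR that contains the fix for that
# build, taken from Microsoft's advisory. $null means "not filled in yet".
$FirstFixedUbr = @{
    14393 = $null   # Windows 10 1607 / Windows Server 2016
    17763 = $null   # Windows 10 1809 / Windows Server 2019
}

function Get-PatchState {
    param([int]$Build, [int]$Ubr, [hashtable]$Baseline)
    if (-not $Baseline.ContainsKey($Build)) { return 'BuildNotInBaseline' }
    if ($null -eq $Baseline[$Build])        { return 'BaselineNotSet' }
    if ($Ubr -ge $Baseline[$Build])         { return 'Patched' }
    return 'NeedsPatch'
}

function Get-PatchReport {
    param([string[]]$ComputerName, [hashtable]$Baseline)
    foreach ($computer in $ComputerName) {
        try {
            $v = Invoke-Command -ComputerName $computer -ErrorAction Stop -ScriptBlock {
                Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' |
                    Select-Object CurrentBuild, UBR
            }
            [pscustomobject]@{
                Computer = $computer
                Build    = "$($v.CurrentBuild).$($v.UBR)"
                State    = Get-PatchState -Build $v.CurrentBuild -Ubr $v.UBR -Baseline $Baseline
            }
        } catch {
            # Offline or unreachable hosts must appear in the report, not vanish from it.
            [pscustomobject]@{ Computer = $computer; Build = $null; State = 'Unreachable' }
        }
    }
}

# Constructed host names for illustration.
Get-PatchReport -ComputerName 'WS-EXAMPLE-01', 'SRV-EXAMPLE-01' -Baseline $FirstFixedUbr |
    Sort-Object State, Computer | Format-Table -AutoSize
```

Hosts reported as `Unreachable` or `BuildNotInBaseline` need follow-up just as much as `NeedsPatch`, since none of them is confirmed patched.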
That is all there is to it. Now, you can kick back and do far more important things like play Frogger, take a nap, or even other work-related stuff. Whatever that is. I use all of my recovered time to write my spy thriller. It’s about a sysadmin who solves cold cases with his superhuman PowerShell skills. Trust me it’s a nail biter. Whatever it is you do, you can now do a lot more of it. You’re welcome.
Here is a link to a video with Lex showing how to fix this issue: Windows 10 Crypto Bug (CVE-2020-0601).
Stay patched, my friends.