Microsoft recently issued a patch to address a new critical vulnerability that, if exploited, could enable an attacker to trick users into downloading a malicious executable or conduct a man-in-the-middle (MitM) attack. The vulnerability, called Curveball (CVE-2020-0601), was initially disclosed by NSA. It affects all devices running Windows 10, Windows Server 2016, and Windows Server 2019.

What is Curveball?
Curveball was given its name because of the Elliptic Curve Cryptography (ECC) certificates that it impacts. It is a spoofing vulnerability that “exists in the way Windows CryptoAPI (Crypt32.dll) validates ECC certificates.” It allows an attacker to bypass Windows’ verification of cryptographic trust, so they can use a spoofed code-signing certificate to appear legitimate. Ultimately, there is no way a user would know the file doesn’t come from a trusted, legitimate source.

The severity of the vulnerability
An attacker could exploit this vulnerability to sign a malicious executable, so it appears legitimate. If a user opens or downloads the file, an attacker could do almost anything – remote code execution (RCE), lateral movement, further attack propagation. Attackers can also exploit this vulnerability to conduct man-in-the-middle (MitM) attacks and decrypt confidential information on user connections to software that has been affected.

All the hype
Curveball made waves due to its severity and the fact that it was the first time a Windows bug was reported publicly by NSA. In addition, it was significant because the Cybersecurity and Infrastructure Security Agency (CISA) released, for only the second time ever, an Emergency Directive about the vulnerability. Although the vulnerability is not known to have been exploited in the “real world” yet, proof-of-concept implementations have already started to emerge.

What can healthcare organizations do to protect their clinical networks?
First and foremost, the most effective way to protect your network is to make sure all your vulnerable Windows systems are patched and updated ASAP. This requires:

  1. Identifying all potentially affected devices – Windows 10, Windows Server 2016, Windows Server 2019, and Windows Server, version 1803, 1903, and 1909.
    • This takes visibility into the operating system (OS) and embedded software for each and every device in your environment to ensure nothing is missed.
  2. Understanding the criticality of affected devices – are they involved in the delivery of patient care? Which clinical workflows are they a part of? Once you understand the clinical relevance of affected devices you can:
    • Determine which systems can be automatically patched, without adversely impacting patient care, to immediately address the vulnerability. You can use a patch management platform, if you have it, for these devices.
    • Prioritize the patching of devices that can’t be patched automatically. Identify which are mission critical systems, high value assets (HVAs) and servers, and Internet-accessible devices that, if compromised, could put hospital operations, sensitive data (electronic medical records, personally identifiable information), or patient care at risk.
      • Put a plan in place to patch these first. It might require reaching out to medical device manufacturers to identify available patches and implementation methods.
      • It might take some time until patches for medical devices become available or can be implemented. In the meantime, don’t leave those devices exposed. Consider segmenting affected devices into their own VLANs and restricting external access to only trusted networks to help contain exploits and prevent attack propagation.
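As an added example that is not part of the original post, the script below applies the two steps above to a constructed device inventory: it flags devices running an affected Windows release, ranks them by clinical criticality and Internet exposure, and recommends either automatic patching or interim segmentation. The inventory, device names and field names are assumptions made for the example.

```python
"""Triage a device inventory for CVE-2020-0601 (Curveball) patching priority.

Step 1: find devices on an affected Windows release and not yet patched.
Step 2: rank them by patient-care relevance, high-value status and
Internet exposure, then recommend auto-patching or segmentation.
All inventory data below is constructed sample data, not real assets.
"""
from dataclasses import dataclass

# Affected releases named in the advisory, matched case-insensitively as
# substrings of the inventory's OS field.
AFFECTED_OS = ("windows 10", "windows server 2016", "windows server 2019",
               "windows server, version 1803", "windows server, version 1903",
               "windows server, version 1909")

@dataclass
class Device:
    name: str
    os: str
    patched: bool          # January 2020 cumulative update applied?
    patient_care: bool     # part of a clinical workflow?
    high_value: bool       # HVA: EMR/PII store, domain controller, etc.
    internet_facing: bool  # reachable from outside the hospital network?
    auto_patchable: bool   # can a patch-management platform update it?

def is_affected(os_name: str) -> bool:
    return any(a in os_name.lower() for a in AFFECTED_OS)

def priority(d: Device) -> int:
    """0 = act now, 1 = next, 2 = routine patching, 3 = nothing to do."""
    if not is_affected(d.os) or d.patched:
        return 3
    critical = d.patient_care or d.high_value
    if critical and d.internet_facing:
        return 0
    if critical or d.internet_facing:
        return 1
    return 2

def recommended_action(d: Device) -> str:
    if not is_affected(d.os):
        return "not affected"
    if d.patched:
        return "patched"
    if d.auto_patchable:
        return "push patch via patch-management platform"
    return ("contact manufacturer for patch; segment into own VLAN and "
            "restrict external access until patched")

def triage(devices):
    """Return (priority, name, action) rows, most urgent first."""
    return sorted((priority(d), d.name, recommended_action(d)) for d in devices)

# Constructed sample inventory (hypothetical hospital assets).
SAMPLE_INVENTORY = [
    Device("infusion-pump-12", "Windows 10 IoT Enterprise", False, True, False, False, False),
    Device("emr-db-01", "Windows Server 2019", False, False, True, True, True),
    Device("kiosk-07", "Windows 7 Enterprise", False, False, False, False, True),
    Device("file-srv-02", "Windows Server 2016", True, False, True, False, True),
    Device("hr-ws-33", "Windows 10 Pro", False, False, False, False, True),
]

if __name__ == "__main__":
    for prio, name, action in triage(SAMPLE_INVENTORY):
        print(f"P{prio} {name:18} {action}")
```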

For questions or help addressing this vulnerability in your network, please contact your Medigate rep or email