
CVE-2020-0601 - CryptoAPI Spoofing and Zero Day - CVE-2020-0674

In regards to CVE-2020-0601 – CryptoAPI, we are deploying the MS patch, but I want to get an assessment of whether the associated DAT file that was released would in itself provide adequate and reliable coverage. Since we have GTI enabled and set to “Medium”, we see no need to deploy the Extra.Dat file based on the Release Notes.

Would that be a correct assumption?

Also, regarding the current Zero Day issue - CVE-2020-0674 - are there any other updates, or will the following provide adequate coverage? I am asking because McAfee released an update for Exploit Prevention on 1/19/20. According to the Release Notes, it is “expected” to address this issue. Exploit Prevention version 9845 was added automatically to EPO and deployment occurred shortly thereafter.

The following rules are in place and set to block and report.

428 - Generic Buffer Overflow

1146 - Internet Explorer Buffer Overflow

6012 - Suspicious Function Invocation (Return to API)

6013 - Suspicious Function Invocation (Call Not Found)

6014 - Suspicious Function Invocation (Return Address)

6048 - Suspicious Function Invocation (Different Stack)

 

Thank you.

Accepted Solutions
AdithyanT McAfee Employee
Message 5 of 5

Hi @Glenn_Bolton,

Very glad to hear from you! This is to keep you updated: as per KBA KB92322, the EXTRA DAT is no longer required if your DAT/AMCore is updated.

  • V3: 3961.0 (ENS)

CVE-2020-0674 - This is covered by Exploit Prevention; however, we are carefully using "expected" as this is based on internal research on identified threat actors and techniques used during internal research. In short, your security posture against these vulnerabilities should look good as long as you are updated with the latest AMCore and Exploit Prevention content updates.

Also, for CVE-2020-0674, please look out for MS to release an update addressing the same, as patches are always the best way to fight against vulnerabilities.

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV200001

I sincerely hope this helps!

Thanks and regards,
Adithyan T

4 Replies
YashT McAfee Employee
Message 2 of 5

Hello @Glenn_Bolton ,

Your assumption is correct on 0601, but as an additional layer of security I would recommend that you deploy the Extra.DAT to your environment. It does no harm but will secure your environment for sure.

It's simple: download the DAT from KB92322 > extract the file > check it in to your master repository > apply it to all your systems with a client task.

Regarding 0674, yes, you are correct. You just have to make sure you have the content package version for:
McAfee Host Intrusion Prevention: 8.0.0.9845
McAfee Endpoint Security Exploit Prevention: 10.6.0.9845
Note: McAfee V3 Virus Definition Updates (DATs) version 3786 or above is a mandatory prerequisite for this Exploit Prevention content update on McAfee Endpoint Security versions 10.5.x and 10.6.x.

If this is updated in your EPO and on your client systems, you are secured 🙂

Thanks and regards,
Yash T
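
The version conditions quoted in the replies above can be checked across a fleet from an inventory export. The following is an added example, not part of any post in this thread and not McAfee code; the CSV column names, the host names and the reading of each quoted version as "this version or later" are assumptions.

```python
import csv
import io

# Versions quoted in the thread; "or later" semantics is this example's assumption.
AMCORE_MIN = (3961, 0)   # V3 DAT/AMCore (ENS) after which the Extra.DAT is not required
EP_BUILD_MIN = 9845      # content build shared by HIPS 8.0.0.9845 and ENS EP 10.6.0.9845
EP_PREREQ_DAT = (3786,)  # V3 DAT prerequisite for that content on ENS 10.5.x / 10.6.x

# Constructed inventory export; column names are hypothetical.
SAMPLE = """host,amcore,ep_content
ws-001,3961.0,10.6.0.9845
ws-002,3950.0,10.6.0.9845
ws-003,3780.0,10.6.0.9845
ws-004,3970.0,10.6.0.9810
ws-005,,10.6.0.9845
"""

def parse(version):
    """Dotted version string -> tuple of ints; None if blank or malformed."""
    try:
        return tuple(int(p) for p in version.strip().split("."))
    except ValueError:
        return None

def assess(row):
    """Return the list of coverage gaps for one endpoint row."""
    gaps = []
    amcore, ep = parse(row["amcore"]), parse(row["ep_content"])
    if amcore is None:
        gaps.append("AMCore version unknown")
    elif amcore < AMCORE_MIN:
        gaps.append("CVE-2020-0601: AMCore below 3961.0, Extra.DAT still needed")
    if ep is None:
        gaps.append("Exploit Prevention content version unknown")
    elif ep[-1] < EP_BUILD_MIN:  # compare the build, the last dotted component
        gaps.append("CVE-2020-0674: Exploit Prevention content below 9845")
    elif amcore is not None and amcore < EP_PREREQ_DAT:
        gaps.append("CVE-2020-0674: DAT below 3786, content prerequisite unmet")
    return gaps

def audit(text):
    """Map each host in the CSV text to its list of gaps (empty list = covered)."""
    return {r["host"]: assess(r) for r in csv.DictReader(io.StringIO(text))}

if __name__ == "__main__":
    for host, gaps in audit(SAMPLE).items():
        print(host, "OK" if not gaps else "; ".join(gaps))
```

A host with a blank version field is reported as unknown rather than counted as covered, so missing inventory data does not hide an unprotected endpoint.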
cheetah
Level 10
Message 3 of 5

Is it possible to protect against the CVE-2020-0674 gap with VSE?

AdithyanT McAfee Employee
Message 4 of 5

Hi @cheetah,

Good question! Unlike ENS, VSE does not have Exploit Prevention built in. Owing to this, we either need to have HIPS installed to obtain the coverage explained above for CVE-2020-0674 (Release notes here) or we need to wait for DAT content to be released with known actors. This can be verified against IOCs or hashes of known threat actors that use or exploit this vulnerability.

If neither of these is available to you, I would strongly recommend going with the workaround suggested by Microsoft: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV200001

I sincerely hope this helps your query here!

Thanks and regards,
Adithyan T