Microsoft kicked off its first Patch Tuesday of this decade on January 14th by revealing a critical flaw in the Windows cryptographic library that allows an attacker to deliver malicious code to an unsuspecting user and pass it off as coming from a trusted entity.

The vulnerability (CVE-2020-0601) exists in the core cryptographic module in Microsoft Windows which is responsible for implementing certificate and cryptographic messaging functions in Microsoft’s CryptoAPI.

An attacker can exploit this vulnerability to deliver malicious code that appears to be from a trusted entity. For example, an attacker could pass malicious applications off as legitimate applications and quickly compromise Windows hosts within the organization. According to Microsoft, this vulnerability impacts Windows 10, Windows Server 2016 and Windows Server 2019.

The vulnerability has not been exploited in the wild yet but has been labeled as ‘Exploitation More Likely’ since a patch is now available from Microsoft. Typically, when a patch is made available, attackers quickly reverse engineer the patch and identify a path to exploit the vulnerability. Therefore, users should pay attention and patch the vulnerability right away.

How can SaltStack help?

Identify vulnerable systems

The first step towards patching any vulnerability is to identify all vulnerable systems. Users can use Salt’s powerful minion targeting mechanism to enumerate a list of systems that are potentially vulnerable. 

Since, according to Microsoft, only Windows 10, Windows Server 2016, and Windows Server 2019 systems are impacted by this vulnerability, we can run a quick command to list the potentially vulnerable systems.

Here’s a quick Salt command to enumerate a list of vulnerable systems:

[root@localhost]# salt -C 'G@osfinger:Windows-2016Server or G@osfinger:Windows-2019Server or G@osfinger:Windows-10' grains.item osversion osrelease ipv4
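
The following is an added example, not part of the original post or SaltStack's own code: it turns the result of the command above into a patch inventory grouped by OS release, and keeps any targeted minion that did not return grains on a separate list so it is not silently dropped. It assumes the command was run with Salt's `--out=json` option, which prints one JSON document per minion; the minion IDs, versions, addresses and the non-grain return shown are constructed sample data.

```python
import json
from collections import defaultdict

# Constructed sample of the command's --out=json output: one JSON document
# per minion, printed back to back. All names and values are made up.
SAMPLE_OUTPUT = '''
{"win10-desk01": {"osversion": "10.0.18363", "osrelease": "10",
                  "ipv4": ["10.0.4.21", "127.0.0.1"]}}
{"dc-2016": {"osversion": "10.0.14393", "osrelease": "2016Server",
             "ipv4": ["10.0.1.5"]}}
{"build-2019": "Minion did not return. [No response]"}
'''


def parse_returns(text):
    """Decode back-to-back JSON documents into one {minion_id: return} dict."""
    decoder = json.JSONDecoder()
    returns, pos = {}, 0
    while pos < len(text):
        if text[pos].isspace():      # raw_decode does not skip whitespace
            pos += 1
            continue
        doc, pos = decoder.raw_decode(text, pos)
        returns.update(doc)
    return returns


def build_inventory(returns):
    """Group minions by osrelease; list minions whose return is not grains."""
    by_release, unverified = defaultdict(list), []
    for minion, grains in sorted(returns.items()):
        if not isinstance(grains, dict) or "osrelease" not in grains:
            unverified.append(minion)   # targeted, but state unknown
            continue
        # Drop loopback addresses so the list is usable for follow-up work.
        addrs = [ip for ip in grains.get("ipv4", []) if not ip.startswith("127.")]
        by_release[grains["osrelease"]].append(
            (minion, grains.get("osversion"), addrs))
    return dict(by_release), unverified


if __name__ == "__main__":
    inventory, unverified = build_inventory(parse_returns(SAMPLE_OUTPUT))
    for release, hosts in inventory.items():
        print(release, hosts)
    print("no grains returned:", unverified)
```

Minions on the "no grains returned" list matched the target but their patch status is unknown, so they should be followed up rather than treated as unaffected.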