[German]Are there issues caused by updates from the last patchday (January 2020), when the file Crypt32.dll was patched. A reader sent me a question about this topic. He is using McAfee and SCCM in an enterprise environment. Currently McAfee seems to block the SCCM agent smsexec.exe from accessing an RSA key.
Background: The NSA vulnerability CVE-2020-0601
On the January 2020 patchday, the vulnerability CVE-2020-0601 discovered by the NSA and reported to Microsoft became public. As a reminder, there is a spoofing vulnerability CVE-2020-0601 in the Crypt32.dll library (CryptoAPI) that could be exploited by attackers. An attacker could use a spoofed code-signing certificate to sign a malicious executable file.
A successful exploit could also allow the attacker to perform man-in-the-middle attacks and decrypt confidential information about user connections to the affected software. I had reported on this issue in the blog post Windows: Is a critical cryptography patch coming today? as well as in the article Windows: PoC for CryptoAPI Bug CVE-2020-0601 are out. Microsoft also published this blog post on Jan 14, 2020.
Microsoft states that Windows 10, Windows Server 2016 and 2019 are affected and has provided cumulative updates to close the vulnerability (see CVE-2020-0601 and my blog post Patchday Windows 10-Updates (December 10, 2019)).
A reader reported an issue
Today I received a mail from German blog reader Patrik D. asking if I know about issues with the patched Crypt32.dl. I will post his information here in the blog – maybe someone else is affected and can confirm this. Patrick wrote
After the patchday this morning, I noticed the following [event log entries] in interaction with SCCM and McAfee.
Event ID McAfee Endpoint Security from EventID=18060
NT AUTHORITY\SYSTEM ran smsexec.exe, which tried to access C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\
b173a4ca6eeb3a8529b5390fef6b81be_abb57870-155d-4625-9eb2-c73c0e888e7d, violating the rule “Malware Behavior : Windows EFS abuse”, and was blocked. For information about how to respond to this event, see KB85494. was raised.
If I look at the file, it is a Self Signed “SMS User Service” certificate. Since the Crypt32.dll has just been patched, this could be the reason. The cert itself is still valid.
Furthermore the same happens with another software. Have you already had any user notification? Anyway, we will escalate it to Premier-Support & McAfee.
I myself have not heard anything like that and the web does not know anything like that yet. But it looks like the agent smsexec.exe (SCCM Microsoft SMS Agent Host service) is prevented by McAfee from accessing a certificate. Anyone who uses the constellation of SCCM and patched Windows 10/server systems with McAfee enterprise solutions and can verify this?