{"id":12687,"date":"2020-01-20T13:07:40","date_gmt":"2020-01-20T12:07:40","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=12687"},"modified":"2023-08-25T22:56:54","modified_gmt":"2023-08-25T20:56:54","slug":"patchday-probleme-mit-sccm-mcafee-crypt32-dll-jan-2020","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2020\/01\/20\/patchday-probleme-mit-sccm-mcafee-crypt32-dll-jan-2020\/","title":{"rendered":"Patchday: Issues with SCCM, McAfee & Crypt32.dll (Jan 2020)?"},"content":{"rendered":"

\"Windows[German<\/a>]Are there issues caused by updates from the last patchday (January 2020), when the file Crypt32.dll<\/em> was patched. A reader sent me a question about this topic. He is using McAfee and SCCM in an enterprise environment. Currently McAfee seems to block the SCCM agent smsexec.exe<\/em> from accessing an RSA key. <\/p>\n

<\/p>\n

Background: The NSA vulnerability CVE-2020-0601<\/h2>\n

\"\"On the January 2020 patchday, the vulnerability CVE-2020-0601 discovered by the NSA and reported to Microsoft became public. As a reminder, there is a spoofing vulnerability CVE-2020-0601<\/a>  in the Crypt32.dll library (CryptoAPI) that could be exploited by attackers. An attacker could use a spoofed code-signing certificate to sign a malicious executable file.<\/p>\n

A successful exploit could also allow the attacker to perform man-in-the-middle attacks and decrypt confidential information about user connections to the affected software. I had reported on this issue in the blog post Windows: Is a critical cryptography patch coming today?<\/a> as well as in the article Windows: PoC for CryptoAPI Bug CVE-2020-0601 are out<\/a>. Microsoft also published this blog<\/a> post on Jan 14, 2020.  <\/p>\n

Microsoft states that Windows 10, Windows Server 2016 and 2019 are affected and has provided cumulative updates to close the vulnerability (see CVE-2020-0601<\/a> and my blog post Patchday Windows 10-Updates (December 10, 2019)<\/a>). <\/p>\n

A reader reported an issue<\/h2>\n

Today I received a mail from German blog reader Patrik D. asking if I know about issues with the patched Crypt32.dl. I will post his information here in the blog – maybe someone else is affected and can confirm this. Patrick wrote<\/p>\n

\n

After the patchday this morning, I noticed the following [event log entries] in interaction with SCCM and McAfee. <\/p>\n

Event ID McAfee Endpoint Security from EventID=18060
NT AUTHORITY\\SYSTEM ran smsexec.exe, which tried to access C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys\\
b173a4ca6eeb3a8529b5390fef6b81be_abb57870-155d-4625-9eb2-c73c0e888e7d, violating the rule \"Malware Behavior : Windows EFS abuse\", and was blocked. For information about how to respond to this event, see KB85494. was raised.
Event Descritpion:
EventID=18060 <\/p>\n

If I look at the file, it is a Self Signed \"SMS User Service\" certificate. Since the Crypt32.dll has just been patched, this could be the reason. The cert itself is still valid. <\/p>\n

Furthermore the same happens with another software. Have you already had any user notification? Anyway, we will escalate it to Premier-Support & McAfee.<\/p>\n<\/blockquote>\n

I myself have not heard anything like that and the web does not know anything like that yet. But it looks like the agent smsexec.exe<\/em> (SCCM Microsoft SMS Agent Host service) is prevented by McAfee from accessing a certificate. Anyone who uses the constellation of SCCM and patched Windows 10\/server systems with McAfee enterprise solutions and can verify this?<\/p>\n","protected":false},"excerpt":{"rendered":"

[German]Are there issues caused by updates from the last patchday (January 2020), when the file Crypt32.dll was patched. A reader sent me a question about this topic. He is using McAfee and SCCM in an enterprise environment. Currently McAfee seems … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[463,22,2],"tags":[166,195,194],"class_list":["post-12687","post","type-post","status-publish","format-standard","hentry","category-issue","category-update","category-windows","tag-issues","tag-update","tag-windows"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/12687","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=12687"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/12687\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=12687"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=12687"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=12687"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}