Announced 24 February 2020

Score: High

A high scoring security issue affects IGEL Windows 10 IoT

Details

A vulnerability has been discovered in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates (CVE-2020-0601). An attacker could exploit this to sign a malware executable with a spoofed certificate so that it will look legitimate to Windows. This vulnerability is also known as “Curve Ball” or “Chain of Fools”.

Update instructions:

  • Update to IGEL Windows 10 IoT version 4.04.140 or newer.

References

NVD - CVE-2020-0601 Detail: https://nvd.nist.gov/vuln/detail/CVE-2020-0601