Crypt32.dll Vulnerability Affects Hyper-V and Windows Operating Systems

0

Update 1.15.2020 – It appears that only Windows 10 and Windows Server 2016/2019 are affected.

Also, see my post here detailing the patch hyperlinks: https://www.virtualizationhowto.com/2020/01/download-crypt32-dll-patch-tuesday-security-rollup/

If you are running Windows Server Hyper-V to power your production virtual environments as well as running Windows “anything” in your environment, there is big news that broke as of yesterday regarding a serious vulnerability that was recently discovered in Microsoft Windows operating systems regarding the file “Crypt32.dll”. There aren’t many details on the vulnerability at this point, however, this is a bad one that really needs to be patched as soon as possible by all running Windows in their environments due to the nature of what the vulnerability affects. Crypt32.dll vulnerability affects Hyper-V and Windows operating systems so much so that Microsoft is getting this ready for patch Tuesday. Let’s look more into this new vulnerability and how your Hyper-V and Windows OS’s are affected.

Crypt32.dll Vulnerability Details

There are tons of blog posts and messages circulating today regarding the Crypt32.dll vulnerability. What are the details of this security risk?

The details regarding the Crypt32.dll vulnerability include that it affects ALL versions of Windows since Windows NT, so you are not protected if you are running a recent version of Windows client operating system or Windows Server.

The vulnerability affects the crypt32.dll which is a module in Windows that pertains to certificate and cryptographic messaging functions in the CyrptoAPI. As we all know, cryptography is a big deal and it serves to protect data as it is in-flight and at-rest. Any compromise of this part of the Windows subsystem is a critical threat.

Not only do the implications affect applications running on Windows like Internet Explorer and Edge, it will also affect the authentication mechanisms for important security related functions carried out in Windows like authentication.

Another alarming detail is that with this vulnerability it has been noted that it may be possible to spoof digital signatures that are used to verify identities from various reputable software vendors.

Crypt32.dll Vulnerability Affects Hyper-V and Windows Operating Systems

Since this vulnerability is extremely wide in scope, it not only affects client operating systems and Windows Server operating systems, it also affects hypervisor hosts running Hyper-V on top of Windows Server.

Crypt32.dll is involved in many very critical functions related to Hyper-V. Just a quick Google, one of the ones that I immediately think of is BitLocker. It looks to be involved in the BitLocker process. Additional Hyper-V capabilities that are deeply intertwined with crypt32.dll would certainly include the Guarded Fabric used for shielded virtual machines.

As you can imagine, the security implications of having this entire subsystem and components related to cryptographic processes used in Hyper-V compromised, could be catastrophic.

Hyper-V Patch Crypt32.dll Vulnerability with Cluster Aware Updating

In thinking about a way to get this vulnerability patched in your Windows Server Hyper-V environment, a great way to roll through your Hyper-V hosts and get your hosts updated with the latest patches including the on-to-be-released Microsoft patch(es) for the crypt32.dll vulnerability, is using Cluster-Aware Updating (CAU). It allows updating your Hyper-V clusters in a fully automated way.

How is Cluster-Aware Updating used? The following is taken from the Cluster-Aware Updating KB from Microsoft.

Cluster-Aware Updating is an automated feature that enables you to update servers in a failover cluster with little or no loss in availability during the update process. During an Updating Run, Cluster-Aware Updating transparently performs the following tasks:

  1. Puts each node of the cluster into node maintenance mode.
  2. Moves the clustered roles off the node.
  3. Installs the updates and any dependent updates.
  4. Performs a restart if necessary.
  5. Brings the node out of maintenance mode.
  6. Restores the clustered roles on the node.
  7. Moves to update the next node.

There are two modes for using Cluster-Aware Updating:

Self-updating mode. In self-updating mode, CAU can update the failover cluster ina fully automated way, taking care of the process end-to-end. This can be performed ad-hoc as well by an administrator.

Remote-updating mode – In this mode a separate remote machine, an Update Coordinator, is configured with CAU tools. It is not a member of the cluster itself, however, it coordinates the update process and can be used to monitor the process in real-time.

Below is a description of the components needed for the two different modes.

Installed componentSelf-updating modeRemote-updating mode
Failover Clustering featureRequired on all cluster nodesRequired on all cluster nodes
Failover Clustering ToolsRequired on all cluster nodes– Required on remote-updating computer
– Required on all cluster nodes to run the Save-CauDebugTrace cmdlet
CAU clustered roleRequiredNot required

How do you get to Cluster-Aware Updating? If you have Failover-Clustering and Hyper-V installed, you should see the Cluster Aware Updating tool available under your Tools menu in Server Manager.

Using-Cluster-aware-Updating-to-update-Hyper-V-clusters-with-crypt32.dll-patch Crypt32.dll Vulnerability Affects Hyper-V and Windows Operating Systems
Using Cluster-aware Updating to update Hyper-V clusters with crypt32.dll patch

Hyper-V Cluster-Aware Updating Resources

If you want to look at more cluster-aware updating resources, check out the below:

Crypt32.dll Vulnerability Resources

Check out the following articles on the Crypt32.dll vulnerability:

Wrapping Up

This is going to be interesting to see how Crypt32.dll Vulnerability Affects Hyper-V and Windows Operating Systems as well as how the patch plays out with Patch Tuesday. The implications of this vulnerability are certainly scary and should lead all of us to think about our security stance across the environment.

If you have Hyper-V running your business-critical virtual machines, you need to make sure you are fully patched to avoid having your hypervisor host compromised with a serious crytographic vulnerability affecting virtually all aspects of Windows and cryptogrphic operations. Stay tuned here for more as we know more.

Vembu BDR Suite