Update 1.15.2020 – It appears that only Windows 10 and Windows Server 2016/2019 are affected.
Also, see my post here detailing the patch hyperlinks: https://www.virtualizationhowto.com/2020/01/download-crypt32-dll-patch-tuesday-security-rollup/
If you are running Windows Server Hyper-V to power your production virtual environments as well as running Windows “anything” in your environment, there is big news that broke as of yesterday regarding a serious vulnerability that was recently discovered in Microsoft Windows operating systems regarding the file “Crypt32.dll”. There aren’t many details on the vulnerability at this point, however, this is a bad one that really needs to be patched as soon as possible by all running Windows in their environments due to the nature of what the vulnerability affects. Crypt32.dll vulnerability affects Hyper-V and Windows operating systems so much so that Microsoft is getting this ready for patch Tuesday. Let’s look more into this new vulnerability and how your Hyper-V and Windows OS’s are affected.
Crypt32.dll Vulnerability Details
There are tons of blog posts and messages circulating today regarding the Crypt32.dll vulnerability. What are the details of this security risk?
The details regarding the Crypt32.dll vulnerability include that it affects ALL versions of Windows since Windows NT, so you are not protected if you are running a recent version of Windows client operating system or Windows Server.
The vulnerability affects the crypt32.dll which is a module in Windows that pertains to certificate and cryptographic messaging functions in the CyrptoAPI. As we all know, cryptography is a big deal and it serves to protect data as it is in-flight and at-rest. Any compromise of this part of the Windows subsystem is a critical threat.
Not only do the implications affect applications running on Windows like Internet Explorer and Edge, it will also affect the authentication mechanisms for important security related functions carried out in Windows like authentication.
Another alarming detail is that with this vulnerability it has been noted that it may be possible to spoof digital signatures that are used to verify identities from various reputable software vendors.
Crypt32.dll Vulnerability Affects Hyper-V and Windows Operating Systems
Since this vulnerability is extremely wide in scope, it not only affects client operating systems and Windows Server operating systems, it also affects hypervisor hosts running Hyper-V on top of Windows Server.
Crypt32.dll is involved in many very critical functions related to Hyper-V. Just a quick Google, one of the ones that I immediately think of is BitLocker. It looks to be involved in the BitLocker process. Additional Hyper-V capabilities that are deeply intertwined with crypt32.dll would certainly include the Guarded Fabric used for shielded virtual machines.
As you can imagine, the security implications of having this entire subsystem and components related to cryptographic processes used in Hyper-V compromised, could be catastrophic.
Hyper-V Patch Crypt32.dll Vulnerability with Cluster Aware Updating
In thinking about a way to get this vulnerability patched in your Windows Server Hyper-V environment, a great way to roll through your Hyper-V hosts and get your hosts updated with the latest patches including the on-to-be-released Microsoft patch(es) for the crypt32.dll vulnerability, is using Cluster-Aware Updating (CAU). It allows updating your Hyper-V clusters in a fully automated way.
How is Cluster-Aware Updating used? The following is taken from the Cluster-Aware Updating KB from Microsoft.
Cluster-Aware Updating is an automated feature that enables you to update servers in a failover cluster with little or no loss in availability during the update process. During an Updating Run, Cluster-Aware Updating transparently performs the following tasks:
- Puts each node of the cluster into node maintenance mode.
- Moves the clustered roles off the node.
- Installs the updates and any dependent updates.
- Performs a restart if necessary.
- Brings the node out of maintenance mode.
- Restores the clustered roles on the node.
- Moves to update the next node.
There are two modes for using Cluster-Aware Updating:
Self-updating mode. In self-updating mode, CAU can update the failover cluster ina fully automated way, taking care of the process end-to-end. This can be performed ad-hoc as well by an administrator.
Remote-updating mode – In this mode a separate remote machine, an Update Coordinator, is configured with CAU tools. It is not a member of the cluster itself, however, it coordinates the update process and can be used to monitor the process in real-time.
Below is a description of the components needed for the two different modes.
|Installed component||Self-updating mode||Remote-updating mode|
|Failover Clustering feature||Required on all cluster nodes||Required on all cluster nodes|
|Failover Clustering Tools||Required on all cluster nodes||– Required on remote-updating computer|
– Required on all cluster nodes to run the Save-CauDebugTrace cmdlet
|CAU clustered role||Required||Not required|
How do you get to Cluster-Aware Updating? If you have Failover-Clustering and Hyper-V installed, you should see the Cluster Aware Updating tool available under your Tools menu in Server Manager.
Hyper-V Cluster-Aware Updating Resources
If you want to look at more cluster-aware updating resources, check out the below:
Crypt32.dll Vulnerability Resources
Check out the following articles on the Crypt32.dll vulnerability:
This is going to be interesting to see how Crypt32.dll Vulnerability Affects Hyper-V and Windows Operating Systems as well as how the patch plays out with Patch Tuesday. The implications of this vulnerability are certainly scary and should lead all of us to think about our security stance across the environment.
If you have Hyper-V running your business-critical virtual machines, you need to make sure you are fully patched to avoid having your hypervisor host compromised with a serious crytographic vulnerability affecting virtually all aspects of Windows and cryptogrphic operations. Stay tuned here for more as we know more.