- Microsoft disclosed a vulnerability in their monthly Patch Tuesday referenced under CVE-2020-0601.
- The vulnerability was discovered by the U.S. National Security Agency, anounced today (2020-01-14) in their press conference, followed by a blog post and an official security advisory.
- The flaw is located in the "CRYPT32.DLL" file under the C:\Windows\System32\ directory.
-
NSA description:
-
NSA has discovered a critical vulnerability (CVE-2020-0601) affecting Microsoft Windows® cryptographic functionality.
-
The certificate validation vulnerability allows an attacker to undermine how Windows verifies cryptographic trust and can enable remote code execution.
-
The vulnerability affects Windows 10 and Windows Server 2016/2019 as well as applications that rely on Windows for trust functionality. Exploitation of the vulnerability allows attackers to defeat trusted network connections and deliver executable code while appearing as legitimately trusted entities.
-
Examples where validation of trust may be impacted include:
- HTTPS connections
- Signed files and emails
- Signed executable code launched as user-mode processes
-
The vulnerability places Windows endpoints at risk to a broad range of exploitation vectors.
-
NSA assesses the vulnerability to be severe and that sophisticated cyber actors will understand the underlying flaw very quickly and, if exploited, would render the previously mentioned platforms as fundamentally vulnerable.
-
The consequences of not patching the vulnerability are severe and widespread. Remote exploitation tools will likely be made quickly and widely available.
-
Rapid adoption of the patch is the only known mitigation at this time and should be the primary focus for all network owners.
-
If you really want to deep dive in the cryptographic part and understand better the root cause of this vulnerability, Tal Be'ery published today a very didactic explanation:
-
Publicly available: YES
-
PoC published the 2020-01-16 1208 AM GMT+1 (PoC1)
- Interesting nuggets: RSA 2048, use NIST P-384 (secp384r1) curve, 365 days default expire date.
- 1 Sample uploaded on VTI, seems related to the previous PoC, but no confirmation
- Updated PoC (2020-01-16 1448)
- Updated include new nuggets: 10000 days default expire date, now abuse CA: "Microsoft ECC Product Root Certificate Authority 2018", still use NIST P-384 (secp384r1) curve, added a mark in the end "Signed by ollypwn"
-
PoC published the 2020-01-16 1214 AM GMT+1 [PoC2]
- Interesting nuggets: default serial number = 0x5c8b99c55a94c5d27156decd8980cc26, use NIST P-384 (secp384r1) curve, 500 days default expire date, configured to abuse USERTrust ECC Certification Authority, some others hardcoded information but could be changed easily, C = CH, ST = Vaud, L = Lausanne, O = Kudelski Security, CN = 85.184.255.36.
-
-
Privately available: YES (Around 10 private PoC)
-
In The Wild Exploitation: YES
- Microsoft Security Advisory
- NSA Security Advisory
- Microsoft BlogPost
- NSA BlogPost
- CISA-ED20-02
- CISA-Alert-aa20-014a
- CERT-FR_ALERTE
- CERT/CC VU#849224
- NCSC IE
- Research BlogPost
- Windows 10 for 32-bit Systems
- Windows 10 for x64-based Systems
- Windows 10 Version 1607 for 32-bit Systems
- Windows 10 Version 1607 for x64-based Systems
- Windows 10 Version 1709 for 32-bit Systems
- Windows 10 Version 1709 for ARM64-based Systems
- Windows 10 Version 1709 for x64-based Systems
- Windows 10 Version 1803 for 32-bit Systems
- Windows 10 Version 1803 for ARM64-based Systems
- Windows 10 Version 1803 for x64-based Systems
- Windows 10 Version 1809 for 32-bit Systems
- Windows 10 Version 1809 for ARM64-based Systems
- Windows 10 Version 1809 for x64-based Systems
- Windows 10 Version 1903 for 32-bit Systems
- Windows 10 Version 1903 for ARM64-based Systems
- Windows 10 Version 1903 for x64-based Systems
- Windows 10 Version 1909 for 32-bit Systems
- Windows 10 Version 1909 for ARM64-based Systems
- Windows 10 Version 1909 for x64-based Systems
- Windows Server 2016
- Windows Server 2016 (Server Core installation)
- Windows Server 2019
- Windows Server 2019 (Server Core installation)
- Windows Server, version 1803 (Server Core Installation)
- Windows Server, version 1903 (Server Core installation)
- Windows Server, version 1909 (Server Core installation)
- Exploit:Win32/CVE-2020-0601.A
- Exploit:Win32/CVE-2020-0601.B
- Exploit:Win32/CVE-2020-0601.D
- Exploit:Win32/CVE-2020-0601.E
- Matt Graeber gave a us a oneliner command to check quickly in the log if there's any evidence of an event linked to CVE-2020-0601 (Application/EID 1-2)
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 1; ProviderName = 'Microsoft-Windows-Audit-CVE' } | select -Property * -ExcludeProperty MachineName, UserId
- Not affected if you're running the following or up version: 79.0.3945.130
- Security update changelog
- Code Commit CVE-2020-0601
- Deep Security and Vulnerability Protection
- Rule 1010130 - Microsoft Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601)
- Apex One Vulnerability Protection (iVP)
- Rule 1010130 - Microsoft Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601)
- TippingPoint Filter
- 36956: HTTP: Microsoft Windows CryptoAPI Spoofing Vulnerability
- Deep Security Log Inspection
- Rule 1010129 - Microsoft Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601)
- Deep Discovery Inspector (DDI)
- Rule 3202 – CVE-2020-0601 Spoofed Certificate Attempt – TLS – Beta
- Trend Micro Microsoft Windows CryptoAPI Spoofing Vulnerability Assessment Tool (SHA256: 11e6b2e96e4e10c00b137aa1c362ac6ac7e65751948bd1f4ef2e34312da8dac0)
- TrendMicro BlogPost
- TrendMicro CurveBall BlogPost
- TrendMicro Security Alert
- 1:52593 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
- 1:52594 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
- 1:52595 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
- 1:52596 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
- Kaspersky security products blocked fake ssl forged certificates, I wasn't able to confirm for the PE or script.
- Kaspersky BlogPost
- QID: 91595
- Qualys BlogPost
- Thanks to 0xxon for the work on Zeek / Bro iDS
- GitHub
- Zeek BlogPost
- Tweet 0xxon
- 2840457 - ETPRO EXPLOIT Possible Spoofed ECDSA Certificate Inbound (CVE-2020-0601) M1 (exploit.rules)
- 2840458 - ETPRO EXPLOIT Possible Spoofed ECDSA Certificate Inbound (CVE-2020-0601) M2 (exploit.rules)
- Thanks to Florian Roth, there's a sigma rule to detect an exploitation attempst on patched devices.
- GITHUB Sigma Rule
- Tweet Florian Roth
- Offcial guidace: Update your system !
- Website available to check if you're browser is vulnerable to CVE-2020-0601
- Browser Website Check
- From Didier Stevens blog, with a bit of VBA, you can test, if your system is patched, to create an emulated event.
- Didier Stevens Blog: Using CveEventWrite From VBA CVE-2020-0601
[System.Diagnostics.FileVersionInfo]::GetVersionInfo("C:\Windows\System32\crypt32.dll").FileVersionRaw.ToString()
- the new DLL is signed with the following timestamp "Friday 3 january 2020 06:14:45"
- Windows 10, the new DLL has the following version "10.0.18362.592"
- Windows 10, the new DLL has the following hashes:
- CRC32: 2B82D538
- CRC64: 14D5AADB0BD14B22
- SHA256: E832E3A58B542E15A169B1545CE82451ACE19BD361FD81764383048528F9B540
- SHA1: 7A9DD389B0E3C124D4BFE5C1FF15F9A93285514F
- BLAKE2sp: EEE317CD4E1C395DD1DBCA3DCD066728FAE00250D6884EA63B9F6CAD83C14610
- the new DLL is signed with the following timestamp "Friday 20 december 2019 06:10:17"
- the new DLL has the following version "10.0.14393.3442"
- the new DLL has the following hashes:
- CRC32: A3F4A8B6
- CRC64: 190E000CED3B17BB
- SHA256: 6AE927255B0576AF136DF57210A1BA64C42A504D50867F58B7A128B4FD26A77C
- SHA1: EF881BAE1A18EC6017DDC9AC5076ED00730C6572
- BLAKE2sp: 2EAAAE609B2A1D1353CD780BEDF30089C7F0399BC9288E197A04DF2C23FDC767
- You can detect devices patched with the following oneliner command:
SELECT * FROM patches WHERE HOTFIX_ID='KB4534273';
- Thanks to Kolide Kolide Tweet
- You can detect in your patched devices any try of exploitation with the following oneliner command:
sourcetype=WinEventLog EventCode=1 LogName=Application Message="*[CVE-2020-0601]*"
- Splunk BlogPost
- Thanks to Richard Davis DAVISRICHARDG Tweet
- Thanks to TomU who explained the necessary configuration for recovering the events in Splunk HF inputs.conf
- Check his github gist Matt Graeber Gist
- Tweets explanations Tweets
- Feel free to report any mistake directly below in the comment or in DM on Twitter @SwitHak
Is it possible to update only that DLL ? (I don't really want to update my entire system for 1 faulty file)
If yes, on what versions of Windows does it work ? (I have 1903 on x86 system, I can check this one for you.)