CVE-2020-0601 AKA ChainOfFools OR CurveBall
General
- Microsoft disclosed a vulnerability in their monthly Patch Tuesday referenced under CVE-2020-0601.
- The vulnerability was discovered by the U.S. National Security Agency, anounced today (2020-01-14) in their press conference, followed by a blog post and an official security advisory.
- The flaw is located in the "CRYPT32.DLL" file under the C:\Windows\System32\ directory.
Vulnerability explanation
-
NSA description:
-
NSA has discovered a critical vulnerability (CVE-2020-0601) affecting Microsoft Windows® cryptographic functionality.
-
The certificate validation vulnerability allows an attacker to undermine how Windows verifies cryptographic trust and can enable remote code execution.
-
The vulnerability affects Windows 10 and Windows Server 2016/2019 as well as applications that rely on Windows for trust functionality. Exploitation of the vulnerability allows attackers to defeat trusted network connections and deliver executable code while appearing as legitimately trusted entities.
-
Examples where validation of trust may be impacted include:
- HTTPS connections
- Signed files and emails
- Signed executable code launched as user-mode processes
-
The vulnerability places Windows endpoints at risk to a broad range of exploitation vectors.
-
NSA assesses the vulnerability to be severe and that sophisticated cyber actors will understand the underlying flaw very quickly and, if exploited, would render the previously mentioned platforms as fundamentally vulnerable.
-
The consequences of not patching the vulnerability are severe and widespread. Remote exploitation tools will likely be made quickly and widely available.
-
Rapid adoption of the patch is the only known mitigation at this time and should be the primary focus for all network owners.
-
If you really want to deep dive in the cryptographic part and understand better the root cause of this vulnerability, Tal Be'ery published today a very didactic explanation:
EXPLOIT
-
Publicly available: YES
-
PoC published the 2020-01-16 1208 AM GMT+1 (PoC1)
- Interesting nuggets: RSA 2048, use NIST P-384 (secp384r1) curve, 365 days default expire date.
- 1 Sample uploaded on VTI, seems related to the previous PoC, but no confirmation
- Updated PoC (2020-01-16 1448)
- Updated include new nuggets: 10000 days default expire date, now abuse CA: "Microsoft ECC Product Root Certificate Authority 2018", still use NIST P-384 (secp384r1) curve, added a mark in the end "Signed by ollypwn"
-
PoC published the 2020-01-16 1214 AM GMT+1 [PoC2]
- Interesting nuggets: default serial number = 0x5c8b99c55a94c5d27156decd8980cc26, use NIST P-384 (secp384r1) curve, 500 days default expire date, configured to abuse USERTrust ECC Certification Authority, some others hardcoded information but could be changed easily, C = CH, ST = Vaud, L = Lausanne, O = Kudelski Security, CN = 85.184.255.36.
-
-
Privately available: YES (Around 10 private PoC)
-
In The Wild Exploitation: YES
REFERENCES
- Microsoft Security Advisory
- NSA Security Advisory
- Microsoft BlogPost
- NSA BlogPost
- CISA-ED20-02
- CISA-Alert-aa20-014a
- CERT-FR_ALERTE
- CERT/CC VU#849224
- NCSC IE
- Research BlogPost
Affected Versions (Exhaustive list)
- Windows 10 for 32-bit Systems
- Windows 10 for x64-based Systems
- Windows 10 Version 1607 for 32-bit Systems
- Windows 10 Version 1607 for x64-based Systems
- Windows 10 Version 1709 for 32-bit Systems
- Windows 10 Version 1709 for ARM64-based Systems
- Windows 10 Version 1709 for x64-based Systems
- Windows 10 Version 1803 for 32-bit Systems
- Windows 10 Version 1803 for ARM64-based Systems
- Windows 10 Version 1803 for x64-based Systems
- Windows 10 Version 1809 for 32-bit Systems
- Windows 10 Version 1809 for ARM64-based Systems
- Windows 10 Version 1809 for x64-based Systems
- Windows 10 Version 1903 for 32-bit Systems
- Windows 10 Version 1903 for ARM64-based Systems
- Windows 10 Version 1903 for x64-based Systems
- Windows 10 Version 1909 for 32-bit Systems
- Windows 10 Version 1909 for ARM64-based Systems
- Windows 10 Version 1909 for x64-based Systems
- Windows Server 2016
- Windows Server 2016 (Server Core installation)
- Windows Server 2019
- Windows Server 2019 (Server Core installation)
- Windows Server, version 1803 (Server Core Installation)
- Windows Server, version 1903 (Server Core installation)
- Windows Server, version 1909 (Server Core installation)
How-To detect that
Vendors detections
Microsoft
Definitions
- Exploit:Win32/CVE-2020-0601.A
- Exploit:Win32/CVE-2020-0601.B
- Exploit:Win32/CVE-2020-0601.D
- Exploit:Win32/CVE-2020-0601.E
Azure Sentinel
Inside Windows logs
- Matt Graeber gave a us a oneliner command to check quickly in the log if there's any evidence of an event linked to CVE-2020-0601 (Application/EID 1-2)
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 1; ProviderName = 'Microsoft-Windows-Audit-CVE' } | select -Property * -ExcludeProperty MachineName, UserId
Crowdstrike
CheckPoint
Tanium
Tehtris XDR
Google Chrome
- Not affected if you're running the following or up version: 79.0.3945.130
- Security update changelog
- Code Commit CVE-2020-0601
TrendMicro
- Deep Security and Vulnerability Protection
- Rule 1010130 - Microsoft Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601)
- Apex One Vulnerability Protection (iVP)
- Rule 1010130 - Microsoft Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601)
- TippingPoint Filter
- 36956: HTTP: Microsoft Windows CryptoAPI Spoofing Vulnerability
- Deep Security Log Inspection
- Rule 1010129 - Microsoft Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601)
- Deep Discovery Inspector (DDI)
- Rule 3202 – CVE-2020-0601 Spoofed Certificate Attempt – TLS – Beta
- Trend Micro Microsoft Windows CryptoAPI Spoofing Vulnerability Assessment Tool (SHA256: 11e6b2e96e4e10c00b137aa1c362ac6ac7e65751948bd1f4ef2e34312da8dac0)
- TrendMicro BlogPost
- TrendMicro CurveBall BlogPost
- TrendMicro Security Alert
SOCPrime
Symantec
ZSCALER
SentinelOne
SNORT
- 1:52593 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
- 1:52594 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
- 1:52595 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
- 1:52596 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
McAfee
Fortinet
Kaspersky
- Kaspersky security products blocked fake ssl forged certificates, I wasn't able to confirm for the PE or script.
- Kaspersky BlogPost
Paloalto Networks (PAN)
Qualys
- QID: 91595
- Qualys BlogPost
Tenable
Zeek / BRO IDS
- Thanks to 0xxon for the work on Zeek / Bro iDS
- GitHub
- Zeek BlogPost
- Tweet 0xxon
Emerging Threats Pro:
- 2840457 - ETPRO EXPLOIT Possible Spoofed ECDSA Certificate Inbound (CVE-2020-0601) M1 (exploit.rules)
- 2840458 - ETPRO EXPLOIT Possible Spoofed ECDSA Certificate Inbound (CVE-2020-0601) M2 (exploit.rules)
Rapid7 - InsightVM
SIGMA RULE
- Thanks to Florian Roth, there's a sigma rule to detect an exploitation attempst on patched devices.
- GITHUB Sigma Rule
- Tweet Florian Roth
Sophos
- Offcial guidace: Update your system !
ESET
Website to check if your device is vulnerable
- Website available to check if you're browser is vulnerable to CVE-2020-0601
- Browser Website Check
EMULATE CVE-2020-0601 exploitation attempt
- From Didier Stevens blog, with a bit of VBA, you can test, if your system is patched, to create an emulated event.
- Didier Stevens Blog: Using CveEventWrite From VBA CVE-2020-0601
DETECT
Detect the current version of "crypt32.dll"
Detect with PowerShell
[System.Diagnostics.FileVersionInfo]::GetVersionInfo("C:\Windows\System32\crypt32.dll").FileVersionRaw.ToString()
Check the file signatures and dates
On Windows 10 Clients
- the new DLL is signed with the following timestamp "Friday 3 january 2020 06:14:45"
- Windows 10, the new DLL has the following version "10.0.18362.592"
- Windows 10, the new DLL has the following hashes:
- CRC32: 2B82D538
- CRC64: 14D5AADB0BD14B22
- SHA256: E832E3A58B542E15A169B1545CE82451ACE19BD361FD81764383048528F9B540
- SHA1: 7A9DD389B0E3C124D4BFE5C1FF15F9A93285514F
- BLAKE2sp: EEE317CD4E1C395DD1DBCA3DCD066728FAE00250D6884EA63B9F6CAD83C14610
On Windows Server 2016 version 1607
- the new DLL is signed with the following timestamp "Friday 20 december 2019 06:10:17"
- the new DLL has the following version "10.0.14393.3442"
- the new DLL has the following hashes:
- CRC32: A3F4A8B6
- CRC64: 190E000CED3B17BB
- SHA256: 6AE927255B0576AF136DF57210A1BA64C42A504D50867F58B7A128B4FD26A77C
- SHA1: EF881BAE1A18EC6017DDC9AC5076ED00730C6572
- BLAKE2sp: 2EAAAE609B2A1D1353CD780BEDF30089C7F0399BC9288E197A04DF2C23FDC767
PowerShell & SCCM are your friends to gain a visibility in your networks
Detect with OSQUERY if your device is patched
- You can detect devices patched with the following oneliner command:
SELECT * FROM patches WHERE HOTFIX_ID='KB4534273';
- Thanks to Kolide Kolide Tweet
Detect with SPLUNK if your device is attacked by CVE-2020-0601
- You can detect in your patched devices any try of exploitation with the following oneliner command:
sourcetype=WinEventLog EventCode=1 LogName=Application Message="*[CVE-2020-0601]*"
- Splunk BlogPost
- Thanks to Richard Davis DAVISRICHARDG Tweet
- Thanks to TomU who explained the necessary configuration for recovering the events in Splunk HF inputs.conf
Parses the ASN.1-encoded ECC curve parameters from an Audit-CVE By Matt Graeber
- Check his github gist Matt Graeber Gist
- Tweets explanations Tweets
Errors, typos, something to say ?
- Feel free to report any mistake directly below in the comment or in DM on Twitter @SwitHak
Why the hell it is possible for a server to send a root certificate which is normally available client-side?