BlueTeam CheatSheet * CVE-2020-0601 * crypt32.dll

CVE-2020-0601

General

  • Microsoft disclosed a vulnerability in their monthly Patch Tuesday referenced under CVE-2020-0601.
  • The vulnerability was discovered by the U.S. National Security Agency, announced today (2020-01-14) in their press conference, followed by a blog post and an official security advisory.
  • The flaw is located in the "CRYPT32.DLL" file under the C:\Windows\System32\ directory.

Vulnerability explanation

  • NSA description:

  • NSA has discovered a critical vulnerability (CVE-2020-0601) affecting Microsoft Windows® cryptographic functionality.

  • The certificate validation vulnerability allows an attacker to undermine how Windows verifies cryptographic trust and can enable remote code execution.

  • The vulnerability affects Windows 10 and Windows Server 2016/2019 as well as applications that rely on Windows for trust functionality. Exploitation of the vulnerability allows attackers to defeat trusted network connections and deliver executable code while appearing as legitimately trusted entities.

  • Examples where validation of trust may be impacted include:

    • HTTPS connections
    • Signed files and emails
    • Signed executable code launched as user-mode processes
  • The vulnerability places Windows endpoints at risk to a broad range of exploitation vectors.

  • NSA assesses the vulnerability to be severe and that sophisticated cyber actors will understand the underlying flaw very quickly and, if exploited, would render the previously mentioned platforms as fundamentally vulnerable.

  • The consequences of not patching the vulnerability are severe and widespread. Remote exploitation tools will likely be made quickly and widely available.

  • Rapid adoption of the patch is the only known mitigation at this time and should be the primary focus for all network owners.

  • Author's note: still assessing the situation

REFERENCES

Affected Versions

  • Windows 10 for 32-bit Systems
  • Windows 10 for x64-based Systems
  • Windows 10 Version 1607 for 32-bit Systems
  • Windows 10 Version 1607 for x64-based Systems
  • Windows 10 Version 1709 for 32-bit Systems
  • Windows 10 Version 1709 for ARM64-based Systems
  • Windows 10 Version 1709 for x64-based Systems
  • Windows 10 Version 1803 for 32-bit Systems
  • Windows 10 Version 1803 for ARM64-based Systems
  • Windows 10 Version 1803 for x64-based Systems
  • Windows 10 Version 1809 for 32-bit Systems
  • Windows 10 Version 1809 for ARM64-based Systems
  • Windows 10 Version 1809 for x64-based Systems
  • Windows 10 Version 1903 for 32-bit Systems
  • Windows 10 Version 1903 for ARM64-based Systems
  • Windows 10 Version 1903 for x64-based Systems
  • Windows 10 Version 1909 for 32-bit Systems
  • Windows 10 Version 1909 for ARM64-based Systems
  • Windows 10 Version 1909 for x64-based Systems
  • Windows Server 2016
  • Windows Server 2016 (Server Core installation)
  • Windows Server 2019
  • Windows Server 2019 (Server Core installation)
  • Windows Server, version 1803 (Server Core Installation)
  • Windows Server, version 1903 (Server Core installation)
  • Windows Server, version 1909 (Server Core installation)

How to detect it

Vendor detections

Microsoft

Inside Windows logs

  • Matt Graeber gave us a one-liner command to quickly check the log for any evidence of an event linked to CVE-2020-0601 (Application log, Event IDs 1-2):
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 1; ProviderName = 'Microsoft-Windows-Audit-CVE' } | select -Property * -ExcludeProperty MachineName, UserId
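The same check, extended to several hosts and to both event IDs the text mentions, as an added example (not part of the gist and not Matt Graeber's code). It assumes remote event log access is permitted to the listed hosts; the host names in the usage line are constructed for illustration.

```powershell
# Added example (not from the gist): collect CVE-2020-0601 audit events
# (Application log, provider Microsoft-Windows-Audit-CVE, Event IDs 1 and 2)
# from one or more hosts and return them as objects suitable for Export-Csv.
# Assumption: remote event log access (WinRM / RPC) is allowed to the hosts.
function Get-Cve20200601Event {
    [CmdletBinding()]
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [datetime]$StartTime = (Get-Date).AddDays(-7)
    )

    $filter = @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-Audit-CVE'
        Id           = 1, 2
        StartTime    = $StartTime
    }

    foreach ($computer in $ComputerName) {
        try {
            # -ErrorAction Stop turns the "no events found" case into a catchable error
            $events = Get-WinEvent -ComputerName $computer -FilterHashtable $filter -ErrorAction Stop
        }
        catch {
            # "No events were found" is the normal result on a clean host;
            # anything else (access denied, host unreachable) is worth a warning
            if ($_.Exception.Message -notmatch 'No events were found') {
                Write-Warning "$computer`: $($_.Exception.Message)"
            }
            continue
        }

        foreach ($e in $events) {
            # The Audit-CVE provider is shared by other audited CVEs, so keep only
            # events whose message references this one
            if ($e.Message -notmatch 'CVE-2020-0601') { continue }
            [pscustomobject]@{
                Computer    = $computer
                TimeCreated = $e.TimeCreated
                EventId     = $e.Id
                ProcessId   = $e.ProcessId
                Message     = ($e.Message -replace '\s+', ' ').Trim()
            }
        }
    }
}

# Usage (constructed host names): query two hosts and keep the findings
# Get-Cve20200601Event -ComputerName 'WKS-01', 'WKS-02' |
#     Export-Csv -Path .\cve-2020-0601-events.csv -NoTypeInformation
```

These events only appear on hosts that already have the January 2020 update installed, since the logging was added by the patch itself; an empty result on an unpatched host tells you nothing.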

Crowdstrike

Symantec

SNORT

  • 1:52593 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
  • 1:52594 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
  • 1:52595 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
  • 1:52596 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)

McAfee

  • [TBD]

Sophos

  • [TBD]

ESET

  • [TBD]

Kaspersky

  • [TBD]

DETECT

Detect the current version of "crypt32.dll"

Check the file signatures and dates

  • Eg: On Windows 10, the new DLL is signed with the following timestamp "Friday 3 January 2020 06:14:45"

  • Eg: On Windows 10, the new DLL has the following version "10.0.18362.592"

  • Eg: On Windows 10, the new DLL has the following hashes:

    • CRC32: 2B82D538
    • CRC64: 14D5AADB0BD14B22
    • SHA256: E832E3A58B542E15A169B1545CE82451ACE19BD361FD81764383048528F9B540
    • SHA1: 7A9DD389B0E3C124D4BFE5C1FF15F9A93285514F
    • BLAKE2sp: EEE317CD4E1C395DD1DBCA3DCD066728FAE00250D6884EA63B9F6CAD83C14610
  • PowerShell & SCCM are your friends to gain visibility into your networks

Detect with OSQUERY

  • You can detect patched devices with the following one-liner query:
SELECT * FROM patches WHERE HOTFIX_ID='KB4534273';
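A PowerShell equivalent of the two checks above (DLL version/hash/signature, plus the hotfix query), as an added example that is not part of the gist. The reference values are the ones this page lists for the Windows 10 build the author examined (file version 10.0.18362.592 and KB4534273, i.e. build 18362); other builds ship different versions, hashes and KB numbers, so the function reports "verify manually" rather than "not patched" when the host is on another build. The `Test-Cve20200601Patch` name and the host names in the usage line are constructed.

```powershell
# Added example (not from the gist): report whether a host's crypt32.dll is at or
# above the patched version listed on this page and whether the matching
# cumulative update is installed. Reference values are from the page and apply
# to Windows 10 build 18362 only (assumption: the host is on that build; other
# builds get a "verify manually" verdict).
function Test-Cve20200601Patch {
    [CmdletBinding()]
    param(
        [string]$Path = "$env:SystemRoot\System32\crypt32.dll",
        [version]$PatchedVersion = '10.0.18362.592',
        [string]$PatchedSha256 = 'E832E3A58B542E15A169B1545CE82451ACE19BD361FD81764383048528F9B540',
        [string]$HotfixId = 'KB4534273'
    )

    $file = Get-Item -Path $Path -ErrorAction Stop
    $vi   = $file.VersionInfo
    # Build a comparable [version] from the numeric parts; the FileVersion string
    # carries a "(WinBuild...)" suffix that does not cast cleanly
    $fileVersion = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)

    $hash   = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $hotfix = Get-HotFix -Id $HotfixId -ErrorAction SilentlyContinue

    # Compare the revision only when the host is on the same build as the
    # reference; across builds the numbers are not comparable
    $sameBuild = ($fileVersion.Build -eq $PatchedVersion.Build)
    $versionOk = $sameBuild -and ($fileVersion -ge $PatchedVersion)

    if ($versionOk -or $hotfix) { $verdict = 'Patched' }
    elseif ($sameBuild)         { $verdict = 'NotPatched' }
    else                        { $verdict = 'VerifyManually (different build)' }

    [pscustomobject]@{
        Computer              = $env:COMPUTERNAME
        Path                  = $Path
        FileVersion           = $fileVersion.ToString()
        LastWriteTime         = $file.LastWriteTime
        SignatureStatus       = $sig.Status
        Signer                = $sig.SignerCertificate.Subject
        Sha256                = $hash
        HashMatchesPage       = ($hash -eq $PatchedSha256)
        SameBuildAsPage       = $sameBuild
        VersionAtLeastPatched = $versionOk
        HotfixInstalled       = [bool]$hotfix
        Verdict               = $verdict
    }
}

# Usage: run locally, or fan out with Invoke-Command and collect the objects
# (constructed host names):
# Invoke-Command -ComputerName 'WKS-01', 'WKS-02' -ScriptBlock ${function:Test-Cve20200601Patch} |
#     Select-Object PSComputerName, FileVersion, Verdict
```

The SHA256 comparison is the strictest signal but only matches the exact file the author hashed; the version comparison tolerates later cumulative updates on the same build, which is why the verdict is driven by version and hotfix presence rather than by the hash alone.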

Errors, typos, something to say?

  • Feel free to report any mistake directly below in the comments or by DM on Twitter @SwitHak