Two proof-of-concept exploits for the “broad cryptographic vulnerability” discovered by the US National Security Agency (NSA), have just been publicly released.
Microsoft confirmed CVE-2020-0601 involves Windows CryptoAPI and says “a spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates” which can be used to “to sign a malicious executable, making it appear the file was from a trusted, legitimate source.” It would also be used in encrypted communication such as HTTPS, with Microsoft saying “A successful exploit could also allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software.”
On Thursday, two PoC exploits were published to GitHub- both of which potentiate man-in-the-middle attacks. MitM attacks allow the attacker to spoof signatures for files, e-mails and fake signed-executable code inside programs.
Kudelski Security, who released one PoC report, said that they launched the PoC using a “curve P384” certificate, which uses ECC (USERTrust ECC Certificate Authority). They created a key which signed the “curve P384” certificate with an arbitrary domain name, which would then be recognised by Windows CryptoAPI as trusted.
The second PoC report was released by Ollypwn- a Danish-based security expert.
“When Windows checks whether the certificate is trusted, it’ll see that it has been signed by our spoofed CA,” said “Ollypwn” in his PoC exploit. “It then looks at the spoofed CA’s public key to check against trusted CA’s. Then it simply verifies the signature of our spoofed CA with the spoofed CA’s generator – this is the issue.”
Security expert Saleem Rashid developed another report- but kept the PoC exploit code private. He reported that the PoC permitted him to use fake TLS certificates to set up sites that appear legitimate.
Kudelski Security adds that the flaw isn’t easily exploitable for attackers, and targeted attacks are difficult because victims would need to visit a specific website.
“In the end, please keep in mind that such a vulnerability is not at risk of being exploited by script kiddies or ransomware”,“While it is still a big problem because it could have allowed a Man-in-the-Middle attack against any website, you would need to face an adversary that owns the network on which you operate, which is possible for nation-state adversaries, but less so for a script kiddie.”
AskWoody, tech support site, also stressed that the likelihood of an attack is low.
“There’s no question the code works — but it has a prerequisite. In order to get bitten by the security hole, you have to first visit a specific site. That site will load a security certificate that’s instrumental in making the PoC code work. That severely limits the threat, eh?”
Security experts like Bruce Schneier believe that publicly-released PoC exploits pose a threat, and can lead to future exploitation:
“Assume that this vulnerability has already been weaponized, probably by criminals and certainly by major governments”,“Even assume that the NSA is using this vulnerability — why wouldn’t it?”
Researchers suggest that customers keep themselves safe by making sure their systems are up-to-date. Microsoft has, of course, released a patch for the exploit this Tuesday, but worryingly some users report issues installing it. Hopefully, that problem will be rapidly resolved