2020 starts with a shift in cybersecurity and the level of transparency that we usually see from the alphabet agencies. Tuesday the 14th January saw the first ever patch issued by Microsoft that officially thanked the National Security Agency (NSA) of the United States for finding and reporting a vulnerability within the Microsoft Windows Operating System. Let's get into the weeds a bit and see what this means, what it affects and, more importantly, whether YOU are affected by it.
First, I have to thank everyone involved for not giving it a stupid name, a trend which admittedly has its benefits as well as its downsides, but one I personally am glad to see omitted from this one.
The vulnerability boils down to the fact that someone can spoof a code-signing certificate in order to make a malicious piece of code appear to come from a trusted and legitimate source. There would be no way to see that the code was not legit, as the certificate would appear to come from a trusted provider. The vulnerability is found in Crypt32.dll (Microsoft's CryptoAPI), which validates Elliptic Curve Cryptography (ECC) certificates. Any software that relies on the CertGetCertificateChain() function to perform a trust check may be vulnerable.
A successful attack would essentially mean that someone could perform a man-in-the-middle attack and decrypt confidential information.
Who does this affect? Or, more specifically, what operating systems are going to need patching?
Windows Server 2016 (also Server Core Edition)
Windows Server 2019 (also Server Core Edition)
Windows Server (versions 1803, 1903, 1909)
Windows 10 for 32-bit
Windows 10 for x64
Windows 10 (versions 1607, 1709, 1803, 1809, 1903, 1909) for 32-bit, x64 and ARM systems
This is a vulnerability which really needs to be patched because there are no other substantial mitigations or workarounds. If you are unable to patch, it is suggested that vulnerable machines are isolated by being put behind a proxy that performs TLS inspection. It is also recommended that you do not use Windows for validation of certificates, and make sure that you keep an eye on those logs.
Essentially, this vulnerability exploits trust. A successful attack could impact things such as HTTPS connections, signed emails or files and, most importantly, signed executable code. This isn't a simple vulnerability to communicate, but it is classed as severe.
If you want to check X509 certificates manually to make sure they are truly valid, the Windows Certutil command or OpenSSL command can be used:
certutil -asn <filename>
openssl asn1parse -inform DER -in <filename> -i -dump
Those two commands will spit out a lot of output; the important thing to check, though, is anything to do with elliptic curves. I don't want to make this post too technical, but a nice way to check what is in the certificate against what is legit is to use the certutil command to show the registered curves:
certutil -displayEccCurve
certutil -displayEccCurve <curvename>
Anything that doesn't match exactly should be considered suspicious.
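As an added example (not code from the original post), here is a small Python checker that does the same comparison programmatically: it walks the DER of a certificate to the SubjectPublicKeyInfo and reports whether an ECC key names one of the registered curves by OID or instead carries explicit curve parameters, the "doesn't match" case that should be treated as suspicious. The curve table and the sample certificates are constructed for the example; the function and variable names are my own.

```python
# Added example (not from the original post or the CVE-2020-0601 PoC): a minimal DER walker
# that finds the SubjectPublicKeyInfo of a DER X.509 certificate and reports whether an ECC
# key names a registered curve by OID or carries explicit parameters. Samples are constructed.
NAMED_CURVES = {"1.2.840.10045.3.1.7": "nistP256", "1.3.132.0.34": "nistP384",
                "1.3.132.0.35": "nistP521"}          # names as certutil -displayEccCurve lists them
ID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"

def read_tlv(buf, pos):
    """Return (tag, value, end) for the DER element at pos; handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(body):
    """Yield (tag, value, raw_element) for every element inside a SEQUENCE body."""
    pos = 0
    while pos < len(body):
        tag, value, end = read_tlv(body, pos)
        yield tag, value, body[pos:end]
        pos = end

def decode_oid(raw):
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, value = arcs + [value], 0
    return ".".join(map(str, arcs))

def find_spki(cert_der):
    """tbsCertificate: [0] version (optional), serial, sigAlg, issuer, validity, subject, spki, ..."""
    fields = list(children(next(children(read_tlv(cert_der, 0)[1]))[1]))
    return (fields[1:] if fields[0][0] == 0xA0 else fields)[5][2]

def classify_spki(spki):
    """'named:<curve>', 'unknown-oid:<oid>', 'explicit' (treat as suspicious), 'not-ecc' or 'unknown'."""
    alg = list(children(next(children(read_tlv(spki, 0)[1]))[1]))   # AlgorithmIdentifier elements
    if alg[0][0] != 0x06 or decode_oid(alg[0][1]) != ID_EC_PUBLIC_KEY:
        return "not-ecc"
    ptag, params = alg[1][:2] if len(alg) > 1 else (None, b"")
    if ptag == 0x06:                                   # namedCurve: compare against the registered list
        oid = decode_oid(params)
        return "named:" + NAMED_CURVES[oid] if oid in NAMED_CURVES else "unknown-oid:" + oid
    return "explicit" if ptag == 0x30 else "unknown"   # specifiedCurve is a SEQUENCE of parameters

def der(tag, content): return bytes([tag, len(content)]) + content   # short-form encoder for samples
OID_EC, OID_P256 = bytes.fromhex("2a8648ce3d0201"), bytes.fromhex("2a8648ce3d030107")
KEY = der(0x03, b"\x00\x04\x01")                       # placeholder BIT STRING, not a real EC point
NAMED_SPKI = der(0x30, der(0x30, der(0x06, OID_EC) + der(0x06, OID_P256)) + KEY)
EXPLICIT_SPKI = der(0x30, der(0x30, der(0x06, OID_EC) + der(0x30, der(0x02, b"\x01"))) + KEY)
def sample_cert(spki):   # constructed Certificate skeleton with empty issuer, validity and subject
    head = der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"") * 4
    return der(0x30, der(0x30, head + spki))
```

On a real certificate exported in DER form, `classify_spki(find_spki(open("cert.der", "rb").read()))` gives the same verdict as eyeballing the `openssl asn1parse` output for the curve.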
After patching you still need to do some work. Microsoft have said they have not seen any public exploitation of the vulnerability, but that doesn't mean it's not going to happen, and those of you that have patched can help by flagging the sources of attempts. After the patch is applied, Windows will generate an Event ID 1 in the event viewer if it sees any attempt to exploit this issue:
Event-Log: Windows Logs/Application
Event Source: Audit-CVE
Event ID: 1
The big question remaining now is why did the NSA - one of the most secretive agencies in the world - decide to inform Microsoft? After all, agencies like the NSA actively exploit targets using zero-day exploits such as this, and it would have been a great tool to use against enemies. There are only a few reasons and, let's not be coy here, it's unlikely to be out of the goodness of their hearts. It's more likely that they have seen the exploit being used against US assets and, in order to protect them, have owned up to finding it. After all, it could have been in active use since the launch of Windows 10 (2015), and these types of tools have a shelf life that requires them to be used before someone else finds and patches them. I hope that this is not the last vulnerability discovered and reported by the alphabets, even if it is understandable that they don't always want to hand over new weapons to be disabled as soon as they discover them.
Editorial Update
So it's only been a few days, but I had to come back to this post, which shows how incredible the security community is and how fast it can move. Below is a link to a Proof of Concept (PoC) for the above attack. Please do not use this for bad stuff; this is always a double-edged sword when dealing with vulnerabilities and disclosure. Those of us on the good side have to assume that more people will use the tools, techniques and knowledge for good than the few bad apples that will abuse it.
This PoC was created by https://twitter.com/ollypwn and is a nice fully working exploit for educational and research use only: https://github.com/ollypwn/CVE-2020-0601. Many thanks Olly for sharing your hard work!