Two PoC exploits for CVE-2020-0601 NSACrypto flaw released

Researchers published proof-of-concept (PoC) code exploits for a recently-patched CVE-2020-0601 flaw in the Windows operating system reported by NSA.

Security researchers have published two proof-of-concept (PoC) code exploits for the recently-patched CVE-2020-0601 vulnerability that has been reported to Microsoft by the US National Security Agency (NSA).

Microsoft Patch Tuesday updates for January 2020 address a total of 49 vulnerabilities in various products, including a serious flaw, tracked as CVE-2020-0601, in the core cryptographic component of Windows 10, Server 2016 and 2019 editions.

The CVE-2020-0601 flaw is different from any other previously addressed flaws because it was reported by the NSA and this is the first time that the US intelligence agency has reported a bug to the tech giant.

The flaw, dubbed ‘NSACrypt’ or ‘CurveBall,’ resides in the Crypt32.dll module that contains various ‘Certificate and Cryptographic Messaging functions’ used by the Windows Crypto API for data encryption.

The flaw affects the way Crypt32.dll module validates Elliptic Curve Cryptography (ECC) certificates.

In a press release published by the NSA, the agency explains “the certificate validation vulnerability allows an attacker to undermine how Windows verifies cryptographic trust and can enable remote code execution.”

“A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates.” reads the security advisory published by Microsoft.

“An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source. The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider.”

An attacker could exploit the flaw to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software.

An attacker could also trigger the issue to spoof digital signatures on software tricking the system into believing that it is a legitimate application.

NSA pointed out that the CVE-2020-0601 vulnerability can allow an attacker to:

launch MitM (man-in-the-middle) attacks and intercept and fake HTTPS connections
fake signatures for files and emails
fake signed-executable code launched inside Windows

The researcher Tal Be’ery analyzed the flaw and explained that the issue stems from a flawed implementation of the Elliptic Curve Cryptography (ECC) within Microsoft’s code.

According to a high-level technical analysis of the bug security researcher Tal Be’ery, “the root cause of this vulnerability is a flawed implementation of the Elliptic Curve Cryptography (ECC) within Microsoft’s code.”

The US DHS CISA agency also issued an emergency directive urging government agencies to address the bug in their systems in ten days.

“CISA has determined that these vulnerabilities pose an unacceptable risk to the Federal enterprise and require an immediate and emergency action. This determination is based on the likelihood of the vulnerabilities being weaponized, combined with the widespread use of the affected software across the Executive Branch and high potential for a compromise of integrity and confidentiality of agency information.” reads the emergency directive.

Security expert Saleem Rashid first created a proof-of-concept code to fake TLS certificates and allows attackers to set up a site that look-like legitimate ones.

Rashid didn’t publish the exploit code to avoid miscreants using it in the wild. Unfortunately, other experts decided to publicly release the exploit code for the CVE-2020-0601 flaw. Swiss cybersecurity firm Kudelski Security published on GitHub a working exploit for the flaw. Danish security researcher Ollypwn also published an exploit for the CurveBall vulnerability.

The availability online of working exploits for the CVE-2020-0601 vulnerability ensures that threat actors will start exploiting it, for this reason it is essential to patch systems.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – CVE-2020-0601, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.