Two PoC exploits for CVE-2020-0601 NSACrypto flaw released

Researchers published proof-of-concept (PoC) code exploits for a recently-patched CVE-2020-0601 flaw in the Windows operating system reported by NSA.

Security researchers have published two proof-of-concept (PoC) code exploits for the recently-patched CVE-2020-0601 vulnerability that has been reported to Microsoft by the US National Security Agency (NSA).

Microsoft Patch Tuesday updates for January 2020 address a total of 49 vulnerabilities in various products, including a serious flaw, tracked as CVE-2020-0601, in the core cryptographic component of Windows 10, Server 2016 and 2019 editions.

The CVE-2020-0601 flaw is different from any other previously addressed flaws because it was reported by the NSA and this is the first time that the US intelligence agency has reported a bug to the tech giant.

The flaw, dubbed ‘NSACrypt’ or ‘CurveBall,’ resides in the Crypt32.dll module that contains various ‘Certificate and Cryptographic Messaging functions’ used by the Windows Crypto API for data encryption.  

The flaw affects the way Crypt32.dll module validates Elliptic Curve Cryptography (ECC) certificates.

In a press release published by the NSA, the agency explains “the certificate validation vulnerability allows an attacker to undermine how Windows verifies cryptographic trust and can enable remote code execution.”

“A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates.” reads the security advisory published by Microsoft.

“An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source. The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider.”

An attacker could exploit the flaw to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software.

An attacker could also trigger the issue to spoof digital signatures on software tricking the system into believing that it is a legitimate application.

NSA pointed out that the CVE-2020-0601 vulnerability can allow an attacker to:

• launch MitM (man-in-the-middle) attacks and intercept and fake HTTPS connections
• fake signatures for files and emails
• fake signed-executable code launched inside Windows

The researcher Tal Be’ery analyzed the flaw and explained that the issue stems from a flawed implementation of the Elliptic Curve Cryptography (ECC) within Microsoft’s code.

According to a high-level technical analysis of the bug security researcher Tal Be’ery, “the root cause of this vulnerability is a flawed implementation of the Elliptic Curve Cryptography (ECC) within Microsoft’s code.”

The US DHS CISA agency also issued an emergency directive urging government agencies to address the bug in their systems in ten days.

“CISA has determined that these vulnerabilities pose an unacceptable risk to the Federal enterprise and require an immediate and emergency action. This determination is based on the likelihood of the vulnerabilities being weaponized, combined with the widespread use of the affected software across the Executive Branch and high potential for a compromise of integrity and confidentiality of agency information.” reads the emergency directive.

Security expert Saleem Rashid first created a proof-of-concept code to fake TLS certificates and allows attackers to set up a site that look-like legitimate ones.

Rashid didn’t publish the exploit code to avoid miscreants using it in the wild. Unfortunately, other experts decided to publicly release the exploit code for the CVE-2020-0601 flaw. Swiss cybersecurity firm Kudelski Security published on GitHub a working exploit for the flaw. Danish security researcher Ollypwn also published an exploit for the CurveBall vulnerability.

The availability online of working exploits for the CVE-2020-0601 vulnerability ensures that threat actors will start exploiting it, for this reason it is essential to patch systems.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – CVE-2020-0601, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]