Proof-of-concept exploits published for the Microsoft-NSA crypto bug
Security researchers have published earlier today proof-of-concept (PoC) code for exploiting a recently-patched vulnerability in the Windows operating system, a vulnerability that has been reported to Microsoft by the US National Security Agency (NSA).
The bug, which some have started calling CurveBall, impacts CryptoAPI (Crypt32.dll), the component that handles cryptographic operations in the Windows OS.
According to a high-level technical analysis of the bug from cyber-security researcher Tal Be’ery, “the root cause of this vulnerability is a flawed implementation of the Elliptic Curve Cryptography (ECC) within Microsoft’s code.”
According to both the NSA, the DHS, and Microsoft, when exploited, this bug (tracked as CVE-2020-0601) can allow an attacker to:
- launch MitM (man-in-the-middle) attacks and intercept and fake HTTPS connections
- fake signatures for files and emails
- fake signed-executable code launched inside Windows
Experts: “seriously, seriously bad”
Speaking on Twitter, Acting Homeland Security Advisor Rob Joyce described the bug as “seriously, seriously bad.”
US authorities reacted to the vulnerability very openly and proactively. The NSA released a rare security alert about the bug, and the DHS’ CISA department issued an emergency directive, giving government agencies ten days to patch systems by applying the January 2020 Microsoft Patch Tuesday updates.
This is the first time the NSA reported a bug to Microsoft. One might say the agency is on a press tour to improve its image in the cyber-security community after the EternalBlue and Shadow Brokers disasters, when NSA-developed hacking tools were leaked online and used for some of the biggest malware infections and cyber-attacks known to date.
However, the vulnerability’s severity cannot be downplayed by the NSA’s attempt to “turn a new leaf” with the infosec community.
Astute and experienced security experts and cryptographers like Thomas Ptacek and Kenneth White have confirmed the vulnerability’s severity and wide impact — although it does not impact the Windows Update mechanism, which would have allowed a threat actor to fake Windows updates.
PoC exploits released online
In a blog post on Tuesday, White said he was aware that some people were days away from coming up with a working exploit for the CurveBall vulnerability.
The first one to come up with one was Saleem Rashid, who created a proof-of-concept code to fake TLS certificates and allow sites to pose as legitimate ones.
Rashid didn’t publish his code, but others did, hours later. The first public CurveBall exploit came from Kudelski Security, followed by a second one from a Danish security researcher going by the name of Ollypwn.
In its official security advisory for CVE-2020-0601, Microsoft described the chance of threat actors exploit the bug as “more likely.” With public demo code available, the chances of exploitation are now also ensured.
The good news in all of this is that even if users haven’t had the time to schedule time to install the patches, Windows Defender has received updates to at least detect active exploitation attempts and warn users. According to Microsoft, this vulnerability impacts Windows 10, Windows Server 2019, and Windows Server 2016 OS versions.