Blocking A CurveBall: PoCs Out for Critical Microsoft-NSA Bug CVE-2020-0601

Security researchers have released proof-of-concept (PoC) codes for exploiting CurveBall (CVE-2020-0601), the first bug that the National Security Agency (NSA) reported. Included in this year’s first cycle of Patch Tuesday updates, the vulnerability affects Windows operating systems’ CryptoAPI’s validation of Elliptic Curve Cryptography (ECC) certificates and Public Key Infrastructure (PKI) trust. Enterprises and users are advised to patch their systems immediately to prevent attacks that exploit this security flaw.

The PoCs for CurveBall, released by researchers Saleem Rashid, Kudelski Security, and Ollypwn, show how it can affect one of the cryptographic implementations of the Windows CryptoAPI (Crypt32.dll) library’s functionality to the OS and applications. The researchers noted this vulnerability’s potentially high impact, because any software that relies on the Windows CertGetCertificateChain() function to determine an ECC X.509 certificate’s validity may incorrectly determine the trustworthiness of a malicious certificate chain (including non-Microsoft third-party ones). Microsoft versions that are affected by CurveBall and support certificates with ECC keys include Windows 10, and Windows Servers 2016 and 2019.

[Read: Security 101: Zero-day vulnerabilities and exploits]

Once exploited, an attacker may spoof the ECC’s validity for files, applications, network connections, emails and executables, making a file appear to come from a trusted and legitimate provider. The spoofed validity enables attacks and access to decrypt confidential information on user connections, conduct man-in-the-middle attacks, and remote exploitation, among other risks.

As Microsoft noted in their security advisory, exploitation of the flaw is likely, especially given that public demo codes are available. NSA also noted in their cybersecurity advisory that the patches available are simply for mitigation purposes only, though some researchers have already noted that an update to Windows Defender have already been released to detect active exploit attempts to warn users. Users are advised to download the patches as soon as possible.

Trend Micro solutions

Trend Micro users and customers are protected from the exploitation of CurveBall with the following rules:

• Deep Security and Vulnerability Protection Rule 1010130 - Microsoft Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601)
• Deep Security and Vulnerability Protection Rule 1010132 - Microsoft Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601) -1
• Apex One Vulnerability Protection (iVP) Rule 1010130 - Microsoft Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601)
• TippingPoint Filter 36956: HTTP: Microsoft Windows CryptoAPI Spoofing Vulnerability
• TippingPoint DVToolkit CSW Filter C1000001: SSL: Elliptic Curve with Explicit Curve Parameters
• Deep Security Log Inspection Rule 1010129 - Microsoft Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601)
• Deep Discovery Inspector (DDI) Rule 3202 – CVE-2020-0601 Spoofed Certificate Attempt – TLS – Beta
• Trend Micro Microsoft Windows CryptoAPI Spoofing Vulnerability Assessment Tool (SHA256: 11e6b2e96e4e10c00b137aa1c362ac6ac7e65751948bd1f4ef2e34312da8dac0)

More detailed information on these Trend Micro solutions are available in the Business Support page.

Updated on January 21, 2020, 9:00AM PDT to include additional TippingPoint and Deep Security and Vulnerability Protection Rule.