Security researchers have published two proof-of-concept (PoC) code exploits for the recently-patched CVE-2020-0601 vulnerability that has been reported to Microsoft by the US National Security Agency (NSA).
Microsoft Patch Tuesday updates for January 2020 address a total of 49 vulnerabilities in various products, including a serious flaw, tracked as CVE-2020-0601, in the core cryptographic component of Windows 10, Server 2016 and 2019 editions.
The CVE-2020-0601 flaw is different from any other previously addressed flaws because it was reported by the NSA and this is the first time that the US intelligence agency has reported a bug to the tech giant.
The flaw, dubbed ‘NSACrypt’ or ‘CurveBall,’ resides in the Crypt32.dll module that contains various ‘Certificate and Cryptographic Messaging functions’ used by the Windows Crypto API for data encryption.
The flaw affects the way Crypt32.dll module validates Elliptic Curve Cryptography (ECC) certificates.
In a press release published by the NSA, the agency explains “the certificate validation vulnerability allows an attacker to undermine how Windows verifies cryptographic trust and can enable remote code execution.”
“A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates.” reads the security advisory published by Microsoft.
“An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source. The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider.”
An attacker could exploit the flaw to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software.
An attacker could also trigger the issue to spoof digital signatures on software tricking the system into believing that it is a legitimate application.
NSA pointed out that the CVE-2020-0601
According to a high-level technical analysis of the bug security researcher Tal Be’ery, “the root cause of this vulnerability is a flawed implementation of the Elliptic Curve Cryptography (ECC) within Microsoft’s code.”
The US DHS CISA agency also issued an emergency directive urging government agencies to address the bug in their systems in ten days.
“CISA has determined that these vulnerabilities pose an unacceptable risk to the Federal enterprise and require an immediate and emergency action. This determination is based on the likelihood of the vulnerabilities being
Security expert Saleem Rashid first created a proof-of-concept code to fake TLS certificates and allows attackers to set up a site that look-like legitimate ones.
Rashid didn’t publish the exploit code to avoid miscreants using it in the wild. Unfortunately, other experts decided to publicly release the exploit code for the CVE-2020-0601 flaw. Swiss
The availability online of working