The release of Microsoft Patch Tuesday updates for January 2020 brought to light a critical vulnerability in Microsoft Windows CryptoAPI. Reported by National Security Agency, the national level intelligence agency of USA, CVE-2020-0601 is a spoofing vulnerability in Windows systems, the exploitation of which could have widespread consequences.
Microsoft explains that this spoofing vulnerability in Windows CryptoAPI exists due to improper validation of Elliptic Curve Cryptography (ECC) certificates. The flawed component
crypt32.dll was added to Windows systems about twenty years ago.
CryptographicApplication Programming Interface (or CryptoAPI) helps developers secure Windows-based applications using cryptographic techniques. CryptoAPI provides the functionality for encryption and decryption in authentication mechanisms using digital certificates.
With the ever changing situations in information security and increasing complexity in hacking attempts, researchers are under constant pressure to come up with new methods to stay ahead of those with ill intentions. In recent years, Elliptic Curve Cryptography (ECC) has become a mainstream primitive for cryptographic protocols and applications. ECC certificates are based on Elliptic Curve Cryptography, an encryption algorithm which relies on discovering the discrete logarithm of a random elliptic curve. ECC is known to provide stronger security and increased performance with shorter key lengths. The major browsers such as Chrome, Firefox, Internet Explorer and Safari, webservers such as Apache HTTP, Nginx, Apache Tomcat, operating systems such as Microsoft Windows, Apple Mac OS, Red Hat Enterprise Linux, etc are all known to be compatible with ECC.
The vulnerability specifically lies in how Windows verifies cryptographic trust. The flaw is in the way the certificates are loaded when explicit curve parameters are specified in the provided certificates. Multiple PoCs (1, 2) have been released for this vulnerability showing that a private key can be crafted for an existing certificate by using a generator different from the standard one and setting it with the explicit curve parameters. The CryptoAPI gets tricked into matching the certificates in the cache and the generated non-standard ones.
An existing certificate has a public key, ‘Pk‘ and a private key ‘k’ with generator ‘G’.
k.G = Pk
Consider a random variable ‘x’, then, for a different generator G’,
G' = x-1.Pk
This newly crafted secret key is valid for public key Pk with generator G’.
x.x-1.Pk = 1.Pk = Pk.
This bug exploits
crypt32.dll signature verification on the elliptic curve.
crypt32.dll is only known to check for a matching public key and parameters, but not the generator G. The Windows CryptoAPI can thus be made to believe that this is the right private key. The exploitation of this certificate validation vulnerability allows an attacker to bypass trusted network connections and deliver executable code which is featured as a legitimate and trusted file.
NSA explains that the exploits could be carried out in real world scenarios involving HTTPS connections, signed files, and emails, user-mode processes launching signed executable code, etc. An attacker can also conduct man-in-the-middle attacks and gain access to confidential information on user connections.
- Windows 10
- Windows Server 2016
- Windows Server 2019
An attacker can sign malevolent executables using spoofed code-signing certificates and run them on the target machine.
Microsoft has released updates to fix the underlying vulnerability in Windows Systems. While it is advised to install the updates without further delay on all affected systems, endpoints that are directly exposed to the internet and those in use by privileged personnel need immediate attention in terms of patching. Endpoints hosting critical infrastructure or running Windows-based web appliances, web servers, or proxies that perform TLS validation would also be top attack surfaces and require prompt action.