Saleem Rashid shows that a patch for a security bug in Windows 10 and Windows Server 2016/2019 could be exploited in the real world to spoof security certificates on machines without the patch.
This week Microsoft was forced to quickly patch a security bug in Windows 10 and Windows Server 2016/2019 that could have allowed attackers to spoof legitimate security certificates as a way of gaining control of an infected PC. Microsoft was prompted to act after the NSA discovered and privately reported the bug, which was evidence of a serious flaw in the way the latest versions of Windows and Windows Server check the validity of certain security certificates.
Releasing the fix on January 14 as part of its monthly Patch Tuesday lineup, Microsoft labeled the patch an “Important” update rather than a “Critical” update, presumably because the company said it hadn’t found any real-world examples in which the vulnerability had been exploited.
But now, a security researcher has shown just how the flaw could be exploited in the real world.
In a tweet on Wednesday researcher Saleem Rashid, showed images of his exploit of the bug in Google Chrome and Microsoft Edge. The images show Rashid using a process known as “rickrolling,” which creates a link to a supposedly legitimate website but actually redirects the user to a music video of the song “Never Gonna Give You Up” by singer Rick Astley. The process is used to show how someone can be tricked into clicking on a link that leads to somewhere unexpected and potentially malicious.
The Windows vulnerability, which has been labeled CVE-2020-0601, would allow someone to spoof a legitimate security certificate, which could then make a malicious site appear as trusted due to the phony certificate. Specifically, the vulnerability is the result of a flaw in the Elliptic Curve Cryptography (ECC) Microsoft used in its code for Windows 10 and Windows Server 2016 and 2019.
In his testing, Rashid was able to take advantage of the vulnerability by cooking up code to create phony security certificates as a way to spoof the secure and verified websites of Github and the National Security Agency. Without Microsoft’s patch, the vulnerability can be exploited in Chrome, Edge, and Internet Explorer, but seemingly not Firefox.
A spokeperson for Google confirmed that Chrome users are protected with the latest Microsoft patch but that Google is rolling out an update to its browser to further secure it.
“What Saleem just demonstrated is: With [a short] script you can generate a cert for any website, and it’s fully trusted on IE and Edge with just the default settings for Windows,” Kenn White, a researcher and security principal at MongoDB, told Ars Technica. “That’s fairly horrifying. It affects VPN gateways, VoIP, basically anything that uses network communications.”
If exploited, the bug can let an attacker perform Man-in-the-Middle attacks, intercept and spoof HTTPS connections, fake signatures for files and emails, and fake signed executable code launched inside Windows.
So far, Rashid has not published the code he used to exploit the flaw. However, others have jumped on that bandwagon. Security firm Kudelski Security has published the code via GitHub, while a Danish security researcher named Ollypwn did the same. In a blog post, Kudelski Security explained why it released the code publicly and how it would work to exploit the vulnerability.
Alarming Windows 10 ‘Curveball’ Crypto Security Threat Just Got Very Real Indeed
Exploit code for the Windows 10 “curveball” crypto vulnerability the U.S. Government warned about has now surfaced. That’s real bad news for 900 million users.
The Windows 10 CryptoAPI vulnerability reported by the NSA gets named “curveball”
Three days is a long time in cybersecurity. It was only three days ago that I wrote an article “New Windows 10 ‘Extraordinarily Serious’ Security Warning For 900 Million Users,” that predicted the monthly Microsoft Patch Tuesday update would reveal one of the more severe vulnerabilities to hit the operating system for some time. In the less than 72 hours that have followed, Anne Neuberger, director of the National Security Agency (NSA) Cybersecurity Directorate, confirmed the NSA itself had reported the flaw which “makes trust vulnerable.” Within hours of that announcement, Microsoft released the Patch Tuesday updates and disclosed CVE-2020-0601, a Windows CryptoAPI spoofing vulnerability which some are now calling “curveball.”
CISA issues emergency directive but some security professionals remain unimpressed
The implications were thought serious enough to persuade the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to issue an emergency directive recommending the immediate patching of Windows 10. Then the inevitable backlash started, with some security professionals taking to social media to dismiss the vulnerability as being not all that. Indeed, I had conversations with well-respected members of the infosec community who warned me not to indulge the NSA in this exercise of hyperbole; that the vulnerability was far from critical in nature and would be difficult to exploit. The overall picture that was being painted can be summed up as “nothing to see here; please move along.”
Curveball proof of concept exploit code has now surfaced
There is, however, plenty to see already. By stitching together the known technical detail that was disclosed by Microsoft, the Computer Emergency Response Team (CERT), and the NSA, researchers started to produce proof of concept (POC) exploits. Saleem Rashid was able to exploit the curveball vulnerability to Rickroll both the NSA.gov and Github websites to play video of Rick Astley singing Never Gonna Give You Up. Saleem didn’t publish his exploit code, but it didn’t take long before more POC exploits appeared online, nonetheless. Kudelski Security researchers, having determined that “it might be possible to craft certificates using Elliptic Curve Cryptography (ECC) and explicit parameters that do not fully match a standard curve,” produced a POC exploit and a test to determine if a user is vulnerable.
Difficult for script kiddies but relatively easy for determined attackers
The good news is that Microsoft Windows Defender has been updated to detect certificates attempting to exploit certification validity, and Kudelski Security said that the curveball vulnerability is not “at risk of being exploited by script kiddies or ransomware.” However, Kudelski also warned that exploits are in the wild, and nation-state adversaries would have the capability needed to “own the network” and pull off an attack.
The MF’er attack scenario
Yes, this remains an attack scenario that requires a certain level of skill and determination. But that doesn’t mean it can be ignored. Man-in-the-middle attacks, or MF’er attack to be less gender-biased about the terminology, are challenging to carry out, but that doesn’t stop them from happening. A lot. Not that an MF’er attack would have to be in place to exploit curveball; it could be achieved by social engineering. Directing a victim to an ECC-signed root certificate site to ensure it is cached on the target system and then implementing a malicious clicking strategy could be enough.
You know what to do: update Windows 10, Windows Server 2016 and Windows Server 2019 ASAP
If three days is a long time in cybersecurity, a week or two is an absolute era as far as threat actors are concerned. It is only a matter of time, and I imagine not that much of it before I find myself reporting on a real-world curveball attack. So, please, listen to the advice and ensure that your Windows 10, Windows Server 2019 and Windows Server 2016 systems are patched with the utmost urgency.