FacebookTwitterLinkedIn

Proof-Of-Concept Code for Curveball Released

It seems like the start of the year is not complete without a new and dangerous vulnerability been disclosed to the public. Last year it was the Spectre and Meltdown CPU vulnerabilities. This year the new threat is posed by CVE-2020-0601, better known as Curveball. The vulnerability is described as a spoofing vulnerability that exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. According to Windows, this vulnerability could allow an attacker to,

“…exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source. The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider. A successful exploit could also allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software. The security update addresses the vulnerability by ensuring that Windows CryptoAPI completely validates ECC certificates.”

The vulnerability description reads like Latin to most and for those more technically inclined cyber-security researcher Tal Be'ery published a high-level analysis of the vulnerability. What is of particular interest is who disclosed the vulnerability to Windows. The US National Security Agency (NSA), often criticized for being an enemy of cybersecurity with such criticisms only escalating when EternalBlue was stolen and leaked from the NSA, were the body who disclosed the vulnerability.

proof-of-concept code for curveball

Given that this is the first time the NSA has disclosed a vulnerability, skeptics have questioned whether this is an attempt to turn over a new leaf with the InfoSec community. Regardless, the severity of the vulnerability is not in doubt. The DHS described the Curveball as,

“The vulnerability in ECC certificate validation affects Windows 10, Server 2016, and Server 2019. It bypasses the trust store, allowing unwanted or malicious software to masquerade as authentically signed by a trusted or trustworthy organization, which may deceive users or thwart malware detection methods like anti-virus. Additionally, a maliciously crafted certificate could be issued for a hostname that did not authorize it, and a browser that relies on Windows’ CryptoAPI would not issue a warning, allowing an attacker to decrypt, modify, or inject data on user connections without detection.”

Both the NSA and the Department of Homeland Security (DHS) issued alerts concerning the vulnerability. The DHS went further in demanding that all government agencies apply the recently released patch as part of the first Microsoft Patch Tuesday of the year. According to both government agencies, successful exploitation of the bug will allow attackers to perform a man in the middle attacks as well as intercept and fake HTTPS connections. This is over and above being able to fake signatures whether for emails, files, and executables within Windows. The seriousness of the vulnerability has also been confirmed by Kenneth White and Thomas Ptacek who further noted that fortunately, attackers would not be able to fake Windows updates.

Proof-of-Concept Code Exists

Since the disclosure, many researchers have been rushing to release proof-of-concept (PoC) code proving the vulnerability can indeed be exploited in the wild. Researchers noted that it may only be a matter of days and this prediction seems to be correct. The first researcher to prove the vulnerability was indeed exploitable was Saleem Rashid who developed a PoC code that permitted the faking of TLS certificates. The faking of TLS certificates can allow hackers to create fake websites that not only look like the real deal but will also have a certificate that says it is indeed legitimate. Rashid did not post his code, rather posted a Twitter post proving what he had done.

The first to actually publish code was Kudelski Security followed in close second by a Danish researcher Ollypwn. Now with publically available code exploitation in the wild by malicious actors is most certainly a definite. Fortunately, there is some good news to report, especially for those who have yet to update and install Tuesday’s official patches. Windows Defender has received updates to at least detect active exploitation attempts and warn users. According to Microsoft, this vulnerability impacts Windows 10, Windows Server 2019, and Windows Server 2016 OS versions. It is advised to apply the most recent patches as soon as possible.

It is not often that the NSA issues an alert so if administrators are not willing to believe the media hype perhaps they might believe the danger posed from an organization seemingly tasked with cyber espionage operations. The alert provides mitigation advice to administrators stating that all relevant patches be installed and if patching is to take a number of day Windows-based web appliances, web servers, or proxies that perform TLS validation be prioritized. Next on that list are end-points that connect to the Internet and end-points with increased privileges. These are believed to high-value targets for exploitation. Further, the NSA advises that,

“Administrators should be prepared to conduct remediation activities since unpatched endpoints may be compromised. Applying patches to all affected endpoints is recommended, when possible, over prioritizing specific classes of endpoints. Other actions can be taken to protect endpoints in addition to installing patches. Network devices and endpoint logging features may prevent or detect some methods of exploitation, but installing all patches is the most effective mitigation.”

It is hoped that despite notoriously bad levels of patching across enterprises and private individuals that this round of patch Tuesday is installed with very little fuss. Given the level of prompting by two government authorities, one issuing a directive to other government organizations, administrators have noted the potential threat posed by the vulnerability.

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal