Security researchers have released proof-of-concept (PoC) code for exploiting CurveBall (CVE-2020-0601), the first bug that the National Security Agency (NSA) reported. Included in this year’s first cycle of Patch Tuesday updates, the vulnerability affects how the Windows CryptoAPI validates Elliptic Curve Cryptography (ECC) certificates and Public Key Infrastructure (PKI) trust. Enterprises and users are advised to patch their systems immediately to prevent attacks that exploit this security flaw.
The PoCs for CurveBall, released by researchers Saleem Rashid, Kudelski Security, and Ollypwn, show how the flaw affects the cryptographic functionality that the Windows CryptoAPI library (Crypt32.dll) provides to the OS and applications. The researchers noted this vulnerability’s potentially high impact: any software that relies on the Windows CertGetCertificateChain() function to determine an ECC X.509 certificate’s validity may incorrectly determine the trustworthiness of a malicious certificate chain (including non-Microsoft third-party ones). Windows versions that are affected by CurveBall and support certificates with ECC keys include Windows 10 and Windows Server 2016 and 2019.
Once the flaw is exploited, an attacker may spoof ECC certificate validity for files, applications, network connections, emails and executables, making a file appear to come from a trusted and legitimate provider. The spoofed validity enables attacks such as decrypting confidential information on user connections, man-in-the-middle attacks, and remote exploitation, among other risks.
As Microsoft noted in its security advisory, exploitation of the flaw is likely, especially given that public demo code is available. NSA also noted in its cybersecurity advisory that the available patches are for mitigation purposes only, though some researchers have noted that an update to Windows Defender has already been released to detect active exploit attempts and warn users. Users are advised to download the patches as soon as possible.
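A defensive check to go with the detection point above, added here as an example and not taken from the article, the advisories or the PoCs: public analyses of CVE-2020-0601 associate it with ECC certificates that spell out their curve parameters explicitly instead of naming a standard curve, so this Python code classifies the parameters in a DER-encoded SubjectPublicKeyInfo. The function names and all sample blobs are assumptions constructed for illustration.

```python
# Added example (not from the article): classify the key parameters in a DER
# SubjectPublicKeyInfo. Standard library only; all sample data is constructed.
EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")        # OID 1.2.840.10045.2.1
PRIME256V1 = bytes.fromhex("2a8648ce3d030107")         # OID 1.2.840.10045.3.1.7
RSA_ENCRYPTION = bytes.fromhex("2a864886f70d010101")   # OID 1.2.840.113549.1.1.1

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def classify_spki(spki):
    """Return 'named-curve', 'explicit-parameters', 'other-ec' or 'not-ec'."""
    tag, body, _ = read_tlv(spki)
    atag, alg, _ = read_tlv(body)           # AlgorithmIdentifier
    if tag != 0x30 or atag != 0x30:
        raise ValueError("expected SEQUENCE { AlgorithmIdentifier, ... }")
    tag, oid, pos = read_tlv(alg)
    if tag != 0x06 or oid != EC_PUBLIC_KEY:
        return "not-ec"
    if pos == len(alg):
        return "other-ec"                   # parameters absent
    ptag = read_tlv(alg, pos)[0]
    # OID = curve referenced by name; SEQUENCE = curve spelled out in the cert
    return {0x06: "named-curve", 0x30: "explicit-parameters"}.get(ptag, "other-ec")

def der(tag, value):
    """Minimal DER encoder, used only to build the constructed samples."""
    n = len(value)
    size = bytes([n]) if n < 0x80 else bytes([0x81, n])  # samples stay < 256 bytes
    return bytes([tag]) + size + value

KEY_BITS = der(0x03, b"\x00\x04" + bytes(64))            # placeholder public key
SAMPLE_NAMED = der(0x30, der(0x30, der(0x06, EC_PUBLIC_KEY) + der(0x06, PRIME256V1)) + KEY_BITS)
SAMPLE_EXPLICIT = der(0x30, der(0x30, der(0x06, EC_PUBLIC_KEY)   # placeholder body below,
                      + der(0x30, der(0x02, b"\x01") + der(0x04, bytes(150)))) + KEY_BITS)  # not a real curve
SAMPLE_RSA = der(0x30, der(0x30, der(0x06, RSA_ENCRYPTION) + der(0x05, b"")) + KEY_BITS)
```

An `explicit-parameters` result is a reason to inspect the certificate and the chain it claims, not proof of an exploit attempt.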
Trend Micro solutions
Trend Micro users and customers are protected from the exploitation of CurveBall with the following rules: