[Bro] X.509 extensions can be used for covert channel data transfer and C2

Johanna Amann johanna at icir.org
Thu Feb 8 07:12:49 PST 2018

Hi Andy,

> Has anyone looked at this research
> https://www.fidelissecurity.com/threatgeek/2018/02/exposing-x509-vulnerabilities
> with a view to creating a Bro detection?

Doing what they recommend in Bro is not a problem at all; Bro raises an
event for all X.509 extensions
and you can just check the length there.

Bro also can perform validation of all certificates, which is the second
remedy that they proposed.

However, please note that just thinking about this for 30 seconds, I can
think of at least 3 other ways to hide data in TLS handshakes that this
would not catch (and that they did not talk about), some of them easier to
implement for an attacker than this.

Plus - if you can establish a TLS connection without there being a DLP
device in the middle you could always just send the data after encryption
kicks in.


More information about the Bro mailing list