[Zeek] Work-in-progress package to detect CVE-2020-0601

Aashish Sharma asharma at lbl.gov
Tue Jan 14 21:13:49 PST 2020

Thanks Johanna - I must say quite timely package. 

On Tue, Jan 14, 2020 at 06:42:19PM -0800, Johanna Amann wrote:
> Hi,
> I assume most of you heard of CVE-2020-0601. If not - see the advisory 
> at 
> https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601 
> and the description at 
> https://media.defense.gov/2020/Jan/14/2002234275/-1/-1/0/CSA-WINDOWS-10-CRYPT-LIB-20190114.PDF.
> I have a small work-in-progress Zeek package that should be able to 
> detect if someone is trying to exploit this in TLS communication, e.g. 
> when impersonating a server.
> The package is available at https://github.com/0xxon/cve-2020-0601; the 
> script itself is very short and available at 
> https://github.com/0xxon/cve-2020-0601/blob/master/scripts/cve-2020-0601.bro.
> How does it work
> ================
> From the description above, the attack seems to require curves that are 
> explicitly-defined to be present in certificates; furthermore the curve 
> needs to be a non-standard curve. Having an explicitly defined curve in 
> a certificate is quite unusual - RFC 5480 actually forbids this 
> specifically.
> The script linked above checks if a certificate is an elliptic curve 
> certificate - and then checks if the curve field was set by Zeek - which 
> it should always be for named curves. If the curve is not set, a notice 
> is raised.
> Limitations & False positives
> =============================
> Short version: there may be false positives - it should not be many.
> If I understand CVE-2020-0601 correctly, this script should always alert 
> when a suspicious certificate is found in traffic. However, there are a 
> few cases where it may alert when a certificate is benign.
> Specifically, it is possible for a certificate to explicitly define a 
> well-known curve, instead of just putting the ID of the curve in the 
> certificate. When this happens, the alert behavior of the script 
> currently depends on the locally installed version of OpenSSL. Some 
> versions of OpenSSL convert the curve back to its name - in which case 
> no alert is raised (which is correct). However, other versions do not do 
> this - and lead to Zeek leaving the field empty. This will lead to a 
> notice being raised.
> I am not sure why the behavior differs - this seems to depend on 
> configuration choices of different Linux distributions - and sadly this 
> seems to not work in a lot of Linux distributions. I could not map it to 
> specific versions of OpenSSL.
> The package contains several tests - if the explicit.bro test fails, 
> your OpenSSL installation does not perform the conversion - which 
> theoretically leads to false positives.
> That being said - in theory, explicit curves should not be used for TLS 
> communication. Which brings me to…
> Feedback
> ========
> If you use this and see it raising a lot of notices, or have other 
> feedback - please write either here or to me directly.
> I am currently working on trying to get the detection better - this will 
> require making this a binary module that directly calls into OpenSSL to 
> examine the certificate datastructures.
> Johanna
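The check Johanna describes (EC certificate, but Zeek did not fill in the curve field), written out as an added Zeek script for illustration; this is not the script from the 0xxon/cve-2020-0601 package, and the module and notice names are my own choice. It relies on the `key_type` and `curve` fields of `X509::Certificate` as Zeek populates them for named curves, and inherits the OpenSSL-dependent false positive discussed above.

```zeek
@load base/frameworks/notice
@load base/files/x509

# Hypothetical module name; the real package uses its own.
module EC_Curve_Check;

export {
    redef enum Notice::Type += {
        ## Raised when an EC certificate carries no recognised named curve,
        ## which can indicate explicitly-defined (RFC 5480-forbidden) parameters.
        EC_Certificate_Without_Named_Curve
    };
}

event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate)
    {
    # Only elliptic-curve certificates are relevant to this check.
    if ( ! cert?$key_type || cert$key_type != "ecdsa" )
        return;

    # For a named curve Zeek sets cert$curve (e.g. "prime256v1").
    # An unset field means OpenSSL did not resolve the parameters to a name,
    # i.e. the curve was explicitly defined (or not converted back, see above).
    if ( cert?$curve )
        return;

    NOTICE([$note=EC_Certificate_Without_Named_Curve,
            $msg=fmt("EC certificate without named curve: subject=%s issuer=%s",
                     cert$subject, cert$issuer),
            $f=f,
            # Suppress repeats for the same file/certificate.
            $identifier=cat(f$id)]);
    }
```

Run with `zeek -r capture.pcap this-script.zeek` and inspect notice.log; the notice is a hunting lead, not proof of exploitation, since a benign certificate with explicit well-known parameters produces the same result on affected OpenSSL builds.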
