[Zeek] Work-in-progress package to detect CVE-2020-0601

Michał Purzyński michalpurzynski1 at gmail.com
Tue Jan 14 21:51:41 PST 2020 

Thanks a lot!

Can we have that tweeted from the Zeek account?

> On Jan 14, 2020, at 9:23 PM, Aashish Sharma <asharma at lbl.gov> wrote:
> 
> Thanks Johanna - I must say quite timely package. 
> 
>> On Tue, Jan 14, 2020 at 06:42:19PM -0800, Johanna Amann wrote:
>> Hi,
>> 
>> I assume most of you heard of CVE-2020-0601. If not - see the advisory 
>> at 
>> https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601 
>> and the descriptio nat 
>> https://media.defense.gov/2020/Jan/14/2002234275/-1/-1/0/CSA-WINDOWS-10-CRYPT-LIB-20190114.PDF.
>> 
>> I have a small work-in-progress Zeek package that should be able to 
>> detect if someone is trying to exploit this in TLS communication, e.g. 
>> when impersonating a server.
>> 
>> The package is available at https://github.com/0xxon/cve-2020-0601; the 
>> script itself is very short and available at 
>> https://github.com/0xxon/cve-2020-0601/blob/master/scripts/cve-2020-0601.bro.
>> 
>> How does it work
>> ================
>> 
>> From the description above, the attack seems to require curves that are 
>> explicitly-defined to be present in certificates; furthermore the curve 
>> needs to be a non-standard curve. Having an explicitly defined curve in 
>> a certificate is quite unusual - RFC 5480 actually forbids this 
>> specifically.
>> 
>> The script linked above checks if a certificate is an elliptic curve 
>> certificate - and then checks if the curve field was set by Zeek - which 
>> it should always be for named curves. If the curve is not set, a notice 
>> is raised.
>> 
>> Limitations & False positives
>> =============================
>> 
>> Short version: there may be false positives - it should not be many.
>> 
>> If I understand CVE-2020-0601 correctly, this script should always alert 
>> when a suspicious certificate is found in traffic. However, there are a 
>> few cases where it may alert when a certificate is benign.
>> 
>> Specifically, it is possible for a certificate to explicitly define a 
>> well-known curve, instead of just putting the ID of the curve in the 
>> certificate. When this happens, the alert behavior of the script 
>> currently depends on the locally installed version of OpenSSL. Some 
>> versions of OpenSSL convert the curve back to its name - in which case 
>> no alert is raised (which is correct). However, other versions do not do 
>> this - and lead to Zeek leaving the field empty. This will lead to a 
>> notice being raised.
>> 
>> I am not sure why the behavior differs - this seems to depend on 
>> configuration choices of different Linux distributions - and sadly this 
>> seems to not work in a lot of linux distributions. I could not map it to 
>> specific versions of OpenSSL.
>> 
>> The package contains several tests - if the explicit.bro test fails, 
>> your OpenSSL installation does not perform the conversion - which 
>> theoretically lead to false positives.
>> 
>> That being said - in theory, explicit curves should not be used for TLS 
>> communication. Which brings me to…
>> 
>> Feedback
>> ========
>> 
>> If you use this and see it raising a lot of notices, or have other 
>> feedback - please write either here or to me directly.
>> 
>> I am currently working on trying to get the detection better - this will 
>> require making this a binary module that directly calls into OpenSSL to 
>> examine the certificate datastructures.
>> 
>> Johanna
>> 
>> _______________________________________________
>> Zeek mailing list
>> zeek at zeek.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek

More information about the Zeek mailing list