"Project Vulnerability Detection and Mitigation Report"

UNIT: ICT604

CVE Number: CVE-2020-0601

Name: CryptoAPI Spoofing Vulnerability

Authors: Jaspreet Kaur, Manpreet Kaur

Student Number: 33896023, 33906786

Submission Date: 13 October, 2022

Submitted To: Hui Cui

Table of Contents

Question 1

Question 2

Question 3

References

Question 1

Describe and explain the vulnerability with a reasonably high level of technical detail in your own words. A copy of a CVE report is not acceptable, and a superficial description will attract low marks. The description must include the outcomes of the vulnerability, i.e. what it can be used for, what level of access it provides, and which systems are affected by it.

When CVE-2020-0601 comes into play:

1. It is triggered during cryptographic operations, specifically certificate validation.

2. It is classified as a flaw in the Windows CryptoAPI.

3. An attacker uses it to trick crypt32.dll into validating a certificate on Windows 10.

Where this vulnerability is active:

1. Windows 10 is the version of Windows where this vulnerability is active. Earlier versions of Windows are not affected.

2. The vulnerability originates in crypt32.dll, the library Windows uses to carry out cryptographic operations.

3. crypt32.dll validates Authenticode digital signatures, which vendors use to sign applications and products digitally.

4. It also validates TLS certificates.

5. TLS certificates and digital signatures give Microsoft's customers a chain of trust, so they can rely on items as coming from a legitimate source.

How this weakness operates

Elliptic Curve (EC) key cryptography in Windows involves the following three elements:

1. A curve component: the mathematical elliptic curve function.

2. A public key component: a point [x, y] on that elliptic curve.

3. A private key component: a large number that is kept secret.

Working

To verify the digital signature on an executable file against a "Microsoft-owned cryptographic key", the certificate contained in the file's header is passed to a library function in crypt32.dll.

The function compares the public key component of the certificate under examination with the public key components of Microsoft's root certificates, and returns success if there is a match.

The vulnerability is a flaw in the logic of this function.

The flawed check takes only the public key component into account; the curve component is ignored.

An EC key with the same public key but a different curve is therefore treated as a success, i.e. "accepted as a Microsoft root certificate".

The curve component is a crucial and intricate part of an EC key: any modification to it results in a completely different key.

If exploited, the vulnerability could have the following effects:

This vulnerability can be exploited by creating a cryptographically sound and usable EC key that has the same public key component as a Microsoft root certificate.

The "public key" is calculated by multiplying the "private key" and the "curve":

Public key = Private key × Curve

If the private key's value is 1, things get a lot easier: multiplying the curve by 1 simply returns the curve itself, so the required spoofed key is produced directly.

A valid EC key can likewise be created from the public key of any "EC certificate" listed in the "trusted certificate chain".

Using such a key to sign the TLS certificate of a phoney website deceives crypt32.

The browser will then also believe it to be a legitimate website.
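The following worked example is added here and is not code from the report or from Microsoft; it models the comparison logic described in the "Working" and "effects" paragraphs above (and repeated in the proposal appendix) on a constructed toy curve over GF(17), so that the difference between the flawed check (public-key point only) and the correct check (point plus every curve parameter) can be run and observed. The curve y^2 = x^3 + 2x + 2, the base point (5, 1) and the private scalar 7 are all constructed for illustration; nothing here is a real-world curve or key.

```python
# Added example (not from the report): toy elliptic-curve arithmetic used to
# show why a root-key comparison must include the curve parameters and not
# just the public-key point. All curve values below are CONSTRUCTED.
from dataclasses import dataclass
from typing import Optional, Tuple

Point = Optional[Tuple[int, int]]   # None represents the point at infinity

P, A, B = 17, 2, 2                  # toy curve: y^2 = x^3 + 2x + 2 over GF(17)
BASE = (5, 1)                       # base point G, order 19 on this toy curve


def on_curve(pt: Point) -> bool:
    """Sanity check that a point satisfies the curve equation."""
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P == 0


def ec_add(p1: Point, p2: Point) -> Point:
    """Group law for affine points on the toy curve."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                  # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P   # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P          # chord slope
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def ec_mul(k: int, pt: Point) -> Point:
    """Double-and-add scalar multiplication: k * pt (the 'Private key x Curve' step)."""
    result: Point = None
    addend = pt
    while k > 0:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


@dataclass(frozen=True)
class ECKey:
    """An EC public key as the report describes it: curve parameters plus a point."""
    curve: Tuple[int, int, int, Tuple[int, int]]     # (p, a, b, base point)
    public: Tuple[int, int]


def flawed_match(cert_key: ECKey, root_key: ECKey) -> bool:
    """The pre-patch logic the report describes: compare the public-key point only."""
    return cert_key.public == root_key.public


def fixed_match(cert_key: ECKey, root_key: ECKey) -> bool:
    """What a verifier must do: the point AND every curve parameter must match."""
    return cert_key.public == root_key.public and cert_key.curve == root_key.curve


# Constructed stand-in for a trusted root key: private scalar 7 on the genuine curve.
ROOT_PRIVATE = 7
ROOT_KEY = ECKey(curve=(P, A, B, BASE), public=ec_mul(ROOT_PRIVATE, BASE))

# The case the report describes: same public point, different curve description
# (its base point is the root's public point, and its private key is 1, so
# 1 x base point reproduces the root's public point).
LOOKALIKE_KEY = ECKey(curve=(P, A, B, ROOT_KEY.public),
                      public=ec_mul(1, ROOT_KEY.public))

# An ordinary, unrelated key on the genuine curve.
OTHER_KEY = ECKey(curve=(P, A, B, BASE), public=ec_mul(3, BASE))


def compare_checks(cert_key: ECKey, root_key: ECKey) -> Tuple[bool, bool]:
    """Returns (flawed_result, fixed_result) for one certificate key against a root."""
    return flawed_match(cert_key, root_key), fixed_match(cert_key, root_key)


if __name__ == "__main__":
    for name, key in (("root itself", ROOT_KEY), ("lookalike", LOOKALIKE_KEY), ("other", OTHER_KEY)):
        print(f"{name:12s} flawed/fixed = {compare_checks(key, ROOT_KEY)}")
```

Running the block shows the lookalike key passing the flawed comparison and failing the fixed one, while the root key itself passes both; the fixed comparison is the property a verifier needs, and it is what the curve component in the "Working" paragraph protects.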

Question 2

Under the assumption that there is no short-term fix for the vulnerability, describe a method for detecting exploitation of this vulnerability. This part should start with a more general explanation of the approach but must also provide a detailed technical design for it and explain how it can be implemented.

The CVE-2020-0601 vulnerability affects Windows 10 systems, including the server versions Windows Server 2016 and Windows Server 2019, and is present in the user-mode cryptographic library CRYPT32.DLL. On the whole, the patched version of the library contains five modified existing functions and five new, potentially interesting ones. When several new functions are added at once, as in this case, it is likely that the existing functions have been changed to call the new ones. Fortunately, since Microsoft publishes debugging symbols for most Windows components, we can learn a lot simply by looking at the function names.

Let's look at the modified function names first:

Figure 1

Although the Windows CryptoAPI spans a number of distinct libraries, the vulnerability is in crypt32.dll. Comparing the last unpatched version of the DLL (10.0.18362.476) against the patched version (10.0.18362.592) with BinDiff shows only minor differences:

Figure 2
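The version numbers quoted above also give a simple exposure check. The following script is an added example, not part of the report or any Microsoft tooling: it reads a constructed inventory of hosts and their crypt32.dll file versions and sorts them into patched, unpatched and unknown. The fixed build 10.0.18362.592 is the one the report names, and it applies only to the 18362 build line; other Windows releases carry their own fixed builds (listed in Microsoft's January 2020 release notes), so hosts on another build line are reported as unknown rather than guessed.

```python
# Added example (not from the report): classify hosts by crypt32.dll version.
# The inventory text is CONSTRUCTED; the fixed build comes from the report.
import csv
import io
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# build line (major, minor, build) -> first fixed file version on that line.
# Only the line the report discusses is filled in; add others from the release notes.
FIXED_BUILDS: Dict[Version, Version] = {
    (10, 0, 18362): (10, 0, 18362, 592),
}


def parse_version(text: str) -> Version:
    """Turns '10.0.18362.476' into (10, 0, 18362, 476); rejects malformed strings."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 4:
        raise ValueError(f"expected a four-part file version, got {text!r}")
    return parts


def patch_state(version_text: str) -> Optional[bool]:
    """True = at/above the fixed build, False = below it, None = build line not known here."""
    version = parse_version(version_text)
    fixed = FIXED_BUILDS.get(version[:3])
    if fixed is None:
        return None
    return version >= fixed


# Constructed sample inventory (host name, crypt32.dll file version).
INVENTORY = """host,crypt32_version
ws01,10.0.18362.476
ws02,10.0.18362.592
srv01,10.0.18362.657
srv02,10.0.17763.973
"""


def triage(csv_text: str) -> Dict[str, List[str]]:
    """Buckets every host in the CSV by its patch state."""
    buckets: Dict[str, List[str]] = {"patched": [], "unpatched": [], "unknown_build_line": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        state = patch_state(row["crypt32_version"])
        if state is None:
            buckets["unknown_build_line"].append(row["host"])
        elif state:
            buckets["patched"].append(row["host"])
        else:
            buckets["unpatched"].append(row["host"])
    return buckets


if __name__ == "__main__":
    for bucket, hosts in triage(INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

The comparison is done on the full four-part tuple, so a later cumulative update on the same build line (10.0.18362.657 in the sample) is correctly counted as patched; the "unknown" bucket is there so that a host on a build line without a threshold is never silently reported as safe.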

Question 3

Under the assumption that there is no short-term fix for the vulnerability, describe a method for mitigating exploitation based on this vulnerability. This part should start with a more general explanation of the approach but must also provide a detailed technical design for it and explain how it can be implemented.

Mitigation:

A critical flaw that could have allowed an attacker to impersonate a trusted source when issuing a certificate has been fixed by Microsoft in a Windows security update.

Microsoft received the report of the vulnerability (CVE-2020-0601) from the NSA. The main cause of the issue is the incorrect Elliptic Curve Cryptography (ECC) implementation in Microsoft's code.

The vulnerability's primary cause was explained, using a load-bearing analogy, in an article by Microsoft's security research manager Tal Be'ery. That is available here.

Looking at the logs:

When an attempt to exploit a security vulnerability is detected in a user-mode application, Windows' CveEventWrite method publishes events. To my understanding, the fix for CVE-2020-0601 was the first application to use this API.

Once the Windows update is installed, an attempt to exploit the known vulnerability causes the system to generate Event ID 1 in the event log under Windows Logs/Application after each reboot. The MSRC guidance for this fix provides more information about this event, which is raised by a user-mode process (scroll to the bottom of the article to find it).

Figure: 3
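To make the log-based detection above concrete, here is an added example (not code from the report, from Microsoft, or from Azure Sentinel) that runs triage logic over a constructed set of event records resembling an Application-log export. The report names only the log (Application) and the event ID (1); the provider name "Microsoft-Windows-Audit-CVE", the message wording, the host names and the timestamps used in the sample are assumptions made for this illustration. Because the CveEventWrite channel is generic, the code also breaks events down per CVE identifier rather than hard-wiring a single one.

```python
# Added example (not from the report): triage of Event ID 1 records from the
# Windows Application log. SAMPLE_EVENTS is CONSTRUCTED to mimic the relevant
# fields of an exported event; it is not real captured data.
import re
from collections import Counter
from typing import Dict, List, Optional

# Assumption: provider name of the events CveEventWrite raises. The report
# itself names only the log (Application) and the event ID (1).
CVE_PROVIDER = "Microsoft-Windows-Audit-CVE"
CVE_EVENT_ID = 1
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,7}")

SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"time": "2020-01-20T09:14:02Z", "host": "ws01", "log": "Application",
     "provider": CVE_PROVIDER, "id": 1, "message": "[CVE-2020-0601] cert validation"},
    {"time": "2020-01-20T09:14:05Z", "host": "ws01", "log": "Application",
     "provider": CVE_PROVIDER, "id": 1, "message": "[CVE-2020-0601] cert validation"},
    {"time": "2020-01-20T11:40:31Z", "host": "srv02", "log": "Application",
     "provider": CVE_PROVIDER, "id": 1, "message": "[CVE-2020-0601] cert validation"},
    # Noise that shares the log or the event ID but not the provider:
    {"time": "2020-01-20T11:41:00Z", "host": "srv02", "log": "Application",
     "provider": "Application Error", "id": 1000,
     "message": "Faulting application name: notepad.exe"},
    {"time": "2020-01-20T12:00:00Z", "host": "ws03", "log": "System",
     "provider": "Service Control Manager", "id": 1,
     "message": "unrelated event that also has ID 1"},
]


def is_cve_audit_event(ev: Dict[str, object]) -> bool:
    """True only for Application-log events from the CVE audit provider with ID 1."""
    return (ev.get("log") == "Application"
            and ev.get("provider") == CVE_PROVIDER
            and ev.get("id") == CVE_EVENT_ID)


def extract_cve(ev: Dict[str, object]) -> Optional[str]:
    """Pulls the CVE identifier out of the message text, if one is present."""
    match = CVE_RE.search(str(ev.get("message", "")))
    return match.group(0) if match else None


def cve_breakdown(events: List[Dict[str, object]]) -> Counter:
    """Counts audit events per CVE identifier; the channel is not tied to one CVE."""
    return Counter(extract_cve(ev) or "unknown" for ev in events if is_cve_audit_event(ev))


def summarize(events: List[Dict[str, object]], cve: str = "CVE-2020-0601") -> Dict[str, object]:
    """Per-host summary for one CVE: event count and first time each host reported it."""
    hits = sorted((ev for ev in events if is_cve_audit_event(ev) and extract_cve(ev) == cve),
                  key=lambda ev: str(ev["time"]))
    per_host: Counter = Counter(str(ev["host"]) for ev in hits)
    first_seen: Dict[str, str] = {}
    for ev in hits:
        first_seen.setdefault(str(ev["host"]), str(ev["time"]))
    return {"cve": cve, "events": len(hits), "hosts": dict(per_host), "first_seen": first_seen}


if __name__ == "__main__":
    print(cve_breakdown(SAMPLE_EVENTS))
    print(summarize(SAMPLE_EVENTS))
```

Filtering on provider and log, not just on the event ID, is what keeps the unrelated ID-1 event from the System log out of the result; the per-host first-seen time is the field an analyst would pivot on when checking which certificate or process triggered the event on that machine.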

Microsoft Defender ATP:

If Microsoft Defender ATP (which now also supports macOS) is deployed across your enterprise, you get the detection out of the box. When Microsoft shipped the update, the detection logic was also incorporated into MDATP:

Figure 4

The detection will also appear in the new Microsoft Threat Protection (MTP), since MDATP has been integrated with the other Microsoft ATP products:

Figure 5

REFERENCES:

Goet, M. (2022). Detecting CVE-2020-0601 and other attempts to exploit known vulnerabilities using Azure Sentinel. Retrieved from https://medium.com/wortell/detecting-cve-2020-0601-and-other-attempts-to-exploit-known-vulnerabilities-using-azure-sentinel-652fbcc0364c

Microsoft Security Response Center (2022). January 2020 Security Updates: CVE-2020-0601. Retrieved from https://msrc-blog.microsoft.com/2020/01/14/january-2020-security-updates-cve-2020-0601/

Trend Micro Incorporated (2022). A Technical Analysis of CurveBall (CVE-2020-0601). Retrieved from https://www.trendmicro.com/en_us/research/20/b/an-in-depth-technical-analysis-of-curveball-cve-2020-0601.html

Rapid7 (2020). Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601): What You Need to Know: What is the CryptoAPI Spoofing Vulnerability? Who is impacted? Retrieved from https://www.rapid7.com/blog/post/2020/01/16/cve-2020-0601-windows-cryptoapi-spoofing-vulnerability-what-you-need-to-know/

Project Topic Proposal

Submitted to: Hui Cui

Group members: Jaspreet Kaur (33896023), Manpreet Kaur (33906786)

CVE Number: CVE-2020-0601

Name: CryptoAPI Spoofing Vulnerability

Description: All devices running the 32-bit and 64-bit versions of Windows 10 are vulnerable, including Windows Server 2016 and 2019. Because of this flaw, Elliptic Curve Cryptography (ECC) certificate validation can bypass the trust store, allowing unwanted or malicious software to appear duly signed by a reputable or trusted entity. This can mislead users or defeat antivirus and other malware detection tools. Moreover, a browser that relies on the Windows CryptoAPI would not produce a warning if a fraudulently created certificate were presented for a hostname that did not authorise it, which would allow an attacker to decrypt, alter, or inject data on user connections without being noticed.

Detection:

Windows endpoints are exposed to a wide variety of attack vectors because of this vulnerability. According to the NSA, the problem is serious: sophisticated cyber actors would understand it quickly, and, if exploited, it renders the platforms named above fundamentally vulnerable. If the vulnerability is not patched, serious and widespread consequences will follow. Tools for remote exploitation will probably be released quickly and widely. The only known mitigation at this time is rapid patch adoption, which needs to be every network owner's top priority.

Mitigations: There are a few steps to follow to mitigate the vulnerability:

CISA strongly advises enterprises to read the Microsoft January 2020 Release Notes page for more information and to install the essential updates as soon as possible. Give mission-critical systems, internet-accessible systems and networked servers priority when patching. Organisations should then prioritise patching the other affected IT/OT assets.

Review NIST Special Publication 800-40, Third Edition, Guide to Enterprise Patch Management Technologies. Patch management is the process of finding, obtaining, applying, and verifying fixes for systems and products. The guide is intended to help businesses grasp the fundamentals of enterprise patch management technologies. It discusses the significance of patch management and examines the difficulties involved in carrying it out. It gives a summary of enterprise patch management solutions and briefly covers criteria for gauging the efficiency of the technologies.

Study NIST's Enterprise Patch Management Technologies Guide alongside the relevant CISA Insight. Each CISA Insight offers background information on a specific cyber threat and the vulnerabilities it exploits, as well as a ready-made list of mitigation measures that non-federal partners can carry out. It is based on U.S. cyber intelligence and actual events.

When CVE-2020-0601 comes into play:

It is triggered during cryptographic operations.

It is disclosed as a vulnerability in the CryptoAPI.

An attacker uses it to obtain certificate validation on Windows 10 by fooling crypt32.dll.

Where this vulnerability works:

This vulnerability affects the Windows 10 operating system. Earlier versions of Windows were not affected.

The vulnerability comes from a file called crypt32.dll, which performs cryptographic tasks for Windows.

It validates Authenticode digital signatures, which companies use to digitally sign their applications and products.

It also verifies TLS certificates.

TLS certificates and digital signatures provide a chain of trust to Microsoft's consumers, so that they can rely on products as coming from a valid vendor.

How this vulnerability works:

EC (Elliptic Curve) key cryptography in Windows involves the following three components:

A mathematical elliptic curve function, called the curve component.

A coordinate [x, y] on the elliptic curve, called the public key component.

A large number that is kept secret, called the private key component.

Working:

To check the digital signature of an executable file against a "Microsoft-owned cryptographic key", the certificate included in the header of the file is passed to a library function of crypt32.dll.

The function compares the public key component of Microsoft's root certificates with the public key component of the examined certificate. If a match exists, it returns success.

The vulnerability is a bug in the logic of this function.

The bug considers only the public key component and does not take the curve component into consideration.

An EC key with the same public key and a different curve is therefore certified as a success ("accepted as a Microsoft root certificate").

The curve component is an essential and complex component of the EC key; any change to it generates a completely different key.

Potential impacts of the vulnerability if it is exploited:

This vulnerability can be exploited by crafting a cryptographically correct and usable EC key that contains the same public key component as a Microsoft root certificate.

The "public key" is computed from the "private key" and the "curve" by multiplying the two:

Public key = Private key × Curve

If the value of the private key is 1, things become much simpler: multiplying the curve by 1 returns the curve itself, and the desired spoofed key is produced.

Similarly, a valid EC key can be crafted using the same public key as one of the "EC certificates" listed in the "trusted certificate chain".

Using such a key to sign a fake website's TLS certificate will then fool crypt32.

The browser will also trust it as an authentic website.

Thus, if the vulnerability is exploited, a malicious user can deceive users with a malicious website. The malicious user can also obtain a trusted certificate for malicious applications and products, and then use them to deceive users and carry out malicious activities.
