SLTechnology News&Howtos > Network Security (updated 2025-02-25)
Shulou (Shulou.com) 05/31 report
Windows has been found to contain a serious security vulnerability, CVE-2020-0601, in CryptoAPI certificate verification. This article presents the corresponding analysis and remediation in detail, in the hope of helping those who need to resolve the problem find a simple and workable approach.
A serious security vulnerability has been disclosed in Windows that prevents CryptoAPI from correctly verifying elliptic curve cryptography (ECC) certificates, which attackers can use to spoof the certificate trust chain. Microsoft released a major software update yesterday to fix the vulnerability. The NSA simultaneously issued a security advisory, in which it assessed the vulnerability as severe.
The vulnerability is tracked as CVE-2020-0601 and affects the cryptographic features of all Microsoft Windows versions. It undermines the certificate trust system on which Windows certificate-based cryptographic authentication relies, and can be exploited to execute remote code.
Vulnerability overview
The CVE-2020-0601 vulnerability lies in CryptoAPI, the cryptographic component of Windows. CryptoAPI is a Windows security services application programming interface that Microsoft provides to developers; applications use it to implement data encryption, decryption, signing and signature verification.
The Microsoft Windows CryptoAPI provided by Crypt32.dll fails to properly verify the trust chain of ECC certificates. An attacker can use this vulnerability to forge a trusted root certificate and issue certificates from it. The CertGetCertificateChain() function in Crypt32.dll is used to verify the validity of an X.509 certificate and trace it back to a certificate issued by a trusted root CA. Because of the flaw in this function, certificates, including those chaining to third-party (non-Microsoft) root certificates, cannot be verified correctly.
Vulnerability impact
Microsoft Windows versions that support certificates whose ECC keys specify explicit curve parameters are affected. This includes Windows 10 and Windows Server 2016 and 2019. Windows 8.1 and earlier, and Server 2012 R2 and earlier, do not support ECC keys with explicit parameters. As a result, those earlier versions of Windows simply distrust certificates that attempt to exploit this vulnerability and are not affected by it.
Using this vulnerability, an attacker can bypass the Windows authentication trust system, compromise trusted network connections and deliver executable code. Examples of trust that may be affected include, but are not limited to, HTTPS connections, file and e-mail signatures, and signed executables launched in user mode.
Because of the vulnerability, Windows endpoints face a wide range of attack vectors. If it is exploited, the platform is fundamentally compromised. If the vulnerability is not patched promptly, the consequences may be serious.
Mitigation measures
Installing the patch promptly is the only known mitigation, and it is recommended that you upgrade immediately. The NSA recommends that all January 2020 Patch Tuesday updates (portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601) be installed as soon as possible to effectively mitigate the vulnerability on all Windows 10 and Windows Server 2016 and 2019 systems.
If comprehensive automatic patching is not available, it is recommended that system owners give priority to hosts that provide essential and critical services, such as:
Windows-based web appliances, web servers, or proxies that perform TLS validation.
Hosts for critical infrastructure: domain controllers, DNS servers, update servers, VPN servers and IPSec negotiation endpoints.
Priority should also be given to endpoints with a high risk of exploitation, including hosts directly exposed to the Internet and hosts frequently used by privileged users, such as operations and maintenance machines and bastion hosts.
Administrators should upgrade and patch these hosts promptly. It is recommended that patches be applied to all affected hosts wherever possible, rather than only to the categories of hosts given priority. In addition to installing patches, other measures can be taken to protect hosts. Network device and host logging features may block or detect some exploitation attempts, but patching all platforms remains the most effective mitigation.
Network Prevention and Certificate Detection
Some enterprises route traffic through proxy devices that perform TLS inspection but do not rely on Windows for certificate verification. These devices can help isolate vulnerable endpoints behind the proxy.
Properly configured and managed TLS inspection proxies can independently validate TLS certificates from external entities and reject invalid or untrusted certificates, thereby protecting hosts from certificates that attempt to exploit the vulnerability.
Ensure that certificate validation is enabled on the TLS proxy to limit exposure to this class of vulnerability, and review its logs for signs of exploitation.
Packet capture analysis tools such as Wireshark can be used to parse network protocol data and extract certificates for further analysis. Tools such as OpenSSL and the Windows certutil utility can then be used to examine the certificates in depth and check for malicious properties.
Verify X.509 certificates
certutil inspects an X.509 certificate:
certutil -asn <certificate_file>
OpenSSL inspects an X.509 certificate:
openssl asn1parse -inform DER -in <certificate_file> -i -dump
or
openssl x509 -inform DER -in <certificate_file> -text
These commands parse and display the ASN.1 objects in the specified DER-encoded certificate file.
Verify elliptic curve certificates
When examining the output for an elliptic curve object with suspicious attributes, an elliptic curve certificate that identifies its curve by a standard curve OID can be judged benign. For example, the curve OID of the standard curve nistP384 is 1.3.132.0.34. Certificates with explicitly defined parameters (for example prime, a, b, base point, order and cofactor) that fully match those of a standard curve can likewise be considered benign.
certutil can list the registered elliptic curves and show their parameters with the following command:
certutil -displayEccCurve
The OpenSSL equivalents are:
openssl ecparam -list_curves
openssl ecparam -name <curve_name> -param_enc explicit -text
Certificates containing explicitly defined elliptic curve parameters that only partially match a standard curve are suspicious, especially if they include the public key of a trusted certificate, and may represent genuine exploitation attempts.
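To apply the rule above programmatically, here is an added example (not code from the article or from the NSA advisory) in pure Python: it decodes the ECParameters structure found in a certificate's public-key field, compares every field against the NIST P-256 constants, and reports a full match as benign and a partial match as suspicious. The DER samples it classifies are constructed inline from those constants; the helper names and the reference table are my own.

```python
# Added example (not code from the article): full match of a standard curve is benign, partial match suspicious.
P256 = {  # NIST P-256 constants (FIPS 186-4): reference table and source of the constructed samples
    "prime": 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF,
    "a": 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFC,
    "b": 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B,
    "base": (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
             0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5),
    "order": 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551,
    "cofactor": 1}
STANDARD_CURVES = {"nistP256 (OID 1.2.840.10045.3.1.7)": P256}
def der(tag, body):  # minimal DER TLV encoder; an int body becomes a positive INTEGER
    if isinstance(body, int):
        body = body.to_bytes((body.bit_length() + 8) // 8, "big")  # leading 0x00 if high bit set
    n, k = len(body), (len(body).bit_length() + 7) // 8
    ln = bytes([n]) if n < 128 else bytes([0x80 | k]) + n.to_bytes(k, "big")  # minimal long form
    return bytes([tag]) + ln + body
def tlvs(data):  # split a DER blob into its top-level (tag, content) pairs
    out, i = [], 0
    while i < len(data):
        tag, n, i = data[i], data[i + 1], i + 2
        if n & 0x80:  # long-form length
            n, i = int.from_bytes(data[i:i + (n & 0x7F)], "big"), i + (n & 0x7F)
        out.append((tag, data[i:i + n]))
        i += n
    return out
def parse_ec_params(blob):  # RFC 5480 ECParameters in explicit form -> dict of ints
    _ver, field, curve, base, order, *cof = tlvs(tlvs(blob)[0][1])
    (a, b), fl = tlvs(curve[1])[:2], (len(base[1]) - 1) // 2  # base point is 0x04 || x || y
    v = [int.from_bytes(x, "big") for x in (tlvs(field[1])[1][1], a[1], b[1], base[1][1:1 + fl],
                                             base[1][1 + fl:], order[1], cof[0][1] if cof else b"\x01")]
    return {"prime": v[0], "a": v[1], "b": v[2], "base": (v[3], v[4]), "order": v[5], "cofactor": v[6]}
def classify(blob):
    if blob[0] == 0x06:  # namedCurve form: a bare OID, benign per the text above
        return "benign: named curve OID"
    p = parse_ec_params(blob)
    for name, ref in STANDARD_CURVES.items():
        bad = [k for k in ref if p[k] != ref[k]]
        if len(bad) < len(ref):  # at least one field matches this standard curve
            return f"benign: fully matches {name}" if not bad else f"suspicious: partial match of {name}, differs in {', '.join(bad)}"
    return "unknown curve: review manually"
def encode_ec_params(c):  # builds the constructed samples: dict -> explicit-form DER
    fl = (c["prime"].bit_length() + 7) // 8
    pt = b"\x04" + c["base"][0].to_bytes(fl, "big") + c["base"][1].to_bytes(fl, "big")
    field = der(0x30, der(0x06, bytes.fromhex("2a8648ce3d0101")) + der(0x02, c["prime"]))  # prime-field OID
    curve = der(0x30, der(0x04, c["a"].to_bytes(fl, "big")) + der(0x04, c["b"].to_bytes(fl, "big")))
    return der(0x30, der(0x02, 1) + field + curve + der(0x04, pt) + der(0x02, c["order"]) + der(0x02, c["cofactor"]))

NAMED = bytes.fromhex("06082a8648ce3d030107")             # P-256 as a namedCurve OID
EXPLICIT_OK = encode_ec_params(P256)                       # explicit form, every field standard
EXPLICIT_BAD = encode_ec_params({**P256, "base": (2, 3)})  # constructed: base point is not the standard one
```

Feed classify() the ECParameters element located with openssl asn1parse in a real certificate, and extend STANDARD_CURVES with nistP384 (1.3.132.0.34) and the other curves listed by certutil -displayEccCurve as needed.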
This concludes the discussion of the serious security vulnerability CVE-2020-0601 in Windows CryptoAPI certificate verification. I hope the above content is of some help to you. If you still have questions, follow the industry information channel for more related content.