Trustwave's 2024 Financial Services Threat Reports Highlight Alarming Trends in Insider Threats & Phishing-as-a-Service. Learn More

Trustwave's 2024 Financial Services Threat Reports Highlight Alarming Trends in Insider Threats & Phishing-as-a-Service. Learn More

Services
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Security
Unlock the full power of Microsoft Security
Offensive Security
Solutions to maximize your security ROI
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

Windows CryptoAPI Spoofing Vulnerability - CVE-2020-0601

One of the most notable vulnerabilities patched during Microsoft's first Patch Tuesday of 2020 was a spoofing vulnerability in the Windows CryptoAPI. This has been issued CVE-2020-0601 and has also been referred to as the "Curveball" or "Chain of Fools" vulnerability.

The root of the vulnerability is in how Windows handles and validates Public encryption keys using specific ECC (Elliptic Curve Cryptography) algorithms. An ECC key has two parts to it; the actual bytes that define the encryption key itself and then metadata in the form of ECC parameters. When Windows validates these keys, it only does so by checking the key bytes and not the parameters. This would allow an attacker to generate a false key that would be validated as long as the key bytes match (even if the parameters do not). This vulnerability was introduced in Windows 10 since, before that, Windows didn't support ECC parameters.

Using a spoofed certificate could allow an attacker to spoof a valid encryption certificate and pretend to be to the valid organization. Typically an attacker would spoof a CA certificate. A CA stands for Certificate Authority and is a trusted root certificate that verifies and signs the certificates used for actual encryption. If your software or operating system trusts the CA, then it will trust all certificates that the CA has "signed" as trustworthy.

With a fake CA certificate, an attacker could generate and sign any certificate they want, and it would be trusted as authentic. For instance, an attacker could use a spoofed CA certificate to create certificates for your banking website or favorite e-commerce shop. If they could then convince you to visit their fake website, it would still appear to be valid by your webserver. In another attack vector, an attacker could play a man-in-the-middle attack if they have a presence on either the server or client's network. When the victim attempts to establish an encrypted connection with a website, the attacker intercepts the connection and presents the victim with their spoofed certificate instead. This would allow the attacker to decrypt all communication between the victim and the website.

Finally, the attacker could also use a spoofed certificate to sign software. Vendors often digitally sign their software so that users (via an automatic process in the Operating System) will know that the software they are executing actually came from the vendor that wrote it and not some rogue actor. With a spoofed certificate, an attacker could sign their malware and pass it off as valid software from a specific vendor.

In addition to the native patch now available from Microsoft, the Google Chrome web browser has been updated to flag these invalid certificates, while Mozilla's Firefox already had protections to prevent acceptance of these types of spoofed certificates.

Trustwave Secure Web Gateway (SWG) customers are protected "out of the box" against these types of attacks. Since SWG is not vulnerable to this issue, it will correctly validate certificates and reject those that are spoofed.

Note that there are two policies that pertain to SWG’s behavior with certificates: HTTPS policy, which controls whether or not SWG will allow establishing a connection with a website with an invalid certificate. The second policy is the digital certificate validation rule within the security policy, which tells SWG how to react to files signed with invalid certificates. The default policy is to reject invalid certificates, but customers may want to verify that these defaults have not been modified.

Additionally, Customers of Trustwave Security Testing Services will be able to verify if their systems have been appropriately patched against these attacks.

For more information, please refer to Microsoft's write up here: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/cve-2020-0601

About the Author

Karl Sigler is Security Research Manager, SpiderLabs Threat Intelligence at Trustwave. Karl is a 20- year infosec veteran responsible for research and analysis of current vulnerabilities, malware and threat trends at Trustwave. Follow Karl on LinkedIn.

ABOUT TRUSTWAVE

Trustwave is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.

Latest Intelligence

Discover how our specialists can tailor a security program to fit the needs of
your organization.

Request a Demo