Exploit code for the Windows 10 “curveball” crypto vulnerability has surfaced
Exploit code for the Windows 10 “curveball” crypto vulnerability the U.S. Government warned about has now surfaced. That’s real bad news for 900 million users.
The Windows 10 CryptoAPI vulnerability reported by the NSA gets named “curveball”
Three days is a long time in cybersecurity. It was only three days ago that I wrote an article, “New Windows 10 ‘Extraordinarily Serious’ Security Warning For 900 Million Users,” which predicted that the monthly Microsoft Patch Tuesday update would reveal one of the more severe vulnerabilities to hit the operating system for some time. In the less than 72 hours that have followed, Anne Neuberger, director of the National Security Agency (NSA) Cybersecurity Directorate, confirmed that the NSA itself had reported the flaw, which “makes trust vulnerable.” Within hours of that announcement, Microsoft released the Patch Tuesday updates and disclosed CVE-2020-0601, a Windows CryptoAPI spoofing vulnerability which some are now calling “curveball.”
CISA issues emergency directive but some security professionals remain unimpressed
The implications were thought serious enough to persuade the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to issue an emergency directive recommending the immediate patching of Windows 10. Then the inevitable backlash started, with some security professionals taking to social media to dismiss the vulnerability as being not all that. Indeed, I had conversations with well-respected members of the infosec community who warned me not to indulge the NSA in this exercise of hyperbole; that the vulnerability was far from critical in nature and would be difficult to exploit. The overall picture that was being painted can be summed up as “nothing to see here; please move along.”
Curveball proof of concept exploit code has now surfaced
There is, however, plenty to see already. By stitching together the known technical detail disclosed by Microsoft, the Computer Emergency Response Team (CERT), and the NSA, researchers started to produce proof of concept (POC) exploits. Saleem Rashid was able to exploit the curveball vulnerability to Rickroll both the NSA.gov and GitHub websites, making them play a video of Rick Astley singing Never Gonna Give You Up. Saleem didn’t publish his exploit code, but it nonetheless didn’t take long before more POC exploits appeared online. Kudelski Security researchers, having determined that “it might be possible to craft certificates using Elliptic Curve Cryptography (ECC) and explicit parameters that do not fully match a standard curve,” produced a POC exploit and a test to determine whether a user is vulnerable.
Difficult for script kiddies but relatively easy for determined attackers
The good news is that Microsoft Windows Defender has been updated to detect certificates crafted to exploit the certificate validation flaw, and Kudelski Security said that the curveball vulnerability is not “at risk of being exploited by script kiddies or ransomware.” However, Kudelski also warned that exploits are in the wild, and that nation-state adversaries would have the capability needed to “own the network” and pull off an attack.
The MF’er attack scenario
Yes, this remains an attack scenario that requires a certain level of skill and determination. But that doesn’t mean it can be ignored. Man-in-the-middle attacks, or MF’er attacks to be less gender-biased about the terminology, are challenging to carry out, but that doesn’t stop them from happening. A lot. Not that an MF’er attack would have to be in place to exploit curveball; it could be achieved by social engineering. Directing a victim to a site using an ECC-signed root certificate, to ensure it is cached on the target system, and then implementing a malicious clicking strategy could be enough.
You know what to do: update Windows 10, Windows Server 2016 and Windows Server 2019 ASAP
If three days is a long time in cybersecurity, a week or two is an absolute era as far as threat actors are concerned. It is only a matter of time, and I imagine not that much of it, before I find myself reporting on a real-world curveball attack. So, please, listen to the advice and ensure that your Windows 10, Windows Server 2019 and Windows Server 2016 systems are patched with the utmost urgency.