DNSS Inc – IT consulting and IT security services for small to mid-size businesses

Researchers Detail PoC Code for New Windows Vulnerability

A day after the U.S. National Security Agency disclosed a vulnerability that could affect the cryptographic operations in some versions of Microsoft Windows, security researchers started releasing “proof of concept” code to show how attackers potentially could exploit the flaw. This highlights the urgency of patching.

The vulnerability affects versions of Windows 10 as well as Windows Server 2016 and 2019. While some proof-of-concept code has been released, it’s not yet clear if attackers have actually exploited the vulnerability.

The bug, which is listed as CVE-2020-060, is a spoofing flaw that affects Windows’ CryptoAPI, a component that handles cryptographic operations within the operating system. The vulnerability is considered critical enough that the U.S. Department of Homeland Security issued an alert Tuesday asking that businesses and federal agencies apply the Microsoft patch within 10 days.

If left unpatched, Microsoft and the NSA warn, the vulnerability could be used by an attacker to fake digital certificates that are used as part of encrypted communications within Windows. This means hackers could execute man-in-the-middle attacks or decrypt confidential data within applications (see: NSA Uncovers ‘Severe’ Microsoft Windows Vulnerability).

Attack Methods Shown

On Wednesday, security researcher Saleem Rashid posted on Twitter an explanation of how an attacker could use the Windows vulnerability to create phony Transport Layer Security, or TLS, certificates, which would then allow someone to spoof a legitimate website.

Rashid showed how he spoofed the webpages of GitHub – owned by Microsoft – and the NSA with a “rickroll,” which replaces the content of the site with images of 1980s pop star Rick Astley. While Rashid didn’t publish the actual proof-of-concept code, he did show it was possible to trick Google’s Chrome browser into issuing the fake certificates.

Saleem Rashid@saleemrash1d

Firefox is safe: NSS doesn’t accept the certificate.

Chrome is fooled by the certificate, but it throws NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED. Will need to investigate.


Rashid told Ars Technica that his proof-of-concept code only comprised about 100 lines, although he acknowledged that this type of attack in a real-world scenario would take a much greater effort. The attack Rashid demonstrated takes advantage of the part of the Windows operating system that validates elliptic curve cryptography certificates, which allows for public-key cryptography.

After Rashid’s post on Twitter Wednesday, ZDNet reported that at least two other security researchers published proof-of-concept code on GitHub to demonstrate their methods of exploiting this particular vulnerability.

When Microsoft published its January 2020 Patch Tuesday update this week, it labeled this particular vulnerability as “important” because it had not been exploited in the wild prior to the disclosure. The NSA, however, deemed the flaw “severe,” and several security experts seemed to agree.

Jennifer Fernick, the head of research for the NCC Group, a cybersecurity and IT consulting firm, notes that the problem with this vulnerability is that even if an organization does patch the flaw, there’s still a chance that a threat actor could still conduct an attack by taking advantage of a third party that hasn’t fixed the bug.

“The challenge with vulnerabilities in the Windows CryptoAPI is the ubiquity and interconnectedness – even if your own infrastructure is patched in a timely manner, your vendors’, service providers’ or customers’ may not be,” Fernick tells Information Security Media Group. “Right now, before all impacted parties have done the necessary patching, there’s an opportunity for attackers to distribute malware by spoofing the code signing on malicious executables, making them appear to be from a legitimate source.”

In a blog post Tuesday, researcher Kenneth White added that this vulnerability is dangerous to security operations because it allows a hacker to fake legitimate certificates and spoof real sites or create a man-in-the-middle scenario to monitor communications and intercept data.

“With a rogue [Elliptic Curve Digital Signature Algorithm] certificate, any number of network comms are at risk. And that is a problem,” White writes. “Ultimately, the bug causes an issue of confused authority stemming from superficial inspection of what is purported to be an ‘official’ identity record, with the guarantee of a trusted entity that someone (or something) is who they claim to be (prior to granting authorization to perform an action).”

British security researcher Kevin Beaumont noted on Twitter Thursday that some attack scenarios, such as the man-in-the-middle hack, are difficult to pull off due to the limited number of systems that the flaw affects. Nevertheless, he said that security professionals should still take notice.

Kevin Beaumont


There’s a website for testing the NSA crypto thing, if you can open it without certificate warnings you may want to apply January 2020’s Windows patches. Note this is difficult to scale for MITM interception due to number of systems it doesn’t work on. https://chainoffools.wouaib.ch https://twitter.com/GossiTheDog/status/1217789386793857025 

Kevin Beaumont


Replying to @TalBeerySec @KudelskiSec

fyi, here’s what it looks like on win7 chrome.


NSA Disclosure

In its advisory Tuesday, the NSA notes the severity of the vulnerability is one reason why it decided to disclose it to Microsoft and then eventually to the public.

“NSA assesses the vulnerability to be severe and that sophisticated cyber actors will understand the underlying flaw very quickly and, if exploited, would render … platforms as fundamentally vulnerable,” the agency says.

Source: Researchers Detail PoC Code for New Windows Vulnerability

This entry was posted on January 16, 2020 in Blog.