This post is also available in: 日本語 (Japanese)
In January 2020, during the first Patch Tuesday of the new year, Microsoft released patches for 17 new vulnerabilities including one for CVE-2020-0601 known as Curveball. The vulnerability exists in the Windows CryptoAPI (Crypt32.dll) and specifically relates to the method used for Elliptic Curve Cryptography (ECC) certificate validation. At the time of release, Microsoft affirmed that they had not yet seen the vulnerability exploited in the wild (ITW). Researcher Tal Be’ery released a blog titled “Win 10 Crypto Vulnerability: Cheating in Elliptic Curve Billiard 2” that does a fantastic job at explaining this bug.
The patch provided by Microsoft included the typical release of operating system patches, but this time a new Application Programming Interface (API) function was added. The new CveEventWrite function can be used to publish events when an attempt to exploit security vulnerabilities in user-mode applications occurs. Analysts can collect alerts on the Application Message “CVE-2020-0601” as a means to hunt for attempted exploitation of this vulnerability on patched systems.
We also recommend users of the Chrome browser to update to version 79.0.3945.130 as they recently released an update to fix the TLS issue.
Palo Alto Networks customers running Traps are now safeguarded from the Windows CryptoAPI Spoofing vulnerability, regardless of whether they are running an unpatched Microsoft Windows 10 system. Additionally, Palo Alto Networks offers multiple, additional complementary protections:
- Cortex XDR and Traps can:
- Stop the vulnerability exploit on patched and unpatched Windows 10 systems.
- Block spoofed executables from running by detecting any attempt to exploit this vulnerability and terminating the process using Behavioral Threat Protection.
- Alert on attempted exploitation against patched systems based on the usage of the CveEventWrite Event Application Message. The alert includes the file path of the malicious sample.
- To gain protection, customers should ensure they are running the latest agent version.
- WildFire can stop the exploit with static signature detections.
- Next-Generation Firewalls can automatically stop sessions with certificates signed by an untrusted issuer, as were used in this threat, when applying the recommended configuration from our SSL decryption best practices.
As a member of the Microsoft Active Protections Program (MAPP) program, Palo Alto Networks received early details of the vulnerability, providing greater understanding of the threat, which helps us implement strong product coverage. As always, we recommend keeping your Microsoft products up to date with the latest patches to mitigate this vulnerability.
Palo Alto Networks will update this Threat Brief with new information and recommendations as they become available.