Windows Vulnerability: Researchers Demonstrate Exploits'Proof of Concept' Code Released; Patching Urged
A day after the U.S. National Security Agency disclosed a vulnerability that could affect the cryptographic operations in some versions of Microsoft Windows, security researchers started releasing "proof of concept" code to show how attackers potentially could exploit the flaw. This highlights the urgency of patching.
The vulnerability affects versions of Windows 10 as well as Windows Server 2016 and 2019. While some proof-of-concept code has been released, it's not yet clear if attackers have actually exploited the vulnerability.
The bug, which is listed as CVE-2020-060, is a spoofing flaw that affects Windows' CryptoAPI, a component that handles cryptographic operations within the operating system. The vulnerability is considered critical enough that the U.S. Department of Homeland Security issued an alert Tuesday asking that businesses and federal agencies apply the Microsoft patch within 10 days.
If left unpatched, Microsoft and the NSA warn, the vulnerability could be used by an attacker to fake digital certificates that are used as part of encrypted communications within Windows. This means hackers could execute man-in-the-middle attacks or decrypt confidential data within applications (see: NSA Uncovers 'Severe' Microsoft Windows Vulnerability).
Attack Methods Shown
On Wednesday, security researcher Saleem Rashid posted on Twitter an explanation of how an attacker could use the Windows vulnerability to create phony Transport Layer Security, or TLS, certificates, which would then allow someone to spoof a legitimate website.
Rashid showed how he spoofed the webpages of GitHub - owned by Microsoft - and the NSA with a "rickroll," which replaces the content of the site with images of 1980s pop star Rick Astley. While Rashid didn't publish the actual proof-on-concept code, he did show it was possible to trick Google's Chrome browser into issuing the fake certificates.
Firefox is safe: NSS doesn't accept the certificate.— Saleem Rashid (@saleemrash1d) January 15, 2020
Chrome is fooled by the certificate, but it throws NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED. will need to investigate. pic.twitter.com/Cxp7ycBNB4
Rashid told Ars Technica that his proof-of-concept code only comprised about 100 lines, although he acknowledged that this type of attack in a real-world scenario would take a much greater effort. The attack Rashid demonstrated takes advantage of the part of the Windows operating system that validates elliptic curve cryptography certificates, which allows for public-key cryptography.
After Rashid's post on Twitter Wednesday, ZDNet reported that at least two other security researchers published proof-of-concept code on GitHub to demonstrate their methods of exploiting this particular vulnerability.
When Microsoft published its January 2020 Patch Tuesday update this week, it labeled this particular vulnerability as "important" because it had not been exploited in the wild prior to the disclosure. The NSA, however, deemed the flaw "severe," and several security experts seemed to agree.
Jennifer Fernick, the head of research for the NCC Group, a cybersecurity and IT consulting firm, notes that the problem with this vulnerability is that even if an organization does patch the flaw, there's still a chance that a threat actor could still conduct an attack by taking advantage of a third party that hasn't fixed the bug.
"The challenge with vulnerabilities in the Windows CryptoAPI is the ubiquity and interconnectedness - even if your own infrastructure is patched in a timely manner, your vendors', service providers' or customers’ may not be," Fernick tells Information Security Media Group. "Right now, before all impacted parties have done the necessary patching, there's an opportunity for attackers to distribute malware by spoofing the code signing on malicious executables, making them appear to be from a legitimate source."
In a blog post Tuesday, researcher Kenneth White added that this vulnerability is dangerous to security operations because it allows a hacker to fake legitimate certificates and spoof real sites or create a man-in-the-middle scenario to monitor communications and intercept data.
"With a rogue [Elliptic Curve Digital Signature Algorithm] certificate, any number of network comms are at risk. And that is a problem," White writes. "Ultimately, the bug causes an issue of confused authority stemming from superficial inspection of what is purported to be an 'official' identity record, with the guarantee of a trusted entity that someone (or something) is who they claim to be (prior to granting authorization to perform an action)."
British security researcher Kevin Beaumont noted on Twitter Thursday that some attack scenarios, such as the man-in-the-middle hack, are difficult to pull off due to the limited number of systems that the flaw affects. Nevertheless, he said that security professionals should still take notice.
There's a website for testing the NSA crypto thing, if you can open it without certificate warnings you may want to apply January 2020's Windows patches. Note this is difficult to scale for MITM interception due to number of systems it doesn't work on. https://t.co/ZDz8vdm5ed https://t.co/UAAWWT5KWf— Kevin Beaumont (@GossiTheDog) January 16, 2020
In its advisory Tuesday, the NSA notes the severity of the vulnerability is one reason why it decided to disclose it to Microsoft and then eventually to the public.
"NSA assesses the vulnerability to be severe and that sophisticated cyber actors will understand the underlying flaw very quickly and, if exploited, would render ... platforms as fundamentally vulnerable," the agency says.
Brian Honan, the president of Dublin-based cybersecurity consultancy BH Consulting, believes that the NSA is likely to have known about this vulnerability for some time and recently discovered that attackers were devising ways to exploit it. This is likely the reason this information came to light now.
"Given that the NSA are the ones that brought this to the attention of the public it would indicate, in my opinion, they have been aware of this vulnerability for a while and may have information that it is already being used by adversaries to target US interests and have therefore taken the unusual step of going public," Honan told ISMG.