Work-in-progress package to detect CVE-2020-0601


I assume most of you have heard of CVE-2020-0601. If not - see the advisory at and the description at

I have a small work-in-progress Zeek package that should be able to detect if someone is trying to exploit this in TLS communication, e.g. when impersonating a server.

The package is available at; the script itself is very short and available at

How does it work

Thanks Johanna - I must say, quite a timely package.

Thanks a lot!

Can we have that tweeted from the Zeek account?

Hello everyone,

I just wanted to announce that there now is an updated package to detect CVE-2020-0601.

The package is available at

But - before you run and install it - please read this email for more details on the package and the advantages/disadvantages over the old one.

Due to the fact that not everyone will be able to use the new package, the old package will also stay available at

Description of new package

Hello everyone,

in more news on this, I was just pointed to a POC for this - which is available at

Using this, I verified that both versions of the package successfully detect the exploit; I also added a test-case with a real exploit certificate to both packages (no other changes).

As previously mentioned - if you run this and see any exploit activity, I would be really interested in hearing about it.


You could also point a browser in your environment at hxxps:// - they set up that site to test for vulnerable browsers, but I found in testing that it also triggered my NSM.

Excellent work on this plugin / script - very handy!


in even more news - after a suggestion of Justin, I updated the script in a way that lets you log suspicious certificates - in case you will want to dig into exploit attempts afterwards.

Both versions of the plugin now have a setting (disabled by default) that will log all suspicious certificates encoded as base64.

To enable this, update your package and redef CVE_2020_0601::log_certs to true.