I assume most of you heard of CVE-2020-0601. If not - see the advisory at https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601 and the description at https://media.defense.gov/2020/Jan/14/2002234275/-1/-1/0/CSA-WINDOWS-10-CRYPT-LIB-20190114.PDF.
I have a small work-in-progress Zeek package that should be able to detect if someone is trying to exploit this in TLS communication, e.g. when impersonating a server.
The package is available at https://github.com/0xxon/cve-2020-0601; the script itself is very short and available at https://github.com/0xxon/cve-2020-0601/blob/master/scripts/cve-2020-0601.bro.
How does it work
Thanks Johanna - I must say quite timely package.
Thanks a lot!
Can we have that tweeted from the Zeek account?
I just wanted to announce that there now is an updated package to detect CVE-2020-0601.
The package is available at https://github.com/0xxon/cve-2020-0601-plugin
But - before you run and install it - please read this email for more details on the package and the advantages/disadvantages over the old one.
Due to the fact that not everyone will be able to use the new package, the old package will also stay available at https://github.com/0xxon/cve-2020-0601
Description of new package
In more news on this, I was just pointed to a POC for this - which is available at https://github.com/ollypwn/cve-2020-0601.
Using this, I verified that both versions of the package successfully detect the exploit; I also added a test-case with a real exploit certificate to both packages (no other changes).
As previously mentioned - if you run this and see any exploit activity, I would be really interested in hearing about it.
You could also point a browser in your environment at hxxps://cve20200601.dshield.org - they set up that site to test for vulnerable browsers, but I found in testing that it also triggered my NSM.
Excellent work on this plugin / script - very handy!
In even more news - after a suggestion of Justin, I updated the script in a way that lets you log suspicious certificates - in case you will want to dig into exploit attempts afterwards.
Both versions of the plugin now have a setting (disabled by default) that will log all suspicious certificates encoded as base64.
To enable this, update your package and redef CVE_2020_0601::log_certs to true.
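As an added example (not the package's Zeek code), a small stdlib-only Python checker that takes one of the base64-encoded certificates such a log would contain and reports whether its EC public key carries explicit curve parameters instead of a named-curve OID, which is the condition an exploit certificate for CVE-2020-0601 has to meet. The DER walker, the function names and the certificate skeleton used as test input are all constructed here; the skeleton only mimics the field layout and is not a valid certificate.

```python
import base64
EC_PUBLIC_KEY_OID = bytes.fromhex("2a8648ce3d0201")   # 1.2.840.10045.2.1 id-ecPublicKey

def der_tlv(buf, pos=0):
    """Decode one DER tag/length/value at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Decode every TLV inside a constructed value -> [(tag, value), ...]."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out

def ec_params_kind(cert_der):
    """Walk Certificate -> tbsCertificate -> subjectPublicKeyInfo -> algorithm parameters.
    Returns 'named' (curve OID), 'explicit' (ECParameters SEQUENCE), 'implicit' (NULL) or None."""
    fields = der_children(der_children(der_tlv(cert_der)[1])[0][1])
    if fields[0][0] == 0xA0:                # optional [0] version precedes serialNumber
        fields = fields[1:]
    algorithm = der_children(der_children(fields[5][1])[0][1])
    if algorithm[0][1] != EC_PUBLIC_KEY_OID:
        return None                         # RSA or other key type: not covered by this check
    params_tag = algorithm[1][0] if len(algorithm) > 1 else None
    return {0x06: "named", 0x30: "explicit", 0x05: "implicit"}.get(params_tag)

def is_suspicious(cert_b64):
    """True when a base64 DER certificate carries explicit EC curve parameters."""
    return ec_params_kind(base64.b64decode(cert_b64)) == "explicit"

def der_encode(tag, content):
    return bytes([tag, len(content)]) + content   # short-form DER only; fixture stays < 128 bytes

def make_sample_cert(ec_params):
    """Constructed skeleton with just the field layout ec_params_kind walks;
    NOT a valid certificate (empty names, dummy key and signature)."""
    seq = lambda *parts: der_encode(0x30, b"".join(parts))
    ecdsa_sha256 = seq(der_encode(0x06, bytes.fromhex("2a8648ce3d040302")))
    spki = seq(seq(der_encode(0x06, EC_PUBLIC_KEY_OID), ec_params), der_encode(0x03, b"\x00\x04"))
    tbs = seq(der_encode(0xA0, der_encode(0x02, b"\x02")),      # [0] version v3
              der_encode(0x02, b"\x01"), ecdsa_sha256,         # serialNumber, signature
              seq(), seq(), seq(), spki)                       # issuer, validity, subject, SPKI
    return seq(tbs, ecdsa_sha256, der_encode(0x03, b"\x00"))

def sample_cert_b64(ec_params):
    return base64.b64encode(make_sample_cert(ec_params)).decode()

NAMED_P256 = der_encode(0x06, bytes.fromhex("2a8648ce3d030107"))   # prime256v1 OID
EXPLICIT_PARAMS = der_encode(0x30, der_encode(0x02, b"\x01"))      # ECParameters { version 1 }
```

Real certificates from the log go through the same `is_suspicious` call, since `der_tlv` handles long-form lengths; a hit means the certificate deserves a closer look at its parameters against the standard curves, not that an exploit is proven.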