X.509 extensions can be used for covert channel data transfer and C2

Hi Everyone,
Has anyone looked at this research https://www.fidelissecurity.com/threatgeek/2018/02/exposing-x509-vulnerabilities with a view to creating a Bro detection?

Looks as simple as checking a value in the TLS extension to see if it falls on an expected length to be a hash value.

Kind regards,
Andy
Andrew.Ratcliffe@NSWCSystems.co.uk
CISSP, CSTA, CSTP, CWSA
GIAC: GCIA, GCIH, GPEN, GWAPT, GCFE, GREM, GPYC, GNFA
Computer Forensic & Security Specialist
Blog.InfoSecMatters.net

Hi Andy,

> Has anyone looked at this research
> https://www.fidelissecurity.com/threatgeek/2018/02/exposing-x509-vulnerabilities
> with a view to creating a Bro detection?

Doing what they recommend in Bro is not a problem at all; Bro raises an
event for all X.509 extensions
(https://www.bro.org/sphinx/scripts/base/bif/plugins/Bro_X509.events.bif.bro.html#id-x509_extension)
and you can just check the length there.

Bro also can perform validation of all certificates, which is the second
remedy that they proposed.

However, please note that just thinking about this for 30 seconds, I can
think of at least 3 other ways to hide data in TLS handshakes that this
would not catch (and that they did not talk about), some of them easier to
implement for an attacker than this.

Plus - if you can establish a TLS connection without there being a DLP
device in the middle you could always just send the data after encryption
kicks in.

Johanna
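As an added illustration of the two points above (Andy's length check on the extension value, and Johanna's note that Bro raises `x509_extension` for every extension and can validate the chain), here is a Bro script sketch. It is not code from the thread, from Fidelis, or from the Bro project. The module name, notice type and the two tunables are my own; the only hard fact it relies on is the event signature `x509_extension(f: fa_file, ext: X509::Extension)` and the OID of subjectKeyIdentifier (2.5.29.14). The expected length of 59 characters assumes Bro renders a 20-byte SHA-1 key identifier in OpenSSL's colon-separated hex form; check that against your own x509.log before trusting it.

```bro
##! Added example, not part of the original thread: flag X.509 extensions
##! whose printed value length is not what a hash-bearing extension should
##! carry, and load Bro's certificate validation as the second remedy.

@load base/protocols/ssl
@load base/files/x509
# Chain validation raises SSL::Invalid_Server_Cert when it fails.
@load protocols/ssl/validate-certs

module X509Covert;   # hypothetical module name

export {
	redef enum Notice::Type += {
		## An extension that normally holds a fixed-size hash has an
		## unexpected length, or any extension value is unusually large.
		Suspicious_Extension_Length,
	};

	## Expected rendered length per extension OID (hypothetical tunable).
	## 2.5.29.14 = subjectKeyIdentifier. A 20-byte SHA-1 printed as
	## "AB:CD:..." is 20*2 + 19 separators = 59 characters. Assumption:
	## verify the value format in your x509.log before relying on it.
	const hash_ext_lengths: table[string] of count = {
		["2.5.29.14"] = 59,
	} &redef;

	## Any extension value longer than this is reported regardless of
	## type (hypothetical tunable; tune to your environment).
	const max_ext_value_len = 512 &redef;
}

# Bro raises this once per extension of every certificate it parses,
# so a length check here covers all observed certificates.
event x509_extension(f: fa_file, ext: X509::Extension)
	{
	local l = |ext$value|;
	local reason = "";

	if ( ext$oid in hash_ext_lengths && l != hash_ext_lengths[ext$oid] )
		reason = fmt("%s (%s) has length %d, expected %d",
		             ext$name, ext$oid, l, hash_ext_lengths[ext$oid]);
	else if ( l > max_ext_value_len )
		reason = fmt("%s (%s) value is %d chars, limit %d",
		             ext$name, ext$oid, l, max_ext_value_len);

	if ( reason == "" )
		return;

	# $identifier keys notice suppression so one odd cert does not
	# produce a notice for every connection that presents it.
	NOTICE([$note=Suspicious_Extension_Length,
	        $msg=reason,
	        $f=f,
	        $identifier=cat(f$id, ext$oid)]);
	}
```

Note that this catches only the specific case described in the linked research. As Johanna points out, a length check on one extension says nothing about data hidden elsewhere in the handshake, and nothing at all about data sent after the record layer switches to encryption, so treat this as a cheap indicator, not as DLP.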