CryptoAPI

Overview#

CryptoAPI (also known variously as Crypt32.dll, Microsoft Cryptography API, MS-CAPI or simply CAPI) is a Microsoft Windows API that provides cryptosystem services enabling developers to secure Windows-based applications using cryptography. It includes functions for encrypting and decrypting data and for working with digital certificates.

The certificate and cryptographic message functions of CryptoAPI are implemented in crypt32.dll, a Microsoft Windows software library.

CryptoAPI was first introduced in Windows NT 4.0. Cryptography API: Next Generation (CNG), introduced in Windows Vista, is its intended replacement, but crypt32.dll is still responsible for certificate and chain validation on current Windows releases.

CVE-2020-0601 (aka CurveBall)#

At a high level, this vulnerability takes advantage of the fact that Crypt32.dll, when matching a supplied certificate against a trusted root, compared the certificate's public key with the root's but failed to check that the explicitly specified Elliptic Curve parameters in the supplied certificate (in particular the generator, or base point) match the parameters of the curve known to Microsoft for that root. An attacker can therefore publish a certificate that carries a trusted root's public key Q together with a generator G' chosen so that a private key d' of the attacker's own choosing satisfies d'·G' = Q (for example G' = d'^-1·Q), and then sign anything with d'.

This is classed as a spoofing vulnerability in the way Microsoft Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates, and therefore the digital signatures made under them. There are at least two instances demonstrated where an attacker could exploit the vulnerability:

In both of these, the digitally signed file appears to come from a trusted, legitimate source; hence Microsoft's title for it, 'Windows CryptoAPI Spoofing Vulnerability'.
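The parameter substitution at the heart of CurveBall, as an added illustration that is not code from the original page or from Microsoft: a textbook ECDSA implementation over NIST P-256 and two trust checks, one modelling the unpatched behaviour (match the root by public key alone and use whatever generator the certificate supplies) and one modelling the fix (the explicit parameters must equal the trusted root's known curve). The certificate dictionaries, the trust store keyed by public key and the signed message are constructed stand-ins; the real crypt32.dll matching logic is more involved than this model.

```python
import hashlib
import secrets

# NIST P-256 domain parameters: the curve the (modelled) trusted root really uses.
P256 = {
    "p": 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff,
    "a": 0xffffffff00000001000000000000000000000000fffffffffffffffffffffffc,
    "b": 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b,
    "G": (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
          0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5),
    "n": 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551,
}

def ec_add(P, Q, curve):
    """Affine addition on y^2 = x^3 + a*x + b over GF(p); None is the point at infinity."""
    if P is None:
        return Q
    if Q is None:
        return P
    p = curve["p"]
    if P[0] == Q[0] and (P[1] + Q[1]) % p == 0:
        return None  # P == -Q
    if P == Q:  # tangent slope for doubling (pow(x, -1, p) needs Python 3.8+)
        lam = (3 * P[0] * P[0] + curve["a"]) * pow(2 * P[1], -1, p) % p
    else:
        lam = (Q[1] - P[1]) * pow(Q[0] - P[0], -1, p) % p
    x = (lam * lam - P[0] - Q[0]) % p
    return x, (lam * (P[0] - x) - P[1]) % p

def ec_mul(k, P, curve):
    """Double-and-add scalar multiplication (not constant time; demonstration only)."""
    R = None
    while k:
        if k & 1:
            R = ec_add(R, P, curve)
        P = ec_add(P, P, curve)
        k >>= 1
    return R

def ecdsa_sign(d, message, curve):
    """Textbook ECDSA using whatever generator curve["G"] names; returns (r, s)."""
    n, z = curve["n"], int.from_bytes(hashlib.sha256(message).digest(), "big")
    while True:
        k = secrets.randbelow(n - 1) + 1
        r = ec_mul(k, curve["G"], curve)[0] % n
        s = pow(k, -1, n) * (z + r * d) % n
        if r and s:
            return r, s

def ecdsa_verify(Q, message, sig, curve):
    r, s = sig
    n, z = curve["n"], int.from_bytes(hashlib.sha256(message).digest(), "big")
    if not (0 < r < n and 0 < s < n):
        return False
    w = pow(s, -1, n)
    R = ec_add(ec_mul(z * w % n, curve["G"], curve), ec_mul(r * w % n, Q, curve), curve)
    return R is not None and R[0] % n == r

def forge_root(victim_Q, curve=P256):
    """CurveBall: choose any private key d' and publish G' = d'^-1 * Q as the generator, so
    d' * G' == Q. The forged 'root' carries the genuine root's public key Q with rogue parameters."""
    d_prime = secrets.randbelow(curve["n"] - 1) + 1
    g_prime = ec_mul(pow(d_prime, -1, curve["n"]), victim_Q, curve)
    return d_prime, {"Q": victim_Q, "curve": dict(curve, G=g_prime)}

def vulnerable_check(cert, message, sig, trusted_roots):
    """Models unpatched crypt32: match the root by public key alone, trust its explicit parameters."""
    if cert["Q"] not in trusted_roots:
        return False
    return ecdsa_verify(cert["Q"], message, sig, cert["curve"])

def patched_check(cert, message, sig, trusted_roots):
    """Models the fix: the explicit parameters must equal the trusted root's known curve."""
    if cert["Q"] not in trusted_roots or cert["curve"] != trusted_roots[cert["Q"]]:
        return False
    return ecdsa_verify(cert["Q"], message, sig, cert["curve"])

def demo():
    """Constructed scenario: a trusted P-256 root whose private key the attacker never learns."""
    root_d = secrets.randbelow(P256["n"] - 1) + 1
    root_Q = ec_mul(root_d, P256["G"], P256)
    trusted_roots = {root_Q: P256}  # trust store keyed by public key (constructed model)
    message = b"constructed stand-in for the bytes of a signed executable"
    d_prime, rogue_cert = forge_root(root_Q)
    rogue_sig = ecdsa_sign(d_prime, message, rogue_cert["curve"])
    genuine_sig = ecdsa_sign(root_d, message, P256)
    return {
        "rogue_accepted_by_vulnerable": vulnerable_check(rogue_cert, message, rogue_sig, trusted_roots),
        "rogue_accepted_by_patched": patched_check(rogue_cert, message, rogue_sig, trusted_roots),
        "genuine_accepted_by_patched": patched_check({"Q": root_Q, "curve": P256}, message, genuine_sig, trusted_roots),
    }

if __name__ == "__main__":
    print(demo())
```

The rogue signature verifies under the vulnerable check because u1·G' + u2·Q = w(z + r·d')·G' = k·G', exactly as for a genuine signature, once the verifier accepts the attacker's G'. The patched check never reaches the signature arithmetic: a certificate whose explicit parameters differ from the trusted root's curve is rejected outright, while the genuine root's own signature still validates.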

You should also examine your Windows Event Log for instances of the new CveEventWrite event: the patched crypt32.dll writes Event ID 1 from source Audit-CVE to the Application log, with the message "[CVE-2020-0601] cert validation", when it rejects a certificate that attempts this parameter substitution. Finding such an event indicates an exploitation attempt against that host; note that only patched systems log it, so an unpatched machine gives no signal in the event log.

The vulnerability exists in Windows 10, Windows Server 2016 and Windows Server 2019, including the Server semi-annual channel releases 1803, 1903 and 1909.

Older versions of Windows, such as Windows 7 and Windows Server 2008 R2, are not affected.

As of Jan. 15, 2020, Microsoft rated the vulnerability "Exploitation More Likely" but reported no exploitation in the wild at the time of the patch, and the attack effort is considered low. The first proof-of-concept "fake ID generators" appeared within a day of the advisory: a Python program of 53 lines and a Ruby script of just 21, sitting there for anyone to use for free.

Visit https://curveballtest.com to test whether your browser is vulnerable. The test is only meaningful for browsers that rely on CryptoAPI for certificate validation (Internet Explorer, Edge and Chrome on Windows); Firefox validates certificates with its own NSS library and was never affected, so a passing result there says nothing about the underlying Windows installation.

More Information#

There might be more information for this subject on one of the following: