Overview

CryptoAPI (also known variously as Crypt32.dll, Microsoft Cryptography API, MS-CAPI or simply CAPI) is a Microsoft Windows API that provides Cryptosystem services that enable developers to secure Windows-based applications using cryptography, and includes functionality for Encryption and Decryption of data using digital certificates.
CryptoAPI was first introduced in Windows NT 4.0.

CVE-2020-0601 (aka CurveBall)

At a high level, this vulnerability takes advantage of the fact that Crypt32.dll fails to properly check that the Elliptic Curve parameters specified in a provided Root Certificate match those known to Microsoft.
This is considered a spoofing vulnerability that exists in the way Microsoft Windows CryptoAPI (Crypt32.dll) validates Digitally Signed messages on Elliptic Curve Cryptography (ECC). There are at least two instances demonstrated where an attacker could exploit the vulnerability:
- by using a spoofed code-signing certificate to sign a malicious executable
- by conducting Man-In-The-Middle attacks and decrypting confidential information on user connections to the affected software.
The vulnerability exists in these products:
As of Jan. 15, 2020, this vulnerability is known to be exploited in the wild and the Attack Effort is considered low. The first proof-of-concept "fake ID generators" are out: a Python program of 53 lines and a Ruby script of just 21, and they really are sitting there for anyone to use for free.
Visit https://curveballtest.com to test if your browser is vulnerable.
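
A defender-side check for the parameter handling described above, as an added example that is not part of the original page and is not Microsoft's code: it reads a DER-encoded SubjectPublicKeyInfo and reports whether an EC key names its curve by OID or carries explicitly specified parameters, which RFC 5480 does not allow in PKIX certificates. The function names and sample keys are constructed for illustration, and the explicit-parameter sample is a stub rather than a real curve.

```python
# Added example: how does an EC public key identify its curve (RFC 5480)?
EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")   # OID 1.2.840.10045.2.1 (id-ecPublicKey)
NAMED_CURVES = {
    bytes.fromhex("2a8648ce3d030107"): "P-256",   # OID 1.2.840.10045.3.1.7
    bytes.fromhex("2b81040022"): "P-384",         # OID 1.3.132.0.34
}

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element that starts at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                             # long form: n length bytes follow
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def curve_spec(spki):
    """Classify the curve parameters of a DER SubjectPublicKeyInfo."""
    tag, body, _ = read_tlv(spki)                 # SubjectPublicKeyInfo ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    _, alg, _ = read_tlv(body)                    # AlgorithmIdentifier ::= SEQUENCE
    tag, oid, pos = read_tlv(alg)                 # algorithm OID
    if tag != 0x06 or oid != EC_PUBLIC_KEY:
        return "not-ec"
    tag, params, _ = read_tlv(alg, pos)           # ECParameters CHOICE
    if tag == 0x06:                               # namedCurve
        return NAMED_CURVES.get(params, "unlisted-named-curve")
    if tag == 0x30:                               # specifiedCurve: flag for review
        return "explicit-parameters"
    return "implicit-or-unknown"

def der(tag, value):
    """Encode one short-form TLV; used only to build the constructed samples."""
    assert len(value) < 128
    return bytes([tag, len(value)]) + value

# Constructed samples (zeroed key bits; the explicit one is a stub, not a real curve).
KEY_BITS = der(0x03, b"\x00\x04" + bytes(64))
NAMED = der(0x30, der(0x30, der(0x06, EC_PUBLIC_KEY) + der(0x06, bytes.fromhex("2a8648ce3d030107"))) + KEY_BITS)
EXPLICIT = der(0x30, der(0x30, der(0x06, EC_PUBLIC_KEY) + der(0x30, der(0x02, b"\x01"))) + KEY_BITS)
RSA = der(0x30, der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b"")) + KEY_BITS)
```

A result of `explicit-parameters` on a certificate presented as a root or in a chain is the case to flag for review, since trusted roots identify their curve by name.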