This page (revision-1) was last changed on 29-Nov-2024 16:16 by UnknownAuthor

Only authorized users are allowed to rename pages.

Only authorized users are allowed to delete pages.

Page revision history

Version Date Modified Size Author Changes ... Change note

Page References

Incoming links Outgoing links
CryptoAPI
CryptoAPI

Version management

Difference between version and

At line 1 added 55 lines
!!! Overview
[{$pagename}] (also known variously as [Crypt32.dll], Microsoft Cryptography API, MS-CAPI or simply CAPI) is a [Microsoft Windows] [API] provides [Cryptosystem] services that enable developers to secure Windows-based [applications] using [cryptography], and includes functionality for [Encryption] and [Decryption] [data] using digital [certificates].
[{$pagename}] uses the [crypt32.dll] which is a [Microsoft Windows] [Software library] that "[certificate] and [cryptographic] [Message] [functions].
[{$pagename}] was first introduced in [Windows NT] 4.0
!! [CVE-2020-0601|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0601|target='_blank'] (aka CurveBall)
At a high level, this [vulnerability] takes advantage of the fact that Crypt32.dll fails to properly check that the
[Elliptic Curve] parameters specified in a provided [Root Certificate] match those known to [Microsoft].
This is considered a [spoofing] [vulnerability] that exists in the way [Microsoft Windows] [{$pagename}] ([Crypt32.dll]) validates [Digitally Signed] [messages] on [Elliptic Curve] [Cryptography] (ECC). There are at least two instances demonstrated where an [attacker] could exploit the [vulnerability]:
* by using a spoofed [code]-signing [certificate] to sign a [malicious] executable
* the [attacker] to conduct [Man-In-The-Middle] [attacks] and decrypt [confidential] information on user connections to the affected software.
In both of these it appears the [Digitally Signed] file was from a trusted, legitimate source, aka 'Windows CryptoAPI Spoofing Vulnerability'.
You should also examine their [Windows Event Log] for instances of the new CveEventWrite event, which indicates active exploitation of the [vulnerability] in an environment
The [vulnerability] exists in these products:
* [Windows 10] (all build numbers)
* [Windows Server 2016]
* [Windows Server 2019]
Older versions of Windows are __not affected__.
As of Jan. 15, [2020|Year 2020], this [vulnerability] is known to be exploited in the wild and the [Attack Effort] is considered low. The first proof-of-concept "fake ID generators" are out – a Python program of 53 lines, and a Ruby script of just 21 and they really are sitting there for anyone to use for free.
Visit [https://curveballtest.com|https://curveballtest.com|target='_blank'] to test if your browser is vulnerable
!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
----
* [#1] - [Microsoft_CryptoAPI|Wikipedia:Microsoft_CryptoAPI|target='_blank'] - based on information obtained 2020-01-23
* [#2] - [Cryptic Rumblings Ahead of First 2020 Patch Tuesday|https://krebsonsecurity.com/2020/01/cryptic-rumblings-ahead-of-first-2020-patch-tuesday/#more-50171|target='_blank'] - based on information obtained 2020-01-17
* [#3] - [Patch Critical Cryptographic Vulnerability in Microsoft Windows
Clients and Servers|https://media.defense.gov/2020/Jan/14/2002234275/-1/-1/0/CSA-WINDOWS-10-CRYPT-LIB-20190114.PDF|target='_blank'] - based on information obtained 2020-01-17
* [#4] - [CVE-2020-0601 - Windows CryptoAPI Spoofing Vulnerability|https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601|target='_blank'] - based on information obtained 2020-01-17
* [#5] - [CVE-2020-0601 Detail|https://nvd.nist.gov/vuln/detail/CVE-2020-0601#vulnCurrentDescriptionTitle|target='_blank'] - based on information obtained 2020-01-23
* [#6] - [Win10 Crypto Vulnerability: Cheating in Elliptic Curve Billiards 2|https://medium.com/zengo/win10-crypto-vulnerability-cheating-in-elliptic-curve-billiards-2-69b45f2dcab6|target='_blank'] - based on information obtained 2020-01-23
* [#7] - [CurveBall’s Additional Twist: The Certificate Comparison Bug|https://medium.com/zengo/curveballs-additional-twist-the-certificate-comparison-bug-2698aea445b5|target='_blank'] - based on information obtained 2020-01-23
* [#8] - [NSA and Github ‘rickrolled’ using Windows CryptoAPI bug|https://nakedsecurity.sophos.com/2020/01/16/nsa-and-github-rickrolled-using-windows-cryptoapi-bug/|target='_blank'] - based on information obtained 2020-01-23
* [#2] - [CVE-2020-0601 Followup|https://isc.sans.edu/forums/diary/CVE20200601+Followup/25714/|target='_blank'] - based on information obtained 2020-01-23
This page (revision-1) was last changed on 29-Nov-2024 16:16 by UnknownAuthorTop