Chrome on Windows 10, rickrolled by a forged NSA.gov certificate.

Less than a day after Microsoft disclosed one of the most critical Windows vulnerabilities ever, a security researcher has demonstrated how attackers can exploit it to cryptographically impersonate any website or server on the Internet.

Researcher Saleem Rashid tweeted pictures on Wednesday of Rick Astley's 1980s video "Never Gonna Give You Up" playing on Github.com and NSA.gov. The digital sleight of hand is known as rickrolling and is often used as a humorous, benign way to demonstrate serious security flaws. In this case, Rashid's exploit causes both the Edge and Chrome browsers to accept spoofed versions of the HTTPS-verified websites of Github and the National Security Agency. Brave and other Chrome derivatives, as well as Internet Explorer, are likely to fall for the same trick. (There is no indication that Firefox is affected; it ships its own certificate validation code rather than relying on the Windows CryptoAPI.)

The same exploit rickrolling Github on Edge.

Rashid's simulated attack exploits CVE-2020-0601, the critical vulnerability that Microsoft patched on Tuesday after a private tip-off from the NSA. As Ars reported, the flaw can completely break certificate validation for websites, software updates, VPNs, and other security-critical uses. It affects Windows 10 systems, including the server versions Windows Server 2016 and Windows Server 2019. Other versions of Windows are not affected.

Rashid told me his exploit takes about 100 lines of code but could be compressed to 10 lines if he removed a few "useful tricks" the attack carries. While there are limitations and some potentially difficult requirements for getting the exploit to work under real-world adversarial conditions (more on that later), Wednesday's proof-of-concept attack shows why the NSA rated the vulnerability "severe" and warned that sophisticated attackers would work out how to exploit it "quickly."

"Pretty terrifying"

Other researchers shared the NSA's sense of urgency.

"What Saleem just demonstrated is that with a (short) script, you can generate a certificate for any website, and it's fully trusted on IE and Edge with just the default settings for Windows," said Kenn White, a researcher and security principal at MongoDB. "It's pretty terrifying. It affects VPN gateways, VoIP, basically anything that uses network communications." (I spoke to White before Rashid demonstrated the attack against Chrome.)

The flaw lies in the way the newer versions of Windows check the validity of certificates that use elliptic-curve cryptography. While the vulnerable Windows versions check three ECC parameters, they fail to verify a fourth, crucial one: the base point, or generator, usually written G in the algorithms. The failure is in Microsoft's implementation of ECC, not a flaw or weakness in the ECC algorithms themselves.

Attackers can exploit the bug by extracting the public key of a root certificate that ships with Windows by default. These certificates are called roots because they belong to large certificate authorities that either issue TLS certificates themselves or sign intermediate CAs that sell certificates on the root CA's behalf. Any root certificate will work as long as its key is an elliptic-curve key. Rashid's attack started with a root certificate from Sectigo, the Internet's largest CA, formerly known as Comodo. The researcher later modified his attack to use a GlobalSign root certificate; his code made the switch automatically.

The attacker looks at the specific ECC curve used for the root certificate's public key and then creates a private key of their own, supplying explicit curve parameters that copy everything from the root's curve except the generator. The generator is chosen so that the attacker's private key, combined with that new generator, produces exactly the root's public key. Because vulnerable Windows versions fail to check the generator, they treat the attacker's key as the root's key. The attacker has thereby spoofed a Windows-trusted root certificate and can mint any individual certificate used to authenticate websites, software, and other sensitive assets.
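The arithmetic behind that swap is short, so here it is as a worked example. This is added illustration, not Rashid's exploit code, and it stands in for the real Windows checks with a deliberately simplified model: the "root" key pair is a constructed toy pair on P-256 (the curve constants are the standard ones), the nonce derivation in the signing routine is a constructed deterministic scheme rather than RFC 6979, and the two validation functions model only what the article describes (three curve parameters compared, generator ignored). If the root's public key is Q = d_root·G, the attacker picks any private key d and sets G' = d⁻¹·Q, so that d·G' = Q. A verifier that accepts the supplied G' will then accept the attacker's ECDSA signatures as the root's.

```python
import hashlib

# NIST P-256 domain parameters (standard values).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

# Constructed toy keys for the demo; the attacker never learns ROOT_PRIV.
ROOT_PRIV = 0x1d3c8e5f2a7b4c9d6e1f0a2b3c4d5e6f708192a3b4c5d6e7f8091a2b3c4d5e6f
ATTACKER_PRIV = 0x0badc0ffee0ddf00d0000000000000000000000000000000000000000000c0de


def ec_add(p1, p2):
    """Affine point addition on y^2 = x^3 + Ax + B mod P; None is infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def ec_mul(k, point):
    """Double-and-add scalar multiplication k*point."""
    result, addend = None, point
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def forge_generator(root_pub, attacker_priv):
    """The CVE-2020-0601 trick: G' = d^-1 * Q, so that d * G' == Q."""
    return ec_mul(pow(attacker_priv, -1, N), root_pub)


def _hash_int(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def ecdsa_sign(priv, gen, msg):
    """ECDSA over whichever generator the signer supplies."""
    z = _hash_int(msg)
    # Constructed deterministic nonce for the demo (not RFC 6979).
    k = _hash_int(b"demo-nonce" + priv.to_bytes(32, "big") + msg) or 1
    r = ec_mul(k, gen)[0] % N
    s = pow(k, -1, N) * (z + r * priv) % N
    return (r, s)


def ecdsa_verify(pub, gen, msg, sig):
    """Standard ECDSA verification, parameterised by the generator it trusts."""
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    z, w = _hash_int(msg), pow(s, -1, N)
    point = ec_add(ec_mul(z * w % N, gen), ec_mul(r * w % N, pub))
    return point is not None and point[0] % N == r


def vulnerable_root_match(presented, cached):
    """Models the article's description of the bug: the curve equation
    (p, a, b) and the public point are compared, the generator is not."""
    return all(presented[k] == cached[k] for k in ("p", "a", "b", "Q"))


def correct_root_match(presented, cached):
    """A correct check also pins the generator and the group order."""
    return all(presented[k] == cached[k] for k in ("p", "a", "b", "G", "n", "Q"))


def demo():
    root_pub = ec_mul(ROOT_PRIV, G)
    g_prime = forge_generator(root_pub, ATTACKER_PRIV)
    cached = {"p": P, "a": A, "b": B, "G": G, "n": N, "Q": root_pub}
    presented = dict(cached, G=g_prime)            # only the generator differs
    leaf = b"CN=nsa.gov, issued by the forged root"
    sig = ecdsa_sign(ATTACKER_PRIV, g_prime, leaf)  # signed with attacker's d
    return {
        "same_public_key": ec_mul(ATTACKER_PRIV, g_prime) == root_pub,
        "vulnerable_accepts": vulnerable_root_match(presented, cached)
                              and ecdsa_verify(root_pub, g_prime, leaf, sig),
        "correct_rejects": not correct_root_match(presented, cached),
        "standard_G_rejects_sig": not ecdsa_verify(root_pub, G, leaf, sig),
    }


if __name__ == "__main__":
    print(demo())
```

The first result is the whole attack in one line: a key the attacker controls reproduces the root's public point. The last result is why the generator matters: the same signature fails as soon as the verifier insists on the curve's own G instead of the one the certificate supplies.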

The behavior is akin to a police officer who checks a person's ID card to confirm that it correctly describes the person's height, address, birthday, and face, but fails to notice that the weight is listed as 250 pounds when the person weighs less than half that.

"It's such a strange bug because it's like half-checking something that's at the root of the whole trust system," White said. "It's a core part of the entire chain of trust."

More technical explanations of the flaw are available here, here, and in the Twitter thread here.

The caveats

As noted earlier, several requirements and limitations significantly raise the bar for Rashid's attack to be used by an adversary in the real world. The first is that it most likely requires an active man-in-the-middle position. Such positions are relatively easy to obtain on Wi-Fi and other untrusted networks but generally much harder to obtain across the Internet. An alternative to an active MitM is to convince a target to click on a link to an attacker-controlled site; this is much easier but requires some targeting. (Neither caveat applies to attacks against websites or other servers that require a certificate from the connecting client, since there the attacker simply presents the forged client certificate.)

The exploit also requires that the target has recently visited a site whose TLS certificate chains to an ECC root certificate, because the root must already be cached by the targeted system for the forged key to be matched against it. If the root certificate is not yet cached, an attacker can still arrange for it to be by adding JavaScript that loads a resource from a site chained to that root.

Another limitation: Chrome uses a mechanism known as certificate pinning for google.com and a number of other sensitive sites. For a pinned site, the certificate chain presented must contain a public key whose cryptographic hash matches one of the pinned values, even if the chain is otherwise valid. That requirement stops the exploit from working against pinned sites, because the forged chain carries none of the pinned keys.

While installing Tuesday's patch from Microsoft is by far the only sensible way to prevent attacks, a Google representative said Chrome developers have already shipped a fix in a beta version and will soon push it to stable releases. A word of caution: the Chrome fix only protects the browser and still leaves users of unpatched Windows versions exposed to significant risk from the other attack scenarios, such as forged software updates and VPN servers.

A matter of time

Despite the requirements and limitations, the vulnerability is severe. As NSA officials put it in the advisory linked above:

The vulnerability places Windows endpoints at risk to a broad range of exploitation vectors. NSA assesses the vulnerability to be severe and that sophisticated cyber actors will understand the underlying flaw very quickly and, if exploited, would render the previously mentioned platforms as fundamentally vulnerable. The consequences of not patching the vulnerability are severe and widespread. Remote exploitation tools will likely be made quickly and widely available. Rapid adoption of the patch is the only known mitigation at this time and should be the primary focus for all network owners.

The vulnerability may not be as dire as the Heartbleed bug of 2014, which allowed attackers to steal private keys, passwords, and other highly sensitive data from hundreds of thousands of vulnerable websites. But because of the variety of security measures the Microsoft flaw defeats, it is arguably worse than Apple's critical "goto fail" bug, which prevented iOS and macOS systems from detecting invalid TLS certificates presented by websites. That makes CVE-2020-0601 one of the most severe vulnerabilities in recent memory.

Windows' automatic update mechanism has probably already patched most vulnerable systems. For everyone else, fixes for the various vulnerable versions are available. Readers who have not yet patched should do so immediately.

This post has been updated to correct the statement about certificate pinning.