Jump to content

CVE-2020-0601 AKA ChainOfFools OR CurveBall

Recommended Posts


  • Microsoft disclosed a vulnerability in their monthly Patch Tuesday referenced under CVE-2020-0601.
  • The vulnerability was discovered by the U.S. National Security Agency, anounced today (2020-01-14) in their press conference, followed by a blog post and an official security advisory.
  • The flaw is located in the "CRYPT32.DLL" file under the C:\Windows\System32\ directory.

Vulnerability explanation

  • NSA description:

  • NSA has discovered a critical vulnerability (CVE-2020-0601) affecting Microsoft Windows® cryptographic functionality.

  • The certificate validation vulnerability allows an attacker to undermine how Windows verifies cryptographic trust and can enable remote code execution.

  • The vulnerability affects Windows 10 and Windows Server 2016/2019 as well as applications that rely on Windows for trust functionality. Exploitation of the vulnerability allows attackers to defeat trusted network connections and deliver executable code while appearing as legitimately trusted entities.

  • Examples where validation of trust may be impacted include:

    • HTTPS connections
    • Signed files and emails
    • Signed executable code launched as user-mode processes
  • The vulnerability places Windows endpoints at risk to a broad range of exploitation vectors.

  • NSA assesses the vulnerability to be severe and that sophisticated cyber actors will understand the underlying flaw very quickly and, if exploited, would render the previously mentioned platforms as fundamentally vulnerable.

  • The consequences of not patching the vulnerability are severe and widespread. Remote exploitation tools will likely be made quickly and widely available.

  • Rapid adoption of the patch is the only known mitigation at this time and should be the primary focus for all network owners.

  • If you really want to deep dive in the cryptographic part and understand better the root cause of this vulnerability, Tal Be'ery published today a very didactic explanation:


  • Publicly available: YES

    • PoC published the 2020-01-16 1208 AM GMT+1 (PoC1)

    • PoC published the 2020-01-16 1214 AM GMT+1 [PoC2]

      • Interesting nuggets: default serial number = 0x5c8b99c55a94c5d27156decd8980cc26, use NIST P-384 (secp384r1) curve, 500 days default expire date, configured to abuse USERTrust ECC Certification Authority, some others hardcoded information but could be changed easily, C = CH, ST = Vaud, L = Lausanne, O = Kudelski Security, CN =
  • Privately available: YES (Around 10 private PoC)

  • In The Wild Exploitation: YES




Source https://gist.github.com/SwitHak/62fa7f8df378cae3a459670e3a18742d



  • Upvote 1

Share this post

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Create New...