• There’s a working Proof of Concept for the “ChainOfFools” CVE-2020-0601 Crypto API bug — but it isn’t as bad as you think

    Posted on January 16, 2020 at 04:32 CST by Comment in the Forums

    Long story short, Yolan Ronmailler has posted a working Proof of Concept for NSA’s CVE-2020-0601 Crypt32 bug. The code is available on Github.

    There’s no question the code works — but it has a prerequisite. In order to get bitten by the security hole, you have to first visit a specific site. That site will load a security certificate that’s instrumental in making the PoC code work.

    That severely limits the threat, eh?

    Here’s how Ronmailler puts it:

    In the end, please keep in mind that such a vulnerability is not at risk of being exploited by script kiddies or ransomware. While it is still a big problem because it could have allowed a Man-in-the-Middle attack against any website, you would need to face an adversary that owns the network on which you operate, which is possible for nation-state adversaries, but less so for a script kiddie. This is why we are releasing this PoC, the exploitability of this vulnerability is not good enough to lead to a sudden ransomware threat (unlike the one we had with Wannacry). This is also probably why the NSA decided not to weaponize their finding, but to rather disclose it: for them it is best to have the USA patched rather than to keep it and take the risk of it being used against the USA, as the attack surface is so vast.

    Which ties up many loose ends.

    Looks like Kevin Beaumont is right: There’s certainly a security hole here, but it would be very difficult to turn it into a widespread attack. In order for it to work, the victim first has to visit a site that has a clean copy of the certificate that the attacker has subverted, and then visit the site with the subverted certificate. Unless the attacker has full control over your network, the chances of that happening are slim indeed.

    (Saleem Rashid showed yesterday that the clean-before-dirty approach is a requirement for the Chrome browser, but Chrome throws a NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED. Firefox isn’t vulnerable.)

    As I said in the Computerworld article, it’s a long way from a third-degree polynomial to working ransomware.

    We’re still at MS-DEFCON 2.

    UPDATE: Kevin Beaumont has a revised recommendation:

    Windows Patches/Security , ,
DON'T MISS OUT!
Subscribe to the Free Newsletter
We promise not to spam you. Unsubscribe at any time.
Invalid email address

View the Forum

  • Recent Replies
  • My Replies
  • My Active Topics
  • New Posts in the Last day
  • Private Messages
  • Knowledge Base
  • How to use the Forums
  • All Forums

    • Recent Topics

    My Profile

    March 2025
    S M T W T F S
     1
    2345678
    9101112131415
    16171819202122
    23242526272829
    3031  

    Want to Advertise in the free newsletter? How about a gift subscription in honor of a birthday? Send an email to sb@askwoody.com to ask how.

    Mastodon profile for DefConPatch
    Mastodon profile for AskWoody

     

    Home About FAQ Posts & Privacy Forums My Account
    Register Free Newsletter Plus Membership Gift Certificates MS-DEFCON Alerts

    Copyright ©2004-2025 by AskWoody Tech LLC. All Rights Reserved.