Less than a day after Microsoft revealed one of the most critical Windows vulnerabilities ever, a security researcher has demonstrated how attackers can exploit it to cryptographically impersonate any website or server on the Internet.
This story originally appeared on Ars Technica, a trusted source for technology news, technology policy analysis, assessments and more. Ars is owned by WIRED’s parent company, Condé Nast.
Researcher Saleem Rashid tweeted footage of the 1980s video “Never Gonna Give You Up,” by Rick Astley, playing on Github.com and NSA.gov. The digital sleight of hand is known as Rickrolling and is often used as a humorous and benign way to demonstrate serious security flaws. In this case, Rashid’s exploit causes both the Edge and Chrome browsers to spoof the HTTPS-verified websites of GitHub and the National Security Agency. Brave and other Chrome derivatives, as well as Internet Explorer, are probably also vulnerable to the same trick. (There is no indication that Firefox was affected.)
Rashid’s simulated attack uses CVE-2020-0601, the critical vulnerability that Microsoft patched Tuesday after receiving a private tip from the NSA. As Ars reported, the flaw can completely break the validation of certificates for websites, software updates, VPNs, and other security-critical computing. It affects Windows 10 systems, including server versions Windows Server 2016 and Windows Server 2019. Other versions of Windows are not affected.
Rashid told me that his exploit uses around 100 lines of code, but that he could compress it to 10 lines if he wanted to remove some “handy tricks” from his attack. Although there are limitations and several potentially difficult requirements for the exploit to work in real-world, adversarial conditions (more on that later), Wednesday’s proof-of-concept attack shows why the NSA considers the vulnerability “serious” and said that sophisticated hackers could understand how to exploit it “quickly.”
Other researchers shared the NSA’s sense of urgency.
“What Saleem has just demonstrated is: with (a short) script you can generate a cert for every website, and it is fully trusted in IE and Edge with only the default settings for Windows,” Kenn White, a researcher and security principal at MongoDB, said. “That’s quite horrible. It affects VPN gateways, VoIP, basically everything that uses network communication.” (I spoke with White before Rashid demonstrated the attack on Chrome.)
The problem is related to the way the new versions of Windows check the validity of certificates that use elliptic-curve cryptography (ECC). Although the vulnerable Windows versions check three ECC parameters, they fail to verify a fourth, crucial one, known as the base point generator and often denoted in algorithms as G. This flaw is a result of Microsoft’s implementation of ECC rather than any flaw or weakness in the ECC algorithms themselves.
Attackers can exploit the flaw by extracting the public key from a root certificate that ships by default in Windows. These certificates are described as root because they belong to large certificate authorities that either issue their own TLS certificates or validate intermediate certificate authorities that sell certificates on behalf of the root CA. Any root certificate will work, as long as it is signed with an ECC algorithm. Rashid’s attack began with a root certificate from Sectigo, the largest CA on the internet, which previously used the Comodo name. The researcher later modified his attack to use a GlobalSign root certificate. His code made the switch automatically.
The attacker examines the specific ECC algorithm that was used to generate the public key of the root certificate and goes on to craft a private key that copies all of the certificate parameters for that algorithm except the point generator. Because vulnerable Windows versions fail to check that parameter, they accept the private key as valid. With that, the attacker has spoofed a Windows-trusted root certificate that can be used to issue any individual certificate used to authenticate websites, software, and other sensitive properties.
The behavior is tantamount to a law enforcement officer who checks someone’s ID to make sure it correctly describes the person’s height, address, birthday, and face, but fails to notice that the weight is listed as 250 pounds when the person clearly weighs less than half that.
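To make the missing check concrete, here is an added example (not Rashid's code and not Microsoft's implementation) that models a trust-anchor match on a textbook-sized toy curve, with the flawed comparison beside the corrected one. The curve, the key values, the function names, and the choice of which fields the flawed check compares are all assumptions made for illustration.

```python
# Toy curve y^2 = x^3 + 2x + 2 over F_17 (textbook-sized, not a real curve).
P, A, B = 17, 2, 2
G_STD = (5, 1)  # standard base point G of the toy curve

def add(p1, p2):
    """Add two curve points; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        s = (3 * x1 * x1 + A) * pow(2 * y1 % P, -1, P)
    else:
        s = (y2 - y1) * pow((x2 - x1) % P, -1, P)
    x3 = (s * s - x1 - x2) % P
    return (x3, (s * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Scalar multiplication k*pt by double-and-add."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def key_params(g, q):
    """EC key as a certificate would carry it with explicit parameters."""
    return {"p": P, "a": A, "b": B, "G": g, "Q": q}

# Trusted root: private scalar 7 is constructed and stands for a secret.
ROOT = key_params(G_STD, mul(7, G_STD))
# Look-alike key: same p, a, b and Q, but the generator is replaced by Q,
# so the scalar 1 is a valid private key for it (1 * G' == Q).
LOOKALIKE = key_params(ROOT["Q"], ROOT["Q"])

def matches_root_flawed(cert_key, root):
    """Models the flaw: G is never compared (checked fields are assumed)."""
    return all(cert_key[f] == root[f] for f in ("p", "a", "b", "Q"))

def matches_root_fixed(cert_key, root):
    """Hardened check: every parameter, including G, must equal the root's."""
    return all(cert_key[f] == root[f] for f in ("p", "a", "b", "G", "Q"))
```

The flawed comparison treats the look-alike key as the trusted root even though its holder never learned the root's private scalar; the fixed comparison rejects it because G differs.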