0x00 漏洞背景
2020年01月15日,360CERT监测到微软发布了2020年1月份的安全更新,其中包含Windows CryptoAPI的验证绕过漏洞(CVE-2020-0601)。该漏洞由NSA报告给微软。
该漏洞存在于Windows CryptoAPI(Crypt32.dll)验证椭圆曲线加密算法证书的方式,影响Windows 10和Windows Server 2016/2019以及依赖于Windows CryptoAPI的应用程序。攻击场景包括:
1.使用伪造的证书对恶意的可执行文件进行签名,使文件看起来来自可信的来源。
2.进行中间人攻击并解密用户连接到受影响软件的机密信息。
目前POC已经公开,360CERT提醒广大用户做好防范。
0x01 影响范围
Windows 10 for 32-bit Systems
Windows 10 for x64-based Systems
Windows 10 Version 1607 for 32-bit Systems
Windows 10 Version 1607 for x64-based Systems
Windows 10 Version 1709 for 32-bit Systems
Windows 10 Version 1709 for ARM64-based Systems
Windows 10 Version 1709 for x64-based Systems
Windows 10 Version 1803 for 32-bit Systems
Windows 10 Version 1803 for ARM64-based Systems
Windows 10 Version 1803 for x64-based Systems
Windows 10 Version 1809 for 32-bit Systems
Windows 10 Version 1809 for ARM64-based Systems
Windows 10 Version 1809 for x64-based Systems
Windows 10 Version 1903 for 32-bit Systems
Windows 10 Version 1903 for ARM64-based Systems
Windows 10 Version 1903 for x64-based Systems
Windows 10 Version 1909 for 32-bit Systems
Windows 10 Version 1909 for ARM64-based Systems
Windows 10 Version 1909 for x64-based Systems
Windows Server 2016
Windows Server 2016 (Server Core installation)
Windows Server 2019
Windows Server 2019 (Server Core installation)
Windows Server, version 1803 (Server Core Installation)
Windows Server, version 1903 (Server Core installation)
Windows Server, version 1909 (Server Core installation)
虽然该漏洞不影响windows 7/Server 2008系统,但是由于微软已经停止对windows 7/Server 2008系统的支持,360CERT仍然强烈建议windows 7/Server 2008用户升级到windows 10/Server 2016(或更高的版本)并安装补丁。
0x02 修复建议
用户可以通过下面的方式安装补丁:
1.通过安装360安全卫士(http://weishi.360.cn)进行一键更新
2.开启windows10的自动更新
3.手动访问官方补丁下载链接下载安装更新包,链接如下
操作系统版本
补丁下载链接
Windows 10 for 32-bit Systems
https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4534306
Windows 10 for x64-based Systems
https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4534306
Windows 10 Version 1607 for 32-bit Systems
https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4534271
Windows 10 Version 1607 for x64-based Systems
https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4534271
Windows 10 Version 1709 for 32-bit Systems
https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4534276
Windows 10 Version 1709 for ARM64-based Systems
https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4534276
Windows 10 Version 1709 for x64-based Systems
https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4534276
Windows 10 Version 1803 for 32-bit Systems
https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4534293
Windows 10 Version 1803 for ARM64-based Systems
https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4534293
Windows 10 Version 1803 for x64-based Systems
https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4534293
Windows 10 Version 1809 for 32-bit Systems
https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4534273
Windows 10 Version 1809 for ARM64-based Systems
https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4534273
Windows 10 Version 1809 for x64-based Systems
https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4534273
Windows 10 Version 1903 for 32-bit Systems
https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4528760
Windows 10 Version 1903 for ARM64-based Systems
https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4528760
Windows 10 Version 1903 for x64-based Systems
https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4528760
Windows 10 Version 1909 for 32-bit Systems
https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4528760
Windows 10 Version 1909 for ARM64-based Systems
https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4528760
Windows 10 Version 1909 for x64-based Systems
https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4528760
Windows Server 2016
https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4534271
Windows Server 2016 (Server Core installation)
https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4534271
Windows Server 2019
https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4534273
Windows Server 2019 (Server Core installation)
https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4534273
Windows Server, version 1803 (Server Core Installation)
https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4534293
Windows Server, version 1903 (Server Core installation)
https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4528760
Windows Server, version 1909 (Server Core installation)
https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4528760
如果短时间难以实现对所有机器安装补丁,建议优先考虑修补关键服务。比如:
基于Windows的各类关键web应用、web服务器,或执行TLS验证的代理。
托管关键基础架构的服务器(例如域控制器、DNS服务器、更新服务器、VPN)。
还应优先考虑修补具有较高被攻击风险的终端。比如:
直接暴露到外网的终端。
特权用户经常使用的终端。
0x03 检测措施
一些企业通过现有的执行TLS检查的代理设备来路由流量,此类设备并不依赖Windows进行证书验证。这些设备可以帮助在漏洞修复过程中隔离代理之后的所有受影响终端。经过正确配置和管理的TLS检查代理可以独立地从外部实体验证TLS证书,并将拒绝无效或不受信任的证书,从而保护终端免受试图利用此漏洞的证书的攻击。请确保为TLS代理启用了证书验证功能,以缩小受此漏洞影响的服务、系统的暴露面,并通过相关日志查看是否有漏洞利用的迹象。
数据包捕获分析工具(例如Wireshark)可用于从网络协议数据中解析和提取证书来进行其他分析。诸如OpenSSL和Windows certutil之类的程序可用于进一步分析证书以检查其恶意属性。
通过运行以下命令,可使用Certutil来检查X509证书:
certutil –asn <证书文件名>
通过运行以下命令,可使用OpenSSL来检查X509证书:
openssl asn1parse –inform DER –in <证书文件名> –i –dump
或
openssl x509 –inform DER –in <证书文件名> –text
这些命令解析并展示指定DER编码的证书文件中的ASN.1对象。查看带有可疑属性的椭圆曲线对象的结果。带有命名椭圆曲线的证书具有显式的曲线OID值,可以被判定为良性证书。比如,标准曲线nistP384的曲线OID值为1.3.132.0.34。具有明确定义的、自身参数完全匹配标准曲线参数(如素数,a,b,基数,顺序和余因子)的证书可以被近似判定为良性。
通过运行以下命令,可以使用Certutil列出已注册的椭圆曲线并查看其参数:
certutil –displayEccCurve
certutil –displayEccCurve <曲线名称>
通过运行以下命令,可以使用OpenSSL查看已启用/已编译到OpenSSL中的标准曲线:
openssl ecparam –list_curves
openssl ecparam –name <曲线名称> –param_enc explicit –text
如果一个证书包含显式定义的椭圆曲线参数,而其参数仅部分匹配标准曲线参数,那么此证书是可疑的。特别是当其包含一个被信任的证书的公钥,并展现出漏洞利用尝试时。
0x04 时间线
2020-01-14 微软官方发布安全公告
2020-01-15 360CERT发布通告
2020-01-16 漏洞POC公开
2020-01-16 360CERT发布简要分析
2020-01-16 360CERT发布修复指南
0x05 参考链接
CVE-2020-0601 Windows CryptoAPI验证绕过漏洞原理简要分析
CVE-2020-0601 Windows CryptoAPI验证绕过漏洞通告
Patch Critical Cryptographic Vulnerability in Microsoft Windows Clients and Servers
文章原文链接:https://www.anquanke.com/post/id/197409
