NSA Bug Bounty? - ThreatWire CrossPost (Patreon)
By Shannon Morse, ThreatWire
Support me on alternative platforms! https://snubsie.com/support
Shop ThreatWire Merch! - https://snubsie.com/shop
https://www.youtube.com/shannonmorse -- subscribe to my new channel!
ThreatWire is only possible because of our Patreon patrons! https://www.patreon.com/threatwire
NSA found a Windows flaw:
https://media.defense.gov/2020/Jan/14/2002234275/-1/-1/0/CSA-WINDOWS-10-CRYPT-LIB-20190114.PDF
https://thehackernews.com/2020/01/warning-quickly-patch-new-critical.html
https://www.cyberscoop.com/windows-10-vulnerability-nsa-public-disclosure/
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601
https://github.com/ollypwn/cve-2020-0601
https://threatpost.com/poc-exploits-published-for-microsoft-crypto-bug/151931/
https://threatpost.com/microsoft-patches-crypto-bug/151842/
It’s been almost a decade since the NSA’s PRISM surveillance program was leaked, and now it seems like the NSA is getting into… bug bounties? On the same day that Windows 7 lost its support from Microsoft, the US National Security Agency publicly disclosed that the tech giant had a serious flaw in Windows 10 that could allow attackers to spy on users. More specifically, this crypto-spoofing bug would allow an attacker to create a fake security certificate so they could run malicious code on the device without being flagged. It could also be used to set up remote code execution attacks and man-in-the-middle attacks, and to decrypt confidential information while compromising HTTPS authentication. One security researcher even pointed out that this could affect TLS (Transport Layer Security) if it is used within apps for secure communications.
An attacker could extract a public key from a root certificate that ships with Windows by default and is signed with ECC (more on that in a bit). From there, they could create a private key that mimics the legitimate one. Windows fails to check a specific parameter for these keys, so a spoofed certificate isn’t flagged by any AV.
It is unknown how long the NSA deliberated on whether or not to disclose this flaw to Microsoft, or when it was originally found. The NSA believes attackers could easily exploit it, so they decided to report it. The flaw was fixed in a push update as part of Microsoft’s “Patch Tuesday”, so if you have automatic updates scheduled and enabled, you should already see an update being installed if it hasn’t happened already. At the time of the announcement, Microsoft believed that the bug hadn’t been actively exploited in the wild. The vulnerability was reported as CVE-2020-0601 and is caused by how Windows validates Elliptic Curve Cryptography (ECC) certificates. And thus, the flaw was dubbed NSACrypt.
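As an added illustration (not code from ThreatWire, Microsoft, or the NSA advisory), the toy model below shows the kind of validation gap described above: a root-certificate match that compares only the ECC public point is fooled by a certificate whose explicit curve parameters differ, while a check that also compares the named curve and every curve parameter is not. The curve, the private scalar, the curve name and the certificate objects are all constructed for illustration and are far too small to be real.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

Point = Optional[Tuple[int, int]]  # None stands for the point at infinity

@dataclass(frozen=True)
class CurveParams:
    p: int; a: int; b: int; g: Tuple[int, int]; n: int  # y^2 = x^3 + ax + b mod p, generator g, order n

@dataclass(frozen=True)
class EccPublicKey:
    curve: CurveParams          # parameters the certificate carries (explicit, or those of a named curve)
    named_curve: Optional[str]  # curve name when the certificate references a standard curve
    q: Tuple[int, int]          # public point

def point_add(c: CurveParams, P: Point, Q: Point) -> Point:
    """Affine point addition on the short Weierstrass curve c."""
    if P is None: return Q
    if Q is None: return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % c.p == 0:
        return None                      # P == -Q (covers doubling a point with y == 0)
    if P == Q:
        lam = (3 * x1 * x1 + c.a) * pow(2 * y1, -1, c.p) % c.p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, c.p) % c.p
    x3 = (lam * lam - x1 - x2) % c.p
    return (x3, (lam * (x1 - x3) - y1) % c.p)

def scalar_mult(c: CurveParams, k: int, P: Point) -> Point:
    R = None                             # double-and-add, returns k*P
    while k:
        if k & 1: R = point_add(c, R, P)
        P = point_add(c, P, P)
        k >>= 1
    return R

def matches_root_vulnerable(cert: EccPublicKey, root: EccPublicKey) -> bool:
    """Flawed check: the trusted root is identified by its public point alone."""
    return cert.q == root.q

def matches_root_fixed(cert: EccPublicKey, root: EccPublicKey) -> bool:
    """Hardened check: public point, named curve and all curve parameters must agree."""
    return cert.q == root.q and cert.named_curve == root.named_curve and cert.curve == root.curve

# Constructed toy curve y^2 = x^3 + 2x + 2 over GF(17); generator (5, 1) has order 19.
TOY = CurveParams(p=17, a=2, b=2, g=(5, 1), n=19)
ROOT = EccPublicKey(TOY, "toy-17", scalar_mult(TOY, 7, TOY.g))  # private scalar 7 is constructed
# Certificate carrying explicit parameters with a different generator but the root's public point.
SPOOF = EccPublicKey(CurveParams(17, 2, 2, (6, 3), 19), None, ROOT.q)
```

With explicit parameters the certificate's author controls the generator, so the public point alone no longer identifies a key; that is why the hardened check must compare the parameters too.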
Just a day after this announcement, a security researcher figured out how to use the flaw and spoofed the HTTPS certificates for both github.com and NSA.gov, so instead of returning the legitimate websites, users would see Rick Astley’s Never Gonna Give You Up, because rickrolling isn’t dead yet even though it’s 2020. The proof of concept would likely require some specific conditions, like an active man-in-the-middle attack or a visit to a specific site, before it would work. With that said, several other proofs of concept popped up over the following week, some of which even went so far as to share code.
To update manually, go to Windows Settings, choose Update & Security, then Windows Update, then “Check for updates”. This is the first time the NSA has publicly come forward with a bug disclosure, and the director of the NSA’s Cybersecurity Directorate stated it was done to raise awareness as well as to build trust between the government sector and the tech sector.