Until recently I always used pfSense with the OpenBGPD package as the NSX-T Edge counterpart in my lab environment. It’s quick and easy to set up and works well enough. But pfSense is not what I typically find in a customer’s production environment. I started to investigate other virtualized “top-of-rack solutions” for the lab that…
I haven’t posted here in a while, but I figure this is the best spot for a very quick post on this, given it isn’t officially supported. With the release of the vSAN 6.7 P01 Witness Appliance, the OVA now prompts for OVF properties. These additional settings are read upon boot up and automatically configure networking for the appliance. This streamlines the vSAN Witness Appliance deployment process significantly. I blogged about this here: https://blogs.vmware.com/virtualblocks/2019/11/07/vswa-67p01-update/ Importing pre-vSAN 6.7 P01 vSAN Witness…
The biggest telco event of the year, Mobile World Congress, is fast approaching, and of course, VMware will be participating, exhibiting, and presenting our innovative telco cloud solutions in Barcelona. But what if you can’t wait till the end of February to hear what we’ve got in store? Well, you’re in luck. We have a […]
The post 4 VMware Telco Events to Get You Ready for MWC Barcelona 2020 appeared first on VMware Telco NFV Blog.
The last 24 hours have been extremely interesting: this month’s Patch Tuesday from Microsoft brought us two very interesting (and critical) vulnerabilities. The first one, the “BlueKeep”-like remote code execution vulnerability in Remote Desktop Gateway (CVE-2020-0609, CVE-2020-0610), has been somewhat ignored, although it is really critical … so I guess I’ll continue doing that in this diary (but rest assured that we are keeping an eye on the RDG vulnerability as well).
This diary is about the vulnerability in Windows CryptoAPI, CVE-2020-0601, that everyone has been talking about; we decided to sum up known and tested information so far.
The vulnerability exists in the Windows CryptoAPI component (Crypt32.dll), specifically in the part that is used to validate Elliptic Curve Cryptography (ECC) certificates. Due to a serious bug in the code, ECC certificates are not properly verified; there have been several posts about why this fails (e.g. the one here), but the bottom line is that it is trivial to use an existing Certificate Authority (which must be using ECC) to create a spoofed certificate. It took only hours for the first proof-of-concept certificates to be released, and we can confirm now that it is trivial to create such certificates. So, what can an attacker do with this?
While certificates are used for all sorts of things, the two most common ways of abusing the vulnerability are probably through spoofing web certificates and digital signatures for binaries on Windows. Let’s address those.
Spoofing web certificates
In order to spoof a certificate, an attacker will typically want to pick an ECC CA that comes bundled with Windows. There are several such certificates, and in the examples below I used the Microsoft ECC Product Root Certificate Authority 2018, which comes installed by default (and, as a bonus, it is a Microsoft CA).
Because the vulnerability is in the way ECC certificates are verified, to create the spoofed certificate the attacker takes the public key from the CA and creates a fake CA where the public key is the same but a different generator (G) is used for the curve. Normally this should be rejected because the generator is not the original one, but Crypt32.dll fails to check that and, as long as the public key matches the original CA’s, accepts the certificate.
We have generated several such certificates and put up a test site that you can use to see if you are vulnerable. The test site is available at https://curveballtest.com/index.html – once you open it, a special style sheet is loaded from a site using such a fake certificate. If it renders, you will see a message saying that you are vulnerable, as below:
Now, by default this will work only in Internet Explorer and Edge on Windows. Mozilla Firefox does not use Crypt32.dll to verify certificates and does not have the same bug.
Google Chrome does use Crypt32.dll; however, it also tries to verify every certificate against the Certificate Transparency logs, which is another safety feature in Chrome. That being said, Google introduced that feature only for certificates issued after May 1, 2018.
Hmmm … and we’re faking certificates, aren’t we? So, how about we issue a certificate dated before that date, let’s say 24.3.2018. And voila, it works in Google Chrome out of the box as well!
The maximum validity for a certificate that Chrome allows is about 27 months, which is enough for us.
Google was fast in addressing this: the latest release of Chrome, released today (Thursday, 16/1/2020), adds additional checks, so make sure you update Chrome as well!
Finally, the vulnerability exists only on Windows 10 and Windows Server 2016 and 2019; other Windows OSes do not support ECC certificates, so they are safe.
Once you visit such a site with a vulnerable OS (and IE or Edge), the certificate will be validated as correct, although the certificate details in IE will look weird, as you can see below:
Edge is actually even worse – there isn’t a single sign of a certificate being spoofed:
Ok, so it is bad, but how bad is it? Remember that while an attacker can spoof a certificate, they still have to get the victim to visit the web site. In other words, if we spoof a certificate for isc.sans.edu, we must get the victim to connect to the IP address of a malicious server (with the spoofed certificate). This means that a prerequisite for the attack is some kind of Man-in-the-Middle position between the legitimate site and the victim, or some kind of DNS poisoning that will make the victim visit the attacker’s server.
I would say that this decreases the risk a bit: sure, an attacker can use social engineering or phishing techniques, but in such an attack the final domain will be fake anyway (e.g. isc.sans.edu.malicious.com).
Spoofing digital signatures for binaries
Besides web sites, binaries are nowadays commonly signed. In fact, a lot of endpoint security software will skip verifying correctly signed binaries and blindly trust them. This is what makes this vulnerability more critical: if an attacker can spoof a certificate for a binary, pretending to be Microsoft for example, then it might be possible to evade certain defenses.
We have successfully created such binaries and tested them on both pre- and post-patch machines, and the results here were a bit more worrying.
On a non-patched machine, the digital signature shows as perfectly fine, as you can see in the figures below:
Of course, it will run without any issues, as expected.
With the patch, besides fixing certificate validation, Microsoft also added a new event to the Windows Event Log that will warn when a binary with a fake certificate is executed. This is what the signature and the event log look like on a patched machine:
However, the bad binary will still be executed on a patched machine, silently, without any warning except the event log entry above. This is a serious issue, since the patch will not prevent such a maliciously signed binary from running; it will just create a log entry. Endpoint protection software should, hopefully, correctly detect and block such an attempt in this case.
Finally, if you just want to test for detection and create a fake Event Log entry like the one above, our handler Didier Stevens created a simple VBA program that will generate such an event.
The code is available on his blog, at https://blog.didierstevens.com/2020/01/15/using-cveeventwrite-from-vba-cve-2020-0601/
I liked the idea, so I recreated it in PowerShell (hey, it’s Posh); you can find the equivalent PowerShell code below:
# P/Invoke declaration for CveEventWrite in advapi32.dll; the Win32 return type is a 32-bit LONG, so it is declared as int here.
$MemberDefinition = '[DllImport("advapi32.dll", CharSet = CharSet.Unicode)] public static extern int CveEventWrite(string CveId, string AdditionalDetails);'
# Compile the declaration into a static class Win32.Advapi32 and return the type.
$Advapi32 = Add-Type -MemberDefinition $MemberDefinition -Name 'Advapi32' -Namespace 'Win32' -PassThru
# Write the same kind of Audit-CVE event the patched Crypt32.dll writes; the details string is free text.
[Win32.Advapi32]::CveEventWrite("[CVE-2020-0601] cert validation", "CA: SANS ISC, sha1: d4d0713782626a7320e77967f1578b386257de1f")
If you want to test with a real binary, Didier created a simple program that does nothing really except show a window, which we then signed with a fake certificate.
You can download it from here: https://curveballtest.com/SANSISC_signed.exe – once you start it, there should be an event created in the Windows Event Log (Application). Additionally, on a patched machine, when you start it as administrator, you should see a message about an incorrect signature.
To sum it up: it’s not the end of the world, but the vulnerability is serious, and you should patch affected systems as soon as possible. Keep in mind that any other software that uses Crypt32.dll to verify ECC certificates is also vulnerable, so patching should not be delayed.
We will be updating the diary as we get more information; of course, if you have something to share with us, let us know!
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
VMware is pleased to announce that vSAN, the only vSphere-native storage software, is a finalist in Storage Magazine’s Product of the Year competition for the newly created Hyper-converged and composable infrastructure category. We believe vSAN was chosen in part because of our significant investments in supporting cloud-native applications, enhancing vSAN performance and intelligent operations. According to
The post VMware vSAN a Finalist for Storage Magazine’s Product of the Year Award appeared first on Virtual Blocks.
I recently started using VS Code pretty heavily and I’ve had a fun time configuring it – especially getting synth wave glow working! One thing that continued to bother me was the Powershell Integrated Console (PIC) – which is different than a normal terminal running Powershell. Not only was it a different powershell session, but […]
Need a simple, cost-effective solution to your disaster recovery worries? Are your VMs not protected? VMs are protected but at high costs? Or just looking for a simple solution to expand your current protection with cloud-based disaster recovery? Then read on. 98% of organizations say a single hour of downtime costs over $100,000. Avoiding these
The post Webcast: Preventing Data Loss and Downtime with VMware vCloud Availability Powered DRaaS appeared first on VMware Cloud Provider Blog.
Continuing our Search Poster series, we’ve arrived at the Kubernetes Search Poster! Using the search engine inside VMware vRealize Network Insight can be a revealing experience. It has every single bit of data you ever wanted to see about anything in your infrastructure and it’s available at your fingertips. Because of the vast amount of
The post vRealize Network Insight Search Poster for Kubernetes appeared first on VMware Cloud Management.
This is one document to learn everything about NSX-T LB Configuration and Management.
NSX-T LB Encyclopedia
This document goes over all the Configuration and Management questions you may have on NSX-T LB and much more!
It lists all NSX-T LB capabilities (LB Deployment, Monitor, Server Pool, L4 VIP, L7-HTTP VIP, L7-HTTPS VIP, LB Rules, and Troubleshooting) with detailed examples for each.
In part 2 we highlight the native support for VMware Horizon 7 and higher environments in ControlUp 8.1. The integration is based on the SOAP API. Adding a VMware Horizon environment is easy: click on Add EUC environment, enter the name of a Horizon Connection Server and click ‘OK’. ControlUp discovers Horizon components such … Read more