January 16, 2020 by Richard Bejtlich
On Tuesday, Jan. 14, 2020, the world learned of the vulnerability du jour, CVE-2020-0601. As explained by Microsoft, “a spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates.” This blog post is not about the vulnerability. Rather, it’s about how leveraging the power of the Zeek community can benefit defenders.
The same day — within hours — a long time member of the open source Zeek community, Johanna Amann*, released a Zeek package to detect CVE-2020-0601. She published details to the public Zeek mailing list and to the Zeek blog. She also shared working code to her Github account. The script is only 40 lines and as far as I can tell, as of this writing, it is the only free, published, network-based method to detect exploitation of the vulnerability, according to this blue team cheat sheet. (Note: It appears there are Snort and Suricata rules available for paying customers of Cisco and Emerging Threats Labs, respectively.)
I am impressed by this activity because it demonstrates a couple properties of the Zeek network security monitoring platform that might at first be ignored. For example, I am often asked to explain the differences between a NetFlow capability and Corelight or open source Zeek. I hope it is obvious that a NetFlow product is not relevant to the discussion around detecting the exploitation of this vulnerability, without severe customization, and it would perhaps still not be possible. (I welcome any comments about this, showing how it could be done.)
The reason Zeek is so different is that it is essentially a programming language, currently being used for a network-specific application. As such, a programmer like Johanna can leverage this language to create a detection script in a fairly rapid manner. Furthermore, a person with some familiarity with programming can review the script to determine what it does, building confidence in its effectiveness.
A second and perhaps more important property demonstrated by this development is the ability to release detection capabilities to the world, and solicit feedback for improvements and related applications. It is exciting to see people collaborating to mitigate the impact of a serious security problem, using code that anyone can try and run for free. As we continue to develop the cyber security work force, it will be increasingly important to train staff in tools that they can be sure to bring from one location to another. An open source project like Zeek and tools that utilize it like Corelight are just what modern network security practitioners need.
Let us know if you’re able to find anything suspicious with Johanna’s code!
*Full disclosure, Johanna is a software engineer at Corelight.