Certified and Undermined: The CVE-2020-0601 Security Flaw
On January 14, 2020, the U.S. National Security Agency (NSA) took the extraordinary step of publicly announcing it had discovered a vulnerability in the Windows 10 operating system. This flaw (tracked as CVE-2020-0601 and later given the name “Curveball”) compromised Windows’ CryptoAPI, the component used to verify digital certificates. Digital certificates, and the ability of other digital tools to verify them, are fundamental to cybersecurity infrastructure: they are a foundation that security tools (as well as other software and applications) rely upon. The severity and extent of the potential impact and risk stemming from “Curveball” are most likely behind the NSA’s rare decision to expose and share it with Microsoft and announce it to the world.
To understand why “Curveball” is so dangerous, we need to talk about certificates and why they’re essential to cybersecurity.
Certificates are the Passports of the Internet (and much more...)
Every day billions of people use the web, with terabytes of data flowing through it. For that data to get where it needs to go, it must be accepted by the recipient. Certificates are the mechanism by which digital applications verify the identity of the sender, giving the recipient confidence that the sender is a safe and legitimate source. They are also used to set up secure, encrypted communication between parties, or to attest to a file’s owner or author.
When you try to enter a country, you need to show your passport before they’ll let you in. The border control agents don’t know who you are, and therefore have to rely on your passport. Your passport is therefore issued with a degree of authority: absent signs of forgery, it is trusted as having the highest level of credibility in attesting to who you say you are. Border control officers look for those signs when they inspect your passport. Perhaps an official seal is missing or has an error. Maybe the information isn't presented correctly. Unless the border agent sees such an anomaly, the information on the passport is assumed to be credible. Of course, that doesn’t mean you’d be allowed to enter, but the decision will be based on your passport, its issuer (namely your country) and your identity as specified by the passport. A passport opens the gateway.
Digital certificates operate the same way. For example, when we try to establish an encrypted session with a website or install a driver, the website or driver must present a valid digital certificate, issued and signed by a certificate authority. As Windows is the OS that provides the most widely used interface for verifying the validity and authenticity of certificates, it serves as our main border control agent. If your system couldn't properly verify and authenticate a digital certificate, you have a problem, especially if it can be fooled by a forged certificate. And this is what “Curveball” is all about: the bad actor's ability to exploit that mechanism. “Curveball” means a capable attacker can send a file that appears to come from Microsoft (or another highly trusted software vendor), but in fact runs a malware dropper on your system when you click on it. Nearly all our online activity (files, data, communications) uses certificates behind the scenes and is therefore potentially vulnerable.
This vulnerability in the CryptoAPI had the potential to create a “digital signature [that] would appear to be from a trusted provider.” The potential to spoof digital certificates raises an unprecedented risk to cybersecurity. Hackers stealing a valid digital certificate is a known tactic that cybersecurity tools help thwart. However, being able to forge a certificate that passes as perfectly valid is a game-changer. Consequently, users and networks that trust the legitimate-appearing digital signature would have been allowing that malware into their systems.
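The post does not go into how the forgery worked. The publicly documented mechanism (Microsoft's and the NSA's guidance at the time) was that CryptoAPI accepted elliptic-curve certificates carrying explicit curve parameters instead of a named-curve identifier, and matched them to a trusted root by public key without checking those parameters. A defender's check that follows from this is to refuse or flag any EC public key whose parameters are not a named curve. The example below is added here and is not code from the original post; it is a small dependency-free DER walker in Python that scans a SubjectPublicKeyInfo (or a whole DER certificate) and classifies every EC AlgorithmIdentifier it finds. The two sample keys are constructed for the example, and their point and parameter bytes are placeholders, not real key material.

```python
"""Flag X.509 EC public keys whose curve is given by explicit parameters rather than a named-curve OID."""
from typing import Iterator, List, Tuple

ID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"          # id-ecPublicKey
ALLOWED_CURVES = {                               # named curves a verifier is willing to accept
    "1.2.840.10045.3.1.7": "P-256",
    "1.3.132.0.34": "P-384",
    "1.3.132.0.35": "P-521",
}


def _read_len(buf: bytes, i: int) -> Tuple[int, int]:
    """Decode a DER length at buf[i]; return (length, index of first content byte)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    if n == 0 or n > 4:
        raise ValueError("unsupported DER length encoding")
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def der_tlvs(buf: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (tag, content) for each top-level TLV in buf."""
    i = 0
    while i < len(buf):
        tag = buf[i]
        length, start = _read_len(buf, i + 1)
        end = start + length
        if end > len(buf):
            raise ValueError("DER element overruns buffer")
        yield tag, buf[start:end]
        i = end


def decode_oid(content: bytes) -> str:
    """Decode OID content bytes into dotted form."""
    if not content:
        return ""
    first = content[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def encode_oid(dotted: str) -> bytes:
    """Encode a dotted OID into DER content bytes (used only to build the samples)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytes([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk = bytes([0x80 | (arc & 0x7F)]) + chunk
            arc >>= 7
        out += chunk
    return out


def tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV with a short- or long-form length."""
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    lb = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def classify_ec_parameters(params_tag: int, params: bytes) -> str:
    """Map the ECParameters choice to a verdict: only a named, allow-listed curve is acceptable."""
    if params_tag == 0x06:                      # namedCurve OID
        oid = decode_oid(params)
        name = ALLOWED_CURVES.get(oid)
        return f"named-curve:{name}" if name else f"unknown-named-curve:{oid}"
    if params_tag == 0x30:                      # explicit ECParameters SEQUENCE (the Curveball shape)
        return "explicit-parameters"
    if params_tag == 0x05:                      # implicitlyCA NULL
        return "implicit-parameters"
    return "malformed-parameters"


def scan_ec_algorithm_identifiers(der: bytes) -> List[str]:
    """Walk any DER blob (SPKI or whole certificate) and classify every id-ecPublicKey AlgorithmIdentifier."""
    findings: List[str] = []
    for tag, content in der_tlvs(der):
        if not tag & 0x20:                      # primitive element: nothing to descend into
            continue
        children = list(der_tlvs(content))
        if tag == 0x30 and children and children[0][0] == 0x06 \
                and decode_oid(children[0][1]) == ID_EC_PUBLIC_KEY:
            if len(children) < 2:
                findings.append("missing-parameters")
            else:
                findings.append(classify_ec_parameters(children[1][0], children[1][1]))
            continue                            # do not descend into the parameters themselves
        findings.extend(scan_ec_algorithm_identifiers(content))
    return findings


def is_acceptable_ec_key(der: bytes) -> bool:
    """True only if every EC key found uses an allow-listed named curve."""
    findings = scan_ec_algorithm_identifiers(der)
    return bool(findings) and all(f.startswith("named-curve:") for f in findings)


def ec_spki(params: bytes, point: bytes) -> bytes:
    """Build a SubjectPublicKeyInfo for id-ecPublicKey with the given parameters (sample construction)."""
    alg = tlv(0x30, tlv(0x06, encode_oid(ID_EC_PUBLIC_KEY)) + params)
    return tlv(0x30, alg + tlv(0x03, b"\x00" + point))


DUMMY_POINT = b"\x04" + bytes(64)               # constructed placeholder, not a real curve point
SAFE_SPKI = ec_spki(tlv(0x06, encode_oid("1.2.840.10045.3.1.7")), DUMMY_POINT)
EXPLICIT_SPKI = ec_spki(                         # explicit ECParameters; field values are placeholders
    tlv(0x30, tlv(0x02, b"\x01")                                                   # version
        + tlv(0x30, tlv(0x06, encode_oid("1.2.840.10045.1.1")) + tlv(0x02, b"\x7f"))  # fieldID
        + tlv(0x30, tlv(0x04, b"\x00") + tlv(0x04, b"\x07"))                       # curve a, b
        + tlv(0x04, b"\x04\x01\x02")                                               # base point
        + tlv(0x02, b"\x7f")),                                                     # order
    DUMMY_POINT,
)

if __name__ == "__main__":
    for label, spki in (("named curve", SAFE_SPKI), ("explicit params", EXPLICIT_SPKI)):
        print(label, scan_ec_algorithm_identifiers(spki), is_acceptable_ec_key(spki))
```

Run against a real DER-encoded certificate (for example the bytes of a `.cer` file) the same `scan_ec_algorithm_identifiers` call reports the key's parameter form, which makes it usable as a quick triage filter over a certificate store; it deliberately stops descending once it has found an EC AlgorithmIdentifier so that the explicit-parameter SEQUENCE is reported once rather than picked apart.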
Without being able to verify a digital signature on a certificate, it is impossible for machines, networks, and applications to communicate safely and securely. This includes cybersecurity tools, which could no longer operate on the premise that a certificate is valid or that it issues valid signatures. In other words, the ability to fabricate certificates would usher in a state of chaos: there would be no security framework left underneath to anchor this basic trust.
Now you can understand why the NSA went public with its discovery. While there's no evidence that anyone exploited this vulnerability, it's still a potential hazard that demands immediate attention. Microsoft rolled out a security patch, which your computer has probably since installed. The catch, however, is that now that bad actors know about this vulnerability, it’s mostly a question of “when” and not “if” they will try to exploit it on unpatched machines and environments.
In summary, the first order of the day is to patch. This remains the only practical and reliable remedy to this vulnerability. Beyond that are solutions that will require industry-wide collective partnership and cooperation to minimize the impact of this vulnerability and ensure ongoing protection. Curveball, like nothing before it, taught us an important lesson about the vulnerability of single points of failure. It taught us about the underlying principles of trust on which the entire cybersecurity ecosystem relies. Lastly, it taught us about the importance of agility and quick adaptation to change in today’s digital era, from patch management through to adopting new technologies for more comprehensive security. If fortification is going to happen, it will need to be through this newly acquired insight.