An In-Depth Technical Analysis of CurveBall (CVE-2020-0601)

by: John Simpson (Vulnerability Researcher)


The first Microsoft Patch Tuesday of 2020 contained fixes for CVE-2020-0601, a vulnerability discovered by the United States’ National Security Agency (NSA) that affects how cryptographic certificates are verified by one of the core cryptography libraries in Windows that make up part of the CryptoAPI system. The vulnerability has been dubbed CurveBall or “Chain of Fools”; an attacker exploiting it could potentially create their own cryptographic certificates that appear to originate from a legitimate certificate that is fully trusted by Windows by default.


Within a couple of days of the disclosure, public proofs of concept (PoCs) began surfacing. Along with these came several explanations of the Elliptic Curve Cryptography (ECC) concepts involved in the vulnerability.


In contrast, this post will primarily highlight the code-level root cause analysis of the vulnerability in the context of how applications are likely to use CryptoAPI to handle certificates — more specifically in the context of applications communicating via Transport Layer Security (TLS).


However, before diving into the code, let’s take a high-level look at certificates and elliptic curve cryptography.


Certificates


X.509 is an International Telecommunication Union (ITU) standard specifying the structure of public-key certificates using the ASN.1 notation. Basically, a certificate is a sequence containing three “first layer” items: the certificate, a signature algorithm identifier, and the signature verifying the authenticity of the certificate. This structure is expressed by the following ASN.1 snippet:
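As an added example, not part of the original post, the same three-item layout can be seen by walking the DER encoding directly with a small Python parser. The field names `tbsCertificate`, `signatureAlgorithm` and `signatureValue` are taken from RFC 5280 rather than from this page, and `SAMPLE` is a constructed skeleton (placeholder body, dummy signature), not a valid certificate.

```python
# Added example: minimal DER walker (single-byte tags, definite lengths only).
ECDSA_SHA256_OID = bytes.fromhex("2a8648ce3d040302")  # 1.2.840.10045.4.3.2

def read_tlv(buf, off=0):
    """Return (tag, value, next_offset) for the element starting at off."""
    if off + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first = buf[off], buf[off + 1]
    off += 2
    if first < 0x80:                  # short form: the byte is the length
        length = first
    else:                             # long form: low 7 bits count the length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or off + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    if off + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[off:off + length], off + length

def split_certificate(der_bytes):
    """Split the outer SEQUENCE into its three first-layer items."""
    tag, body, end = read_tlv(der_bytes)
    if tag != 0x30 or end != len(der_bytes):
        raise ValueError("expected exactly one outer SEQUENCE")
    items, off = [], 0
    while off < len(body):
        t, v, off = read_tlv(body, off)
        items.append((t, v))
    if [t for t, _ in items] != [0x30, 0x30, 0x03]:
        raise ValueError("expected SEQUENCE, SEQUENCE, BIT STRING")
    names = ("tbsCertificate", "signatureAlgorithm", "signatureValue")
    return dict(zip(names, (v for _, v in items)))

def der(tag, value):  # encoder used only to build the constructed sample below
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + value

# Constructed skeleton, NOT a valid certificate: placeholder body, real OID, dummy signature.
SAMPLE = der(0x30,
    der(0x30, der(0x02, b"\x01") + der(0x04, bytes(200)))   # stand-in for tbsCertificate
    + der(0x30, der(0x06, ECDSA_SHA256_OID))                # AlgorithmIdentifier
    + der(0x03, b"\x00" + bytes(8)))                        # BIT STRING, 0 unused bits
if __name__ == "__main__":
    print({k: len(v) for k, v in split_certificate(SAMPLE).items()})
```

The parser rejects trailing bytes and truncated lengths instead of guessing, which is the behaviour a certificate-handling path should have before any signature check runs.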

