This article is more than 1 year old

Bad news: Windows security cert SNAFU exploits are all over the web now. Also bad: Citrix gateway hole mitigations don't work for older kit

Good news: There is none. Well, apart from you can at least fully patch the Microsoft blunder

Vid Easy-to-use exploits have emerged online for two high-profile security vulnerabilities, namely the Windows certificate spoofing bug and the Citrix VPN gateway hole. If you haven't taken mitigation steps by now, you're about to have a bad time.

While IT admins can use the proof-of-concept exploit code to check their own systems are secure, miscreants can use them to, in the case of Citrix, hijack remote systems, or in the case of Windows, masquerade malware as legit apps or potentially intercept encrypted web traffic. Patches are available from Microsoft for the Windows vulnerability and should be deployed as soon as possible.

For Citrix, it will not be fully patched until January 20, and in the meantime, in certain cases, the official mitigations are not sufficient to thwart all methods of exploitation. There are an estimated 120,000 or more potentially vulnerable boxen on the open internet.

Windows smashed

Within hours of the NSA going public with details about its prized bug find, exploit writers posted working code demonstrating how the flaw can be abused to trick unpatched Windows computers into accepting fake digital certificates – which are used to verify the legitimacy of software, and encrypt web connections.

The vulnerability, CVE-2020-0601, lies within the crypt32.dll library in Windows 10 as well as Server 2016 and 2019. For what it's worth, the bug occurs when matching an attacker-supplied certificate to a cached trusted cert held in an internal data structure. It's a logic flaw – the attacker's cert is incorrectly checked – rather than a cryptographic or mathematical weakness.

A man wearing a VR headset in the year 2020

Welcome to the 2020s: Booby-trapped Office files, NSA tipping off Windows cert-spoofing bugs, RDP flaws...


One proof-of-concept code sample available to all is a tiny package of just 50-or-so lines of Python. Despite the ease with which the exploit is able to do its work, the author, Yolan Romailler at Swiss security shop Kudelski, said people shouldn't panic over the network traffic eavesdropping aspect of CVE-2020-0601: a snoop has to be able to intercept your connections.

"In the end, please keep in mind that such a vulnerability is not at risk of being exploited by script kiddies or ransomware," notes Romailler in his detailed write-up of the bug.

"While it is still a big problem because it could have allowed a man-in-the-middle attack against any website, you would need to face an adversary that owns the network on which you operate, which is possible for nation-state adversaries, but less so for a script kiddie.

"This is also probably why the NSA decided not to weaponize their finding, but to rather disclose it: for them it is best to have the USA patched rather than to keep it and take the risk of it being used against the USA, as the attack surface is so vast."

As for the nitty-gritty of the bug, Romailler summarized it thus:

Specifically, it is possible to craft a private key for an existing public key, as soon as you are not using the standard generator, but instead can choose any generator. And you can choose you own generator in X.509 certificates by using an “explicit parameters” option to set it.

And because then the CryptoAPI seems to match the certificate with the one it has in cache without checking that the provided generator actually matches the standardized one, it will actually trust the certificate as if it had been correctly signed. (Although not entirely, as the system still detects that the root certificate is not the same as the one in the root CA store. That is: you won’t get these nice green locks you all wanted in your URL bar, but you’ll still get a lock without any warning, unlike when using a self-signed certificate, even if you just crafted that certificate yourself.)

Meanwhile, infosec outfit Trail of Bits has dubbed the flaw Whose Curve Is It Anyway? along with a logo and website, which features a proof-of-concept attack, as is customary these days. The biz succinctly summed up the bug thus:

At a high level, this vulnerability takes advantage of the fact that Crypt32.dll fails to properly check that the elliptic curve parameters specified in a provided root certificate match those known to Microsoft.

There's more technical info here. And you can find another proof-of-concept exploit here with a signed and unsigned 7z.exe file as an example.


Things are less straightforward when it comes to the other major security bug dominating the news in the past week. The Citrix VPN gateway bug CVE-2019-19781, dubbed Shitrix by the infosec community, is under active exploit in the wild. Worse yet, Citrix has admitted that, for some installations running older firmware, its recommended mitigation techniques are not holding up against exploits. If you're using Citrix ADC Release 12.1 builds before 51.16/51.19 and 50.31, you should try to upgrade your version.

Better yet, you should configure your network monitoring to catch attempts to exploit the software. A SANS ISC video describing the security snafu is below.

Youtube Video

An alert from the Dutch National Cyber Security Centre advises organizations that run Citrix ADC and Gateway boxes to consider turning off the machines entirely until the full-scale patch from Citrix is released on January 20.

"If the impact of switching off the Citrix ADC and Gateway servers is not acceptable, the advice is to closely monitor for possible abuse," a translation of the alert reads. "As a last risk-limiting measure you can still look at whitelisting of specific IP addresses or IP blocks."

As for exploits, you can find one proof-of-concept sample here. ®

More about


Send us news

Other stories you might like