A Look at CurveBall, the CryptoAPI Spoofing Vulnerability

Matt Evans | 1/28/2020

A new vulnerability is showing how easily bad actors can use technology to manipulate us. When most people think of an exploit, they think of the kind that bypasses controls, causes loss of information, or allows attackers to take control of a system. However, this new vulnerability goes one step further by attacking the trust relationship that we all take for granted when we use technology.

Security advisories and updates

On Jan. 14, 2020, the National Security Agency (NSA) issued an advisory alerting the public about a new vulnerability. The advisory notes that the NSA disclosed to Microsoft details about the discovery of CVE-2020-0601, also known as “CurveBall,” “NSACrypt,” and “ChainOfFools.” The vulnerability exists because of a flaw in the way the Microsoft Windows™ CryptoAPI application (Crypt32.dll) validates elliptic curve cryptography (ECC) certificates.

Microsoft issued a security advisory about CVE-2020-0601 that describes the flaw as such: “An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source. The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider.”

Vulnerable operating systems include Windows 10, Server 2016, and Server 2019. To emphasize the severity of the flaw, Microsoft estimates the number of active Windows 10 devices at just under 1 billion. That number does not include servers running 2016 or 2019. Microsoft worked with the NSA and issued a patch before the vulnerability was made public – another indicator of the vulnerability’s severity when compared to the handling of other NSA disclosures.

An abuse of trust

CVE-2020-0601, or CurveBall, is a stark reminder that trust is one of the most important aspects of modern technology. Without it, attackers and bad actors can falsify information with no way for end users to verify authenticity.

Several proof-of-concept (POC) code examples exist on GitHub, making it easy for adversaries to modify existing code and launch attacks against unpatched systems. Shortly after the advisory and patch for CurveBall were released, security researcher Saleem Rashid demonstrated how quickly and easily trust can be manipulated using the POC by spoofing GitHub and the NSA’s websites. The demonstration shows Rick Astley’s “Never Gonna Give You Up” playing on a seemingly legitimate version of each organization’s website. The trust violation is clear, as each site presents a valid certificate via the exploit.

CurveBall, certificates, and signed viruses

Attackers have abused trust for years using valid certificates on fake websites to increase the effectiveness of their attacks, but CurveBall goes beyond registering a fake website with a legitimate certificate. Instead, attackers can create valid certificates that perfectly mimic those issued by legitimate publishers.

Many attacks associated with CurveBall involve sending users to a seemingly secure version of a popular website. But those domain names have already been registered. That means these attacks are limited in reach because an attacker would have to be on the network or modify system files to present the user with the same exact domain name.

However, attacks in which users receive malicious software that appears to have been signed by a legitimate source are more concerning. For example, if attackers deliver a virus “signed” by Microsoft, they can take advantage of the inherent trust users depend on: an operating system that validates the authenticity of programs.

Certificates are a critical component of the internet and of digital communications. They create a layer of trust between devices and individuals to validate the integrity and the identity of information. When trust is compromised, our assumption of what is secure is challenged, which is what makes CurveBall particularly concerning. Because the flaw itself is part of the operating system and not a web browser, trust is broken not only between websites but between applications as well.

How to mitigate risk

According to an NSA statement, the security update released by Microsoft is “the only comprehensive means to mitigate the risk. While means exist to detect or prevent some forms of exploitation, none of them are complete or fully reliable.”

Another compensating control is the use of a non-Microsoft inspection proxy. This device validates certificates coming from websites and blocks anything that is found to be invalid. This feature means the exploit will fail before reaching potentially vulnerable Windows endpoints.

In its advisory, the NSA explains that attempts to exploit the flaw can be found by inspecting network traffic and extracting the certificate. It recommends using tools such as OpenSSL and Windows Certutil.exe to look at the elliptic curve parameters that will match only partially in modified certificates.
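The parameter comparison described above, as an added example (not code from the NSA advisory or from this article). It assumes the curve parameters have already been extracted from the certificate as integers; the dictionary keys and function names are hypothetical, only NIST P-256 is listed as a reference curve, and the sample input is constructed.

```python
# Added example: compare explicit EC domain parameters from a certificate
# against a standard curve and report a partial match.

_P = 2**256 - 2**224 + 2**192 + 2**96 - 1   # NIST P-256 field prime

# NIST P-256 (secp256r1) domain parameters; gx/gy is the standard generator.
P256 = {
    "p": _P,
    "a": _P - 3,
    "b": 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b,
    "gx": 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
    "gy": 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5,
    "n": 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551,
}
KNOWN_CURVES = {"P-256": P256}   # extend with other standard curves as needed


def on_curve(params):
    """True if the generator satisfies y^2 = x^3 + a*x + b (mod p)."""
    p, a, b, x, y = (params[k] for k in ("p", "a", "b", "gx", "gy"))
    return (y * y - (x * x * x + a * x + b)) % p == 0


def classify(params):
    """Return (verdict, curve_name, differing_fields) for explicit parameters."""
    # An exact match against any standard curve wins over a partial one.
    for name, std in KNOWN_CURVES.items():
        if all(params.get(k) == v for k, v in std.items()):
            return ("standard", name, [])
    # Some, but not all, fields equal a standard curve: the "partial match"
    # that should be escalated for review.
    for name, std in KNOWN_CURVES.items():
        differing = sorted(k for k in std if params.get(k) != std[k])
        if len(differing) < len(std):
            return ("partial-match", name, differing)
    return ("no-match", None, [])


# Constructed sample: P-256 field, coefficients and order, but with a
# different generator point (the negation of the standard one).
CONSTRUCTED_SAMPLE = dict(P256, gy=P256["p"] - P256["gy"])

if __name__ == "__main__":
    for label, params in (("standard", P256), ("sample", CONSTRUCTED_SAMPLE)):
        print(label, classify(params), "generator on curve:", on_curve(params))
```

The constructed sample's generator still lies on the curve, so only a field-by-field comparison against the standard values separates it from the real P-256 parameters.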

Fake signatures as the mode of attack

While there have not been massive reports of attacks occurring in the wild, all the pieces are in place, and real damage is bound to be done. It is easy to imagine situations where the flaw is exploited to perform advanced man-in-the-middle attacks using a proxy to present spoofed websites with valid certificates. Another possibility is an attack in which a virus or a piece of malicious software is sent to a user with a fake signature that makes it appear as a valid program.

Security researcher and famous malware author Benjamin Delpy (@gentilkiwi) has demonstrated these use cases and has used the vulnerability to spoof digitally signed emails meant to verify a sender’s legitimacy, sign macro code in Microsoft Word documents, and even run PowerShell code unabated. All these exemplify an abuse of our inherent trust in the internet and its underlying cryptography, and that breach of trust is what makes this vulnerability particularly impactful and potentially devastating.

Next steps

Organizations using Windows 10, Server 2019, or Server 2016 are strongly encouraged to update their systems immediately. Everything needed for an attacker to attempt exploitation is already available, and it is only a matter of time before organizations are targeted and the existing POCs are weaponized.

Addressing this vulnerability is also an opportunity to revisit how emergency patches are deployed in Windows environments, as attackers do not typically wait for defenders to fulfill monthly patching cycles before levying attacks. In the meantime, be careful who you trust – that little green lock might be deceiving.

