Bright Ideas Blog


Day 1 detection: CVE-2020-0601, a community, and 40 lines of code

January 17, 2020 by Richard Bejtlich

By Richard Bejtlich, Principal Security Strategist, Corelight

On Tuesday, Jan. 14, 2020, the world learned of the vulnerability du jour, CVE-2020-0601. As explained by Microsoft, “a spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates.” This blog post is not about the vulnerability. Rather, it’s about how leveraging the power of the Zeek community can benefit defenders.

The same day — within hours — a long-time member of the open source Zeek community, Johanna Amann*, released a Zeek package to detect CVE-2020-0601. She published details to the public Zeek mailing list and to the Zeek blog. She also shared working code on her GitHub account. The script is only 40 lines, and as far as I can tell, as of this writing, it is the only free, published, network-based method to detect exploitation of the vulnerability, according to this blue team cheat sheet. (Note: It appears there are Snort and Suricata rules available for paying customers of Cisco and Emerging Threats Labs, respectively.)

I am impressed by this activity because it demonstrates a couple of properties of the Zeek network security monitoring platform that might at first be overlooked. For example, I am often asked to explain the differences between a NetFlow capability and Corelight or open source Zeek. I hope it is obvious that a NetFlow product has no role in detecting exploitation of this vulnerability: it would require severe customization, and even then it might not be possible. (I welcome any comments about this, showing how it could be done.)

The reason Zeek is so different is that it is essentially a programming language, currently applied to a network-specific problem. As such, a programmer like Johanna can use this language to create a detection script quickly. Furthermore, anyone with some familiarity with programming can review the script to determine what it does, building confidence in its effectiveness.

A second and perhaps more important property demonstrated by this development is the ability to release detection capabilities to the world and solicit feedback for improvements and related applications. It is exciting to see people collaborating to mitigate the impact of a serious security problem, using code that anyone can try and run for free. As we continue to develop the cyber security workforce, it will be increasingly important to train staff in tools that they can be sure to bring with them from one location to another. An open source project like Zeek, and tools that build on it like Corelight, are just what modern network security practitioners need.

Let us know if you’re able to find anything suspicious with Johanna’s code!

*Full disclosure, Johanna is a software engineer at Corelight.
