Zeek test script for CVE-2020-0601

This script can detect exploit attempts for CVE-2020-0601. It performs a simple check to see if a known curve is used in a certificate - if this is not the case a notice is raised.

Example notice in notice.log:

1579043477.791522	CHhAvVGS1DHFjwGM9	46110	4433	F37z6n1B8zn1fZjpj	application/x-x509-user-cert	tcp	CVE_2020_0601::Unknown_X509_Curve	ECC certificate with unknown curve; potential CVE-2020-0601 exploit attempt	-	4433	-	-	Notice::ACTION_LOG	3600.000000	-	-	-	-	-

To log suspicious certificates please use

redef CVE_2020_0601::log_certs = T;

in your local.bro/local.zeek to turn on extraction. Once this is turned on, suspicious certificates will be logged to a new cve-2020-0601-certs.log file.

Important note:

This script requires an OpenSSL installation that automatically converts explicit curves to names while the certificate is parsed. Many versions of OpenSSL shipped by different Linux distributions do not seem to do that; I am currently a bit unsure of why this is the case.

Using OpenSSL versions with differing behavior will lead to a higher amount of false positives. The tests for this package will check OpenSSL behavior during installation; if the "explicit.bro" tests fails your version of OpenSSL does not behave as required.

In this case, the script will alert on all certificates that have explicit curve definitions too; these should be very very rare, but are not per se a problem.

There is a second version of this plugin available at The second version uses OpenSSL primitives to directly check a certificate curve. However, the plugin version requires OpenSSL 1.1.x - and requires C++ code to be built and loaded in your Zeek installation.

The advantages of the plugin version at are a higher accuracy - with more specific notices that give more information about an exploit attempt that was found. The disadvantages mostly are higher installation friction.


While this plugin successfully detects known POC code, it is possible (but unlikely) that another variant of the attack might not be detected.

Package Version :