Zeek test script for CVE-2020-0601
This script can detect exploit attempts for CVE-2020-0601. It performs a check to see if a known curve is used in a certificate - if this is not the case a notice is raised.
Example notice in notice.log:
1579043477.791522 CHhAvVGS1DHFjwGM9 188.8.131.52 46110 184.108.40.206 4433 F37z6n1B8zn1fZjpj application/x-x509-user-cert 220.127.116.11:4433/tcp tcp CVE_2020_0601::Unknown_X509_Curve ECC certificate with unknown curve; potential CVE-2020-0601 exploit attempt Curve validation code: 0 18.104.22.168 22.214.171.124 4433 - -Notice::ACTION_LOG 3600.000000 - - - - -
To log suspicious certificates please use
redef CVE_2020_0601::log_certs = T;
in your local.bro/local.zeek to turn on extraction. Once this is turned on, suspicoous certificates will be logged to a new cve-2020-0601-certs.log file.
This script requires OpenSSL 1.1.1. It uses OpenSSL functionality to test if a curve contained in a certificate is a well-known curve or not.
Please note that it is very possible that this test is overkill. If you want a simpler script, which does not require loading compiled C-code into your Zeek installation, take at the repository in https://github.com/0xxon/cve-2020-0601, which uses a pure scripting solution. The pure script solution has a higher potential false positive rate - but I currently do not have any reports of false positives.
I currently have no plans to make a version of this package that compiles against older versions of OpenSSL.