Zeek test script for CVE-2020-0601
This script can detect exploit attempts for CVE-2020-0601. It checks whether the ECC certificate presented in a connection uses a known curve; if it does not, a notice is raised.
Example notice in notice.log:
1579043477.791522 CHhAvVGS1DHFjwGM9 192.241.209.49 46110 192.241.202.21 4433 F37z6n1B8zn1fZjpj application/x-x509-user-cert 192.241.202.21:4433/tcp tcp CVE_2020_0601::Unknown_X509_Curve ECC certificate with unknown curve; potential CVE-2020-0601 exploit attempt Curve validation code: 0 192.241.209.49 192.241.202.21 4433 - -Notice::ACTION_LOG 3600.000000 - - - - -
To log suspicious certificates, add
redef CVE_2020_0601::log_certs = T;
to your local.bro/local.zeek to turn on extraction. Once this is enabled, suspicious certificates will be logged to a new cve-2020-0601-certs.log file.
Important note:
This script requires OpenSSL 1.1.1. It uses OpenSSL functionality to test if a curve contained in a certificate is a well-known curve or not.
Please note that this test may well be overkill. If you want a simpler script that does not require loading compiled C code into your Zeek installation, take a look at the repository at https://github.com/0xxon/cve-2020-0601, which uses a pure scripting solution. The pure-script solution has a higher potential false-positive rate, but I currently do not have any reports of false positives.
I currently have no plans to make a version of this package that compiles against older versions of OpenSSL.
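As an added illustration of the check both variants perform (this is example code, not the package's or the pure-script repository's own code), the following walks the DER of an X.509 SubjectPublicKeyInfo and flags any EC key whose parameters are not a known named-curve OID; the two SubjectPublicKeyInfo samples are constructed with a zeroed public point and are not real keys.

```python
# Added example: apply the "known curve" rule to a DER SubjectPublicKeyInfo.
# An EC key should reference a named curve by OID; explicit ECParameters or an
# unrecognised curve OID is reported as "unknown curve" and treated as suspicious.
ID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"
KNOWN_CURVES = {  # named-curve OIDs a defender would normally expect to see
    "1.2.840.10045.3.1.7": "prime256v1",
    "1.3.132.0.34": "secp384r1",
    "1.3.132.0.35": "secp521r1",
}

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def classify_curve(spki):
    """Classify the curve of a DER SubjectPublicKeyInfo (not a full certificate)."""
    _, body, _ = _read_tlv(spki, 0)        # SubjectPublicKeyInfo ::= SEQUENCE
    _, alg, _ = _read_tlv(body, 0)         # AlgorithmIdentifier ::= SEQUENCE
    tag, oid, pos = _read_tlv(alg, 0)
    if tag != 0x06 or _decode_oid(oid) != ID_EC_PUBLIC_KEY:
        return "not-ec"
    ptag, params, _ = _read_tlv(alg, pos)  # ECParameters
    if ptag == 0x06:                       # namedCurve OBJECT IDENTIFIER
        return KNOWN_CURVES.get(_decode_oid(params), "unknown-named-curve")
    return "explicit-parameters" if ptag == 0x30 else "malformed"

def is_suspicious(spki):
    return classify_curve(spki) in ("explicit-parameters", "unknown-named-curve", "malformed")

def _tlv(tag, value):  # short-form DER encoder, sufficient for the small samples below
    return bytes([tag, len(value)]) + value

# Constructed samples: the public point is all zeros and is not a usable key.
OID_EC, OID_P256 = bytes.fromhex("06072a8648ce3d0201"), bytes.fromhex("06082a8648ce3d030107")
DUMMY_POINT = _tlv(0x03, b"\x00\x04" + b"\x00" * 64)
SPKI_NAMED = _tlv(0x30, _tlv(0x30, OID_EC + OID_P256) + DUMMY_POINT)
# Explicit ECParameters SEQUENCE, abbreviated to its version field; the classifier keys on the tag.
SPKI_EXPLICIT = _tlv(0x30, _tlv(0x30, OID_EC + _tlv(0x30, _tlv(0x02, b"\x01"))) + DUMMY_POINT)
```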