Zeek test script for CVE-2020-13777
This script performs a simple test to check if a server is potentially vulnerable to CVE-2020-13777.
CVE-2020-13777 causes GnuTLS to create unencrypted session tickets. This seems to be detectable by checking gnutls sets the
`key_name` to zero - for which it uses the first 16 bytes of the session-ticket. This script checks if:
- A server sends a suspicious session ticket
- A client resumes a connection to a server succesfully with a suspicious session ticket
Both cases indicate that a server is employing a vulnerable version of GnuTLS.
Found cases are written to notice.log. Example output:
1591660828.497706 CHhAvVGS1DHFjwGM9 ::1 58800 ::1 5556 - - - tcp CVE_2020_13777::CVE_2020_13777_Server Server potentially vulnerable to CVE-2020-13777 detected - ::1 ::1 5556 - - Notice::ACTION_LOG 3600.000000 - - - - - 1591660837.423412 ClEkJM2Vm5giqnMf4h ::1 58802 ::1 5556 - - - tcp CVE_2020_13777::CVE_2020_13777_Resumed Server potentially vulnerable to CVE-2020-13777 detected; client resumed with suspicious session ticket - ::1 ::1 5556 - - Notice::ACTION_LOG 3600.000000 - - - - -
Notice are deduplicated and only logged once per default_suppression_interval (default: 1 hour) for each server.
To install via zkg, just use
zkg install 0xxon/cve-2020-0601
This script only works for TLS 1.2 (or below) connections. It will not alert on vulnerable servers that use TLS 1.3. The
This script has not been extensively tested. It works with my self-generated test-data and should find vulnerable servers. There is a chance that it will raise false positives with different server software, but this is somewhat unlikely.