Zeek package that uses OpenSSL to detect CVE-2020-0601 exploit attempts
CMakeLists.txt Make a (hopefully) 100% accurate test using OpenSSL Jan 15, 2020

Zeek test script for CVE-2020-0601

This script can detect exploit attempts for CVE-2020-0601. It checks whether the elliptic-curve parameters in a certificate correspond to a known curve; if they do not, a notice is raised.

Example notice in notice.log:

1579043477.791522	CHhAvVGS1DHFjwGM9	192.241.209.49	46110	192.241.202.21	4433	F37z6n1B8zn1fZjpj	application/x-x509-user-cert	192.241.202.21:4433/tcp	tcp	CVE_2020_0601::Unknown_X509_Curve	ECC certificate with unknown curve; potential CVE-2020-0601 exploit attempt	Curve validation code: 0	192.241.209.49	192.241.202.21	4433	-	-Notice::ACTION_LOG	3600.000000	-	-	-	-	-

To log suspicious certificates please use

redef CVE_2020_0601::log_certs = T;

in your local.bro/local.zeek to turn on extraction. Once this is turned on, suspicious certificates will be logged to a new cve-2020-0601-certs.log file.

Important note:

This script requires OpenSSL 1.1.1. It uses OpenSSL functionality to test if a curve contained in a certificate is a well-known curve or not.

Please note that it is very possible that this test is overkill. If you want a simpler script that does not require loading compiled C code into your Zeek installation, take a look at the repository at https://github.com/0xxon/cve-2020-0601, which uses a pure scripting solution. The pure-script solution has a higher potential false-positive rate, but I currently do not have any reports of false positives.
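To make the check concrete, here is an added example (not the package's own code and not the 0xxon script) that does in plain Python what the two approaches above describe: it decodes the DER ECParameters value from a certificate's SubjectPublicKeyInfo, accepts a namedCurve OID that is in its table, and for explicit parameters compares every domain value (field prime, a, b, base point and order) against a known curve. Anything that does not resolve to a known curve is what the notice above reports. The example assumes the ECParameters bytes have already been extracted from the certificate and lists only secp256r1 in its table; the sample inputs, including the one with a substituted base point, are constructed inline and do not come from the page.

```python
"""Added example: flag EC certificate parameters that do not match a known curve.
Pure Python, no dependencies. Only secp256r1 is tabled to keep it short."""

# secp256r1 / NIST P-256 domain parameters (SEC 2).
P256 = dict(
    p=0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF,
    a=0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFC,
    b=0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B,
    gx=0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
    gy=0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5,
    n=0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551,
)
KNOWN_CURVES = {"secp256r1": P256}        # a real deployment tables every trusted curve
NAMED_CURVE_OIDS = {"1.2.840.10045.3.1.7": "secp256r1"}
PRIME_FIELD_OID = "1.2.840.10045.1.1"     # id-prime-field (RFC 3279)

# --- minimal DER encode/decode, enough for ECParameters ---
def _der_len(n):
    if n < 128:
        return bytes([n])
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(lb)]) + lb

def der(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def der_int(v):  # positive INTEGER; adds a leading 0x00 when the high bit is set
    return der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def der_oid(text):
    parts = [int(x) for x in text.split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for arc in parts[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return der(0x06, bytes(out))

def der_read(data, pos=0):
    """Return (tag, body, next_pos) for the TLV starting at pos."""
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:                     # long-form length
        nb = length & 0x7F
        length = int.from_bytes(data[pos:pos + nb], "big")
        pos += nb
    return tag, data[pos:pos + length], pos + length

def der_children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, child, pos = der_read(body, pos)
        out.append((tag, child))
    return out

def oid_decode(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for byte in body[1:]:
        val = (val << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

# --- the check itself ---
def classify(params):
    """Classify a DER ECParameters value: ("named", curve), ("explicit", curve)
    or ("other", None). curve is None when the parameters match no known curve."""
    tag, body, end = der_read(params)
    if end != len(params):
        raise ValueError("trailing bytes after ECParameters")
    if tag == 0x06:
        return ("named", NAMED_CURVE_OIDS.get(oid_decode(body)))
    if tag != 0x30:
        return ("other", None)            # e.g. implicitlyCA (NULL)
    fields = der_children(body)
    if len(fields) < 5 or [f[0] for f in fields[:5]] != [0x02, 0x30, 0x30, 0x04, 0x02]:
        return ("explicit", None)
    _, field_id, curve, base, order = [f[1] for f in fields[:5]]
    ftype, fparam = der_children(field_id)[:2]
    if ftype[0] != 0x06 or oid_decode(ftype[1]) != PRIME_FIELD_OID:
        return ("explicit", None)         # only prime fields are compared here
    p = int.from_bytes(fparam[1], "big")
    flen = (p.bit_length() + 7) // 8
    a_oct, b_oct = der_children(curve)[:2]
    if len(base) != 1 + 2 * flen or base[0] != 0x04:
        return ("explicit", None)         # only uncompressed base points handled
    seen = dict(p=p, a=int.from_bytes(a_oct[1], "big"), b=int.from_bytes(b_oct[1], "big"),
                gx=int.from_bytes(base[1:1 + flen], "big"),
                gy=int.from_bytes(base[1 + flen:], "big"), n=int.from_bytes(order, "big"))
    for name, known in KNOWN_CURVES.items():
        if seen == known:                 # every value, the base point included, must match
            return ("explicit", name)
    return ("explicit", None)

def is_suspicious(params):
    """True when the parameters resolve to no known curve (the notice condition)."""
    return classify(params)[1] is None

def explicit_params(c, gx=None, gy=None):
    """Constructed sample input: encode curve dict c as explicit ECParameters (SEC 1)."""
    flen = (c["p"].bit_length() + 7) // 8
    gx, gy = (c["gx"] if gx is None else gx), (c["gy"] if gy is None else gy)
    point = b"\x04" + gx.to_bytes(flen, "big") + gy.to_bytes(flen, "big")
    return der(0x30, der_int(1)
               + der(0x30, der_oid(PRIME_FIELD_OID) + der_int(c["p"]))
               + der(0x30, der(0x04, c["a"].to_bytes(flen, "big")) + der(0x04, c["b"].to_bytes(flen, "big")))
               + der(0x04, point) + der_int(c["n"]) + der_int(1))

NAMED_P256 = der_oid("1.2.840.10045.3.1.7")        # constructed: namedCurve form
EXPLICIT_P256 = explicit_params(P256)              # constructed: explicit form, genuine P-256
# Constructed: P-256 field, coefficients and order with a different base point. The
# values are arbitrary (not a real curve point); they only stand in for "generator != G".
ROGUE_GENERATOR = explicit_params(P256, gx=0x1234, gy=0x5678)

if __name__ == "__main__":
    for label, blob in [("named P-256", NAMED_P256), ("explicit P-256", EXPLICIT_P256),
                        ("explicit, other generator", ROGUE_GENERATOR)]:
        print(f"{label:28s} {classify(blob)}  suspicious={is_suspicious(blob)}")
```

The point of comparing the base point as well as p, a, b and n is that explicit parameters can reuse every public constant of a standard curve except the generator; a check that only matched the prime and coefficients would accept exactly the case this package is meant to notice.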

I currently have no plans to make a version of this package that compiles against older versions of OpenSSL.
