Skip to content

Zeek script to detect servers vulnerable to CVE-2020-13777

License

Notifications You must be signed in to change notification settings

0xxon/cve-2020-13777

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

8 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Zeek test script for CVE-2020-13777

This script performs a simple test to check if a server is potentially vulnerable to CVE-2020-13777.

CVE-2020-13777 causes GnuTLS to create unencrypted session tickets. This seems to be detectable by checking gnutls sets the key_name to zero - for which it uses the first 16 bytes of the session-ticket. This script checks if:

  • A server sends a suspicious session ticket
  • A client resumes a connection to a server succesfully with a suspicious session ticket

Both cases indicate that a server is employing a vulnerable version of GnuTLS.

Found cases are written to notice.log. Example output:

1591660828.497706	CHhAvVGS1DHFjwGM9	::1	58800	::1	5556	-	-	-	tcp	CVE_2020_13777::CVE_2020_13777_Server	Server potentially vulnerable to CVE-2020-13777 detected	-	::1	::1	5556	-	-	Notice::ACTION_LOG	3600.000000	-	-	-	-	-
1591660837.423412	ClEkJM2Vm5giqnMf4h	::1	58802	::1	5556	-	-	-	tcp	CVE_2020_13777::CVE_2020_13777_Resumed	Server potentially vulnerable to CVE-2020-13777 detected; client resumed with suspicious session ticket	-	::1	::1	5556	-	-	Notice::ACTION_LOG	3600.000000	-	-	-	-	-

Notice are deduplicated and only logged once per default_suppression_interval (default: 1 hour) for each server.

To install via zkg, just use

zkg install 0xxon/cve-2020-0601

Note:

This script only works for TLS 1.2 (or below) connections. It will not alert on vulnerable servers that use TLS 1.3. The

Disclaimer:

This script has not been extensively tested. It works with my self-generated test-data and should find vulnerable servers. There is a chance that it will raise false positives with different server software, but this is somewhat unlikely.

About

Zeek script to detect servers vulnerable to CVE-2020-13777

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published