Learn why Netskope debuted as a leader in the 2024 Gartner® Magic Quadrant™️ for Single-Vendor Secure Access Service Edge

Read how innovative customers are successfully navigating today’s changing networking & security landscape through the Netskope One platform.

Get the eBook

Learn about Netskope Partners

Group of diverse young professionals smiling

Security Service Edge (SSE), Cloud Access Security Broker (CASB), Cloud Firewall, Next Generation Secure Web Gateway (SWG), and Private Access for ZTNA built natively into a single solution to help every business on its journey to Secure Access Service Edge (SASE) architecture.

Go to Products Overview

Netskope Next Gen SASE Branch converges Context-Aware SASE Fabric, Zero-Trust Hybrid Security, and SkopeAI-powered Cloud Orchestrator into a unified cloud offering, ushering in a fully modernized branch experience for the borderless enterprise.

Learn about Next Gen SASE Branch

Get your complimentary copy of the only guide to SASE design you’ll ever need.

Get the eBook

Learn about NewEdge

Lighted highway through mountainside switchbacks

Learn how we secure generative AI use

Learn about Zero Trust

Choose Netskope GovCloud to accelerate your agency’s transformation.

Learn about Netskope GovCloud

2025 Predictions
In this episode of Security Visionaries, we're joined by Kiersten Todt, President at Wondros and former Chief of Staff for the Cybersecurity and Infrastructure Security Agency (CISA) to discuss predictions for 2025 and beyond.

Play the podcast Browse all podcasts

Read how Netskope can enable the Zero Trust and SASE journey through secure access service edge (SASE) capabilities.

Read the blog

Learn how to navigate the latest advancements in SASE and zero trust and explore how these frameworks are adapting to address cybersecurity and infrastructure challenges

Explore sessions

Learn about the future convergence of networking and security tools in today’s cloud dominant business model.

Learn about SASE

Netskope is proud to participate in Vision 2045: an initiative aimed to raise awareness on private industry’s role in sustainability.

Find out more

Supporting Sustainability Through Data Security

At Netskope, founders and leaders work shoulder-to-shoulder with their colleagues, even the most renowned experts check their egos at the door, and the best ideas win.

Join the team

Go to Customer Solutions

Learn about Training and Certifications

Microsoft CryptoAPI Spoofing (CVE-2020-0601)

Request Demo

Trust Me…

We’ve all gotten used to a trust model on the Internet, and it’s mostly worked. We trust we have a private connection to a website because of the HTTPS certificates presented by the server and verified by our browser. Our browsers are fairly good at warning us when there is a problem, like invalid certificates. So, we confidently send credit card numbers, bank account information, and other information over the Internet, knowing that these technologies will keep us safe.

… or Not

CVS-2020-0601 has turned our trust model upside down. Not because of the design of the crypto/certificate chain of SSL/HTTPS, but because an implementation of the certificate checking on some Windows systems is flawed, failing to detect invalid, spoofed certificates.

Like a fictitious face mask from Mission Impossible, attackers can easily spoof a valid certificate, presenting to you what looks like a valid certificate signed from a trusted authority, with no warnings, no errors from your browser.

CVE-2020-0601

On Tuesday, January 14, 2020, Microsoft issued a security update addressing several patches, including a fix for CVE-2020-0601, a critical vulnerability in the Microsoft CryptoAPI (crypt32.dll) discovered and reported by NSA. The fix ensures that the Windows CryptoAPI library completely and properly validates ECC certificates (commonly used in X.509 certificates).

CVE-2020-0601 is a vulnerability in the Windows cryptographic library crypt32.dll, which implements many of the certificate and cryptographic messaging functions in the CryptoAPI, such as encrypting and decrypting data using digital certificates and validating the Elliptic Curve Cryptography (ECC) certificates.

CVE-2020-0601, also referred to as CurveBall, is a spoofing vulnerability or flaw in the way the certificates are loaded without a proper verification of the explicit curve parameters in the certificates. This allows an attacker to supply his own generated X.509 certificates by using an “explicit parameters” option to set it.

This affects Windows 10 endpoints and Windows Server 2016/2019, allowing spoofing of certificates used in trust validation:

HTTPS connections
Signed files and emails
Signed executable code processes

From an adversarial context, Curveball X.509 cert chain validation is susceptible to:

MITM Attacks: HTTPS/SSL certificate authorities can be spoofed without being detected thereby allowing MITM attacks from a fake server which appears to have a validly signed HTTPS/SSL certificate.
Signed File/Malware Attack: Root certificate authorities like MicrosoftECCProductRootCertificateAuthority.cer can be spoofed without being detected thereby allowing malware to appear to be signed by a valid authority.

Netskope Protection

Netskope protects clients from HTTPS/SSL MITM attacks arising from this vulnerability through our Next-Gen Secure Web Gateway. Even if you are using vulnerable software and accessing a server that is trying to exploit this vulnerability, you will be protected. Netskope properly validates the server certificates, ensuring that the exploit never reaches the client.

Recommendation

We strongly recommended upgrading the machines to the latest security update provided by Microsoft.

To verify whether you are vulnerable, our friends at Kudelski security have created a webpage with a POC. If you are vulnerable, you will see a page with a “Hello World” message on it. If not, you will see no such message, only a blank page or a certificate error.