This script can detect exploit attempts for CVE-2020-0601. It performs a simple check to see if a known curve is used in a certificate - if this is not the case a notice is raised.
Example notice in notice.log:
1579043477.791522 CHhAvVGS1DHFjwGM9 192.241.209.49 46110 192.241.202.21 4433 F37z6n1B8zn1fZjpj application/x-x509-user-cert 192.241.202.21:4433/tcp tcp CVE_2020_0601::Unknown_X509_Curve ECC certificate with unknown curve; potential CVE-2020-0601 exploit attempt - 192.241.209.49 192.241.202.21 4433 - - Notice::ACTION_LOG 3600.000000 - - - - -
To log suspicious certificates please use
redef CVE_2020_0601::log_certs = T;
in your local.zeek to turn on extraction. Once this is turned on, suspicious certificates will be logged to a new cve-2020-0601-certs.log file.
This script requires an OpenSSL installation that automatically converts explicit curves to names while the certificate is parsed. Many versions of OpenSSL shipped by different Linux distributions do not seem to do that; I am currently a bit unsure of why this is the case.
Using OpenSSL versions with differing behavior will lead to a higher amount of false positives. The tests for this package will check OpenSSL behavior during installation; if the "explicit.zeek" tests fails your version of OpenSSL does not behave as required.
In this case, the script will alert on all certificates that have explicit curve definitions too; these should be very very rare, but are not per se a problem.
There is a second version of this plugin available at https://github.com/0xxon/cve-2020-0601-plugin. The second version uses OpenSSL primitives to directly check a certificate curve. However, the plugin version requires OpenSSL 1.1.x - and requires C++ code to be built and loaded in your Zeek installation.
The advantages of the plugin version at https://github.com/0xxon/cve-2020-0601-plugin are a higher accuracy - with more specific notices that give more information about an exploit attempt that was found. The disadvantages mostly are higher installation friction.
While this plugin successfully detects known POC code, it is possible (but unlikely) that another variant of the attack might not be detected.