Get in Touch
Proof of concept exploit code released for Windows CryptoAPI spoofing vulnerability
Indiscriminate, opportunistic targeting.
Severity level: High – Common Vulnerability Scoring System (CVSS) score: 7.5
A proof of concept (PoC) exploit code was released by Akamai researchers for a critical Windows CryptoAPI vulnerability which was discovered by the National Security Agency (NSA) and the National Cyber Security Centre (NCSC). An OSQuery was also shared to aid in the detection of CryptAPI library versions that are vulnerable to related attacks. The vulnerability is being tracked as CVE-2022-34689 (CVSS score – 7.5), the successful exploitation of which results in MD5-collision certificate spoofing.
The vulnerability allows the verification process of certificates to be manipulated and, as such, this will become a lucrative target for threat actors, as security protection measures can ultimately be bypassed.
The Akami researchers further elaborated on the pre-requisite criteria for a device to be classified as vulnerable in the following statement:
“In order to exploit this vulnerability two things need to be true: The machine needs to be missing the Windows patch that was released in August 2022 and the application must use CryptoAPI for certificate verification, and enable a CryptoAPI feature called ‘end certificate caching’. This was intended as a performance-boosting feature, but a bug in its implementation causes it to be vulnerable.”
Regardless of the fact that the vulnerability was disclosed in August 2022, at the time of writing, less than 1% of visible host machines within datacentres have been patched.
Successful exploitation of the vulnerability will result in the manipulation of an existing public x.509 certificate and subsequent identity spoofing, the ultimate objective of which, being the performance of authentication or code signing as the targeted certificate. As such, threat actors could impact the validation of trust for HTTPS connections and signed executable code, files, or emails, giving the appearance that the target elements originate from a trusted source.
An additional consequence of an exploitation would be the provision of the ability for threat actors to perform man-in-the-middle attacks and decrypt confidential information on user connections to the affected software, such as web browsers that use Windows’ CryptoAPI cryptography library.
Windows have patched the aforementioned vulnerability within the respective product versions. As such, previous versions are vulnerable to the potential exploits.
The following Windows versions are vulnerable to this exploit:
- Windows 7
- Windows 8.1
- Windows Rt 8.1
- Windows 10
- Windows 11
- Windows Server 2008
- Windows Server 2012
- Windows Server 2016
- Windows Server 2019
- Windows Server 2022.
Furthermore, Chrome version 48 and below, as well as Chromium-based applications can potentially be exploited by the vulnerability.
Containment, Mitigations & Remediations
To mitigate the reported vulnerabilities, it is highly recommended that the associated Windows servers and endpoints are upgraded with the latest security patch released by Microsoft.
Furthermore, due to the fact that there is an abundance of code that utilises the API, patching discontinued versions of Windows, such as Windows 7, would also be warranted.
In the case of developers, an additional mitigation strategy would be to utilise alternative WinAPIs in order to verify the validity of certificates, prior to use.
Indicators of Compromise
At the current time, there are no known IOCs available.
Windows possesses 28.41% of the operating system market share. Threat actors generally utilise a combination of factors in the form of probability and asset value to determine which attack surfaces to focus on. As a result, Windows products have become a prime target for threat actors. Due to the fact that Windows machines have become an integral aspect of both personal and business affairs, threat actors will continue to exploit vulnerabilities contained within the associated devices in an attempt to exfiltrate the sensitive data contained therein.
At the time of writing, less than 1% of visible host machines within datacentres have been patched. As such, it is likely that threat actors will attempt to target Windows devices, resulting in it being crucial that the recommended patches are applied as soon as possible.
T1649 – Steal or Forge Authentication Certificates
T1557 – Adversary-in-the-Middle
T1588.003 – Obtain Capabilities: Code Signing Certificates
T1036.001 – Masquerading: Invalid Code Signature
Bleeping Computer news article