Proof-of-concept (PoC) code has been released for a now-patched, severe security flaw in the Windows CryptoAPI that was reported to Microsoft last year by the US National Security Agency (NSA) and the UK’s National Cyber Security Centre (NCSC).
Tracked as CVE-2022-34689 (CVSS score: 7.5), the spoofing vulnerability was addressed by the tech giant as part of its Patch Tuesday updates released in August 2022, but was publicly disclosed only two months later, on October 11, 2022.
“An attacker can manipulate an existing public X.509 certificate to impersonate them and perform actions such as authentication or code signing as the target certificate,” Microsoft said in an advisory issued at the time.
The Windows CryptoAPI provides an interface for developers to add cryptographic services such as data encryption/decryption and authentication using digital certificates to their applications.
Web security company Akamai, which released the PoC, said CVE-2022-34689 has its roots in the fact that a vulnerable piece of code designed to accept an X.509 certificate performed a check based solely on the MD5 fingerprint of the certificate.
MD5, a message-digest algorithm used for hashing, is essentially cryptographically broken as of December 2008 due to the risk of birthday attacks, a cryptanalytic method used to find collisions in a hash function.
The net effect of this shortcoming is that it opens the door for a bad actor to serve a modified version of a legitimate certificate to the victim’s application, then create a new certificate whose MD5 hash collides with that of the modified certificate and use it to masquerade as the original entity.
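A minimal Python model of the check described above, added here as an illustration (it is not Akamai's PoC or CryptoAPI code): one store accepts a certificate on a fingerprint match alone, the other also compares the full encoded bytes. The class and function names, the placeholder certificate bytes, and the 16-bit truncated MD5 used as a stand-in for a collision-prone digest are all assumptions made for the demo.

```python
import hashlib
import hmac
from itertools import count

def toy_fingerprint(blob: bytes) -> bytes:
    """Stand-in for a collision-prone digest: MD5 cut to 16 bits (demo assumption)."""
    return hashlib.md5(blob).digest()[:2]

def sha256_fingerprint(blob: bytes) -> bytes:
    return hashlib.sha256(blob).digest()

class FingerprintOnlyStore:
    """Flawed pattern: a fingerprint match alone marks a certificate as validated."""
    def __init__(self, fingerprint=toy_fingerprint):
        self._fingerprint = fingerprint
        self._validated = {}  # fingerprint -> encoded certificate bytes

    def add_validated(self, cert: bytes) -> None:
        self._validated[self._fingerprint(cert)] = cert

    def is_validated(self, cert: bytes) -> bool:
        return self._fingerprint(cert) in self._validated

class FullCompareStore(FingerprintOnlyStore):
    """Hardened pattern: the fingerprint is only an index; the bytes must match too."""
    def is_validated(self, cert: bytes) -> bool:
        cached = self._validated.get(self._fingerprint(cert))
        return cached is not None and hmac.compare_digest(cached, cert)

def colliding_blob(target: bytes, fingerprint=toy_fingerprint) -> bytes:
    """Find different bytes with the same toy fingerprint (feasible only at 16 bits)."""
    wanted = fingerprint(target)
    for n in count():
        candidate = b"CONSTRUCTED-OTHER-CERT-%d" % n
        if candidate != target and fingerprint(candidate) == wanted:
            return candidate

# Constructed placeholder bytes, not real DER-encoded certificates.
GENUINE = b"CONSTRUCTED-PLACEHOLDER-CERT subject=example.test"
LOOKALIKE = colliding_blob(GENUINE)

def accepts(store_cls, fingerprint, presented: bytes) -> bool:
    """Validate GENUINE once, then ask whether `presented` is treated as validated."""
    store = store_cls(fingerprint)
    store.add_validated(GENUINE)
    return store.is_validated(presented)
```

With the weak fingerprint, only the full-bytes comparison rejects the colliding input; a collision-resistant digest such as SHA-256 makes the index itself harder to abuse, but the byte comparison is what removes the dependence on the hash.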
In other words, the bug could be weaponized by a rogue hacker to stage mallory-in-the-middle (MitM) attacks and redirect users who rely on an older version of Google Chrome (v48 and earlier) to an arbitrary website chosen by the actor, simply because the susceptible version of the web browser trusts the malicious certificate.
“Certificates play a key role in verifying identity online, which makes this vulnerability profitable for attackers,” said Akamai.
Although the flaw has a limited scope, the Massachusetts-based company noted that “there is still a lot of code that uses this API and may be exposed to this vulnerability, which warrants a patch even for discontinued versions of Windows, like Windows 7.”