Months after NSA disclosed Microsoft cert bug, datacenters remain unpatched
You know when we all said quit using MD5? We really meant it
Most Windows-powered datacenter systems and applications remain vulnerable to a spoofing bug in CryptoAPI that was disclosed by the NSA and the UK National Cyber Security Center (NCSC) and patched by Microsoft last year, according to Akamai's researchers.
CryptoAPI helps developers secure Windows-based apps using cryptography; the API can be used, for instance, to validate certificates and verify identities.
The vulnerability in question (CVE-2022-34689) can be exploited by miscreants to digitally sign malicious executables in a way that tricks Windows and apps into believing the files are from trusted, legitimate sources and can be opened or installed. Exploiting this will involve getting said files onto victims' machines and run.
Alternatively, an attacker can craft a TLS certificate that appears to belong to another organization and trick an application into trusting the cert, if that application uses CryptoAPI to analyze the certificate. The app believes the attacker is the spoofed organization. The bug isn't a remote code execution flaw; it's a vulnerability that allows someone to pretend to be another to an application or operating system, in the context of identity and certificate cryptography checks on Windows.
Microsoft quietly patched the vulnerability in August 2022; though it was labeled critical, it was given a CVSS severity score of just 7.5 out of 10. Later, when Redmond disclosed the bug in October, the IT giant said the security flaw hadn't been exploited and wasn't publicly known, but it did deem "exploitation more likely."
And now that Akamai has published proof-of-concept code that demonstrates exploitation, Microsoft's fears perhaps inch closer to reality. The PoC demo exploits an old version of Chrome on Windows, which uses CryptoAPI to check certificates, using a man-in-the-middle attack to make the browser think it's talking to the legit server for a HTTPS website but is in fact using a malicious fake. The PoC doesn't get more useful than that.
Akamai also asserted that the vast majority of public-facing Windows-powered servers in datacenters around the world it has studied haven't been patched to close the hole. We note that for the bug to be exploited in practice, there needs to be an application or service running on the box that uses CryptoAPI in a way that opens it up to spoofing. For an attack to succeed, there needs to be
"We found that fewer than one percent of visible devices in data centers are patched, rendering the rest unprotected from exploitation of this vulnerability," Akamai security researchers Tomer Peled and Yoni Rozenshein concluded.
When asked if this means that 99 percent — virtually all — Windows datacenter endpoints remain vulnerable, Peled clarified to The Register:
Yes, we can confirm that from the subset of endpoints we scanned we found that 99% were not patched with the August security patch, but that does not mean that the endpoint is vulnerable because there also needs to be a vulnerable app to take advantage of this exploit.
The researchers said they did poke around for vulnerable applications that use CryptoAPI in a way that is vulnerable to this spoofing attack. "So far, we found that old versions of Chrome (v48 and earlier) and Chromium-based applications can be exploited," the duo wrote. "We believe there are more vulnerable targets in the wild and our research is still ongoing."
There's a video [MP4] you can watch demonstrating exploitation against Chrome but here's the short version of that spoofing attack simply put.
At the heart of it, Microsoft used the hashing algorithm MD5 to index and compare security certificates. It's trivial to break MD5 with what's called a collision: a situation where two different blocks of data result in the same MD5 hash value. What's more, Microsoft used the four least-significant bytes of a certificate's MD5 thumbprint to index it.
So what you need to do is this: trick an application such as Chrome 48, which uses the Windows CryptoAPI, into connecting to a man-in-the-middle server that wants to pretend to be the website the user actually wanted. The malicious server sends the impersonated website's legit HTTPS cert to the browser, which passes it to CryptoAPI for processing and the cert is cached in memory on the user's PC.
The cert is stored in this cache using part of the MD5 thumbprint of the cert's data as the index. The malicious server meanwhile modifies the legit certificate so it can masquerade as the website, and ensures this new tampered-with evil certificate results in the same MD5-computed cache index as the real one. The server causes the browser to ask for the website's certificate again, at which point the server hands over the evil cert.
The CryptoAPI library computes the MD5 fingerprint for the evil cert and its index in the cache, sees that there's already a valid cert in the cache for that index, and thus trusts the evil certificate. Now you've tricked the system into thinking the malicious cert is real. How this is exploited in the real world to cause actual harm... well, you need to be a skilled and determined miscreant, and there are probably easier security weaknesses to target. See the above link to Akamai's write-up for full technical details.
"The root cause of the bug is the assumption that the certificate cache index key, which is MD5-based, is collision-free," the researcher duo explained. "Since 2009, MD5's collision resistance is known to be broken."
- Bad news: Windows security cert SNAFU exploits are all over the web now. Also bad: Citrix gateway hole mitigations don't work for older kit
- It's Patch Tuesday and still no fix for ProxyNotShell Microsoft Exchange holes
- Top tip, everyone: Chinese hackers are hitting these 25 vulns, so make sure you patch them ASAP, says NSA
- Welcome to the 2020s: Booby-trapped Office files, NSA tipping off Windows cert-spoofing bugs, RDP flaws...
It's worth noting that the NSA also found and disclosed to Microsoft a similar CryptoAPI bug in 2020 tracked as CVE-2020-0601 that also could lead to identity spoofing.
However, while the older vulnerability affected many unpatched systems and was a favorite among Chinese state-sponsored criminals, this latest "CVE-2022-34689 has more prerequisites and thus has a more limited scope of vulnerable targets," according to Akamai.
"That being said, there is still a lot of code that uses this API and might be exposed to this vulnerability, warranting a patch even for discontinued versions of Windows, like Windows 7," the researchers added.
The Register asked Microsoft what its takeaways were from the research and whether the IT giant planned to issue a patch for older Windows versions. A spokesperson instead told us: "We released a security update last year, as part of our normal Update Tuesday process. We recommend that customers apply the update to help stay secure and protected." ®