Researchers release exploit for Microsoft critical bug
Akamai researchers have published a proof-of-concept (PoC) for a vulnerability in a Microsoft tool that enables the Windows application development interface to deal with cryptography.
The vulnerability, CVE-2022-34689, was discovered by the National Cyber Security Centre and the National Security Agency of the United Kingdom. It affects the CryptoAPI tool and allows an attacker to pose as a legitimate entity. The vulnerability, which has a vulnerability score of 7.5 out of 10, was patched in August 2022 but was only disclosed by Microsoft in October.
The premise that the credential cache index key, which is MD5-based, is collision-free is the underlying cause of the bug. MD5’s collision resistance has been known to be broken since 2009. The attack flow is dual in nature. The first step is to take a legitimate certificate, modify it, and then serve the modified version to the victim. The second phase entails creating a new certificate whose MD5 matches that of the modified legitimate certificate, and then using the new certificate to impersonate the subject of the original certificate.
“An attacker could manipulate an existing public x.509 certificate to spoof their identity and perform actions such as authentication or code signing as the targeted certificate,” Microsoft said in October 2022, when they announced fixes for vulnerable Windows and Windows Server versions.
To exploit CVE-2022-34689, the CryptoAPI must cache the first certificate (with the same MD5 thumbprint as the previous one) so that the second certificate (with the same MD5 thumbprint as the previous one) can be trusted immediately because Microsoft does not re-check cached certificates.
The Windows CryptoAPI provides an interface for developers to add cryptographic services to their applications, such as data encryption/decryption and authentication via digital certificates.
It is therefore important that organizations install the latest update in order to ensure that they are not vulnerable to flaws that can be exploited by attackers.
The sources for this piece include an article in TheHackerNews.