Another security vulnerability has been found in Microsoft's Windows CryptoAPI. Although Microsoft patched the vulnerability as early as August last year, the technology company Akamai pointed out that a large number of devices on the network are still unpatched, and it has released a proof of concept (PoC) for exploiting the vulnerability. Wherever the vulnerability still exists, it allows hackers to install various kinds of malware through fake certificates.
CryptoAPI is the cryptographic functionality Microsoft added to the Windows operating system. It can be used to encrypt or decrypt data, and to verify that the certificate on downloaded software matches the developer's certificate, to prevent counterfeiting. However, the British National Security Agency discovered a vulnerability in Windows CryptoAPI last year (CVE-2022-34689) that allows hackers to forge the MD5 value in software messages, successfully passing off malware as software released by another trusted organisation, or to carry out man-in-the-middle attacks in which incoming and outgoing messages are intercepted and decrypted.
Akamai researchers pointed out that, through this vulnerability, hackers can undermine the trustworthiness of HTTPS encrypted connections, signed code, files, and emails, so that the Windows operating system and other security tools fail to detect anything suspicious and authorise the malware installation. The researchers also pointed out that less than 1% of the data center devices found on the network have installed the security update. In addition, Chrome v48 and earlier, as well as other browsers built on Chromium, all have the same vulnerability, and the researchers warn that it could trigger very serious security incidents.
The researchers added that, besides servers that are publicly discoverable on the Internet, other Windows 7 devices and applications that are no longer supported still use this problematic API. IT administrators and users are therefore strongly advised to install the Windows updates from Microsoft immediately to protect servers and endpoint devices. For developers, the researchers suggest that when using other WinAPI functions in future, the validity of a certificate must be double-checked; for example, they can refer to CertVerifyCertificateChainPolicy.
This is not the first time a Windows CryptoAPI spoofing vulnerability has occurred. More than two years ago the United States National Security Agency discovered a similar flaw, and security researchers released exploitation methods and code within 24 hours of the report being published, which indirectly forced US CISA to urgently order federal agencies to patch all endpoint devices within ten working days, showing how severe the problem was.
Source: https://www.bleepingcomputer.com/news/security/exploit-released-for-critical-windows-cryptoapi-spoofing-bug/
Related article: [Verification Vulnerabilities] Microsoft Security Certificate Untrusted: Adding Drivers to Easily Obtain the Highest Privilege