
Months after NSA disclosed Microsoft cert bug, datacenters remain unpatched
2023-01-26 02:07

Most Windows-powered datacenter systems and applications remain vulnerable to a spoofing bug in CryptoAPI that was disclosed by the NSA and the UK National Cyber Security Centre and patched by Microsoft last year, according to Akamai's researchers.

The bug isn't a remote code execution flaw. It is a spoofing weakness in the identity and certificate-validation checks Windows performs: it lets an attacker present one identity to an application or to the operating system while actually holding another.

At the heart of it, Microsoft used the MD5 hash algorithm to index and compare certificates, even though practical MD5 collision attacks, including chosen-prefix collisions, have been public for well over a decade.

What's more, only the four least-significant bytes of a certificate's MD5 thumbprint were used as the index, so two certificates need only agree in 32 bits of the hash to land on the same cache entry.
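To make the two preceding paragraphs concrete, here is an added, illustrative model of a thumbprint-keyed certificate cache. It is not Microsoft's code and not from the article or Akamai's research. Assumptions: "least-significant bytes" is taken to mean the trailing four bytes of the MD5 digest read as a little-endian integer (the article does not say); the certificate blobs are constructed stand-ins rather than real DER; and the "index-only" cache variant is a hypothetical worst case included for comparison, not something the article claims Windows did. The example shows how cheaply a 32-bit index collides (a birthday search of roughly 82,000 hashes), how a cache that compares the full MD5 thumbprint still rejects such a blob, and what a SHA-256 keyed replacement looks like.

```python
import hashlib


def md5_thumbprint(der: bytes) -> bytes:
    """Full 16-byte MD5 thumbprint of a (DER-encoded) certificate blob."""
    return hashlib.md5(der).digest()


def md5_cache_index(der: bytes) -> int:
    """32-bit index from the four least-significant bytes of the MD5 thumbprint.
    Assumption: these are the trailing four digest bytes read as a little-endian
    integer; the article does not say which bytes or byte order Windows used."""
    return int.from_bytes(md5_thumbprint(der)[-4:], "little")


def sha256_thumbprint(der: bytes) -> bytes:
    """Hardened key: the full SHA-256 thumbprint, used both to index and to compare."""
    return hashlib.sha256(der).digest()


class CertCache:
    """Toy thumbprint-keyed certificate cache. `index` selects the bucket,
    `compare` confirms a hit inside it. Illustrative only, not Microsoft's code."""

    def __init__(self, index, compare):
        self._index, self._compare = index, compare
        self._buckets = {}

    def insert(self, der: bytes, verdict: str) -> None:
        bucket = self._buckets.setdefault(self._index(der), [])
        bucket.append((self._compare(der), verdict))

    def lookup(self, der: bytes):
        key = self._compare(der)
        for cached_key, verdict in self._buckets.get(self._index(der), []):
            if cached_key == key:
                return verdict  # cached trust decision is reused for this blob
        return None


def index_only_cache():
    """Hypothetical worst case: the 32-bit index is also the comparison key."""
    return CertCache(index=md5_cache_index, compare=md5_cache_index)


def md5_compare_cache():
    """The scheme the article describes: 32-bit MD5 index, full-MD5 comparison."""
    return CertCache(index=md5_cache_index, compare=md5_thumbprint)


def sha256_cache():
    """Hardened variant: full SHA-256 thumbprint for both steps."""
    return CertCache(index=sha256_thumbprint, compare=sha256_thumbprint)


def fake_cert(i: int) -> bytes:
    """Constructed stand-in for a DER certificate: a fixed prefix plus a counter
    (a real attacker would vary a serial number or an extension instead)."""
    return b"\x30\x82constructed-cert-" + i.to_bytes(4, "big")


def find_index_collision(limit: int = 1 << 20):
    """Birthday search for two different blobs that share the 32-bit MD5 index.
    Expected cost is about sqrt(pi/2 * 2**32), roughly 82,000 hashes."""
    seen = {}
    for i in range(limit):
        blob = fake_cert(i)
        idx = md5_cache_index(blob)
        if idx in seen:
            return seen[idx], blob, i + 1
        seen[idx] = blob
    raise RuntimeError("no index collision within limit")


def demo() -> dict:
    """Cache a trust verdict for blob `a`, then look up `b`, which collides with
    `a` only on the 32-bit index. Returns what each cache variant hands back."""
    a, b, tries = find_index_collision()
    results = {
        "tries": tries,
        "same_index": md5_cache_index(a) == md5_cache_index(b),
        "same_md5": md5_thumbprint(a) == md5_thumbprint(b),
    }
    for name, factory in (("index_only", index_only_cache),
                          ("md5_compare", md5_compare_cache),
                          ("sha256", sha256_cache)):
        cache = factory()
        cache.insert(a, "trusted")
        results[name] = cache.lookup(b)
    return results


if __name__ == "__main__":
    print(demo())
```

Running `demo()` finds an index collision after tens of thousands of hashes; the hypothetical index-only cache then hands the attacker's blob the "trusted" verdict stored for the legitimate one, while the md5_compare cache rejects it because the full thumbprints differ. That second result is the real lesson: defeating a full-MD5 comparison needs a full MD5 collision, and chosen-prefix MD5 collisions have been practical since the late 2000s, so the comparison step was never a sound safeguard. The SHA-256 variant has no known collision and is the shape a fix should take.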

It's worth noting that the NSA also found and disclosed to Microsoft a similar CryptoAPI bug in 2020, tracked as CVE-2020-0601, an ECC certificate validation flaw that likewise could lead to identity spoofing.

The Register asked Microsoft what its takeaways were from the research and whether the IT giant planned to issue a patch for older Windows versions.


News URL

https://go.theregister.com/feed/www.theregister.com/2023/01/26/windows_cryptoapi_bug_akamai/

Related Vulnerability

DATE        CVE            VULNERABILITY TITLE                                                 RISK
2020-01-14  CVE-2020-0601  Improper Certificate Validation vulnerability in multiple products  8.1

Description: A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source, aka 'Windows CryptoAPI Spoofing Vulnerability'.
Attack vector: network, low complexity
Affected vendors: microsoft, golang
Weakness: CWE-295 (Improper Certificate Validation)
CVSS score: 8.1

Related vendor

VENDOR     LAST 12M  #/PRODUCTS  LOW  MEDIUM  HIGH  CRITICAL  TOTAL VULNS
Microsoft  365       -           50   1369    2820  161       4400
NSA        2         -           0    2       7     5         14

One of the two leading numeric columns (LAST 12M or #/PRODUCTS) is blank in the source rows; the LOW, MEDIUM, HIGH and CRITICAL counts sum to TOTAL VULNS for both vendors.