Researchers release PoC exploit for critical Windows CryptoAPI bug (CVE-2022-34689)
Akamai researchers have published a PoC exploit for a critical vulnerability in Windows CryptoAPI, which validates public key certificates.
"An attacker could manipulate an existing public x.509 certificate to spoof their identity and perform actions such as authentication or code signing as the targeted certificate," Microsoft said in October 2022, when they announced fixes for vulnerable Windows and Windows Server versions.
"The root cause of the bug is the assumption that the certificate cache index key, which is MD5-based, is collision-free. Since 2009, MD5's collision resistance is known to be broken," researchers Tomer Peled and Yoni Rozenshein explained.
"The attack flow is twofold. The first phase requires taking a legitimate certificate, modifying it, and serving the modified version to the victim. The second phase involves creating a new certificate whose MD5 collides with the modified legitimate certificate, and using the new certificate to spoof the identity of the original certificate's subject."
To exploit CVE-2022-34689, the first certificate, crafted to enable a chosen-prefix collision but still correctly signed and verified, must first be cached by CryptoAPI. Because Microsoft's implementation does not re-check cached certificates, the second, colliding certificate is then trusted immediately.
The researchers advise admins to apply the latest security patch released by Microsoft on Windows servers and endpoints, and developers to switch to using other WinAPIs to check the validity of a certificate before using it.
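The cache-index flaw the researchers describe, reduced to a small model as an added example (not code from the article or from Akamai's PoC): a verdict cache keyed by MD5 lets a second blob whose digest collides inherit the first blob's trusted verdict, whereas keying by SHA-256, or storing the full bytes and comparing them before reusing a verdict, closes the gap. The two blobs are the public two-block MD5 collision pair standing in for DER; the trust anchor and every function and class name are assumptions.

```python
import hashlib
from typing import Dict, Tuple

# Constructed stand-ins for two distinct certificate blobs with one MD5 digest (public collision pair, not X.509).
CERT_A = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
CERT_B = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)
# Hypothetical trust anchor: only CERT_A passes full validation.
TRUSTED_SHA256 = {hashlib.sha256(CERT_A).hexdigest()}

def digest_key(hash_name: str, cert: bytes) -> bytes:
    """Cache index key: a digest of the raw certificate bytes."""
    return hashlib.new(hash_name, cert).digest()

def full_validation(cert: bytes) -> bool:
    """Stand-in for the expensive chain check the cache is meant to short-circuit."""
    return hashlib.sha256(cert).hexdigest() in TRUSTED_SHA256

class VerdictCache:
    """key_hash='md5' with store_cert=False models the flawed design."""

    def __init__(self, key_hash: str, store_cert: bool = False):
        self.key_hash, self.store_cert = key_hash, store_cert
        self.entries: Dict[bytes, Tuple[bytes, bool]] = {}

    def is_trusted(self, cert: bytes) -> bool:
        key = digest_key(self.key_hash, cert)
        hit = self.entries.get(key)
        # Reuse the cached verdict only if no bytes were stored, or the stored bytes match.
        if hit is not None and (not self.store_cert or hit[0] == cert):
            return hit[1]
        verdict = full_validation(cert)
        self.entries[key] = (cert if self.store_cert else b"", verdict)
        return verdict

def cache_vouches_for_collision(key_hash: str, store_cert: bool = False) -> bool:
    """Warm the cache with the trusted blob, then look up the colliding one."""
    cache = VerdictCache(key_hash, store_cert)
    cache.is_trusted(CERT_A)         # legitimate certificate validated and cached
    return cache.is_trusted(CERT_B)  # True means the cache vouched for different bytes
```

With an MD5 key and no byte comparison the lookup for CERT_B returns the verdict computed for CERT_A; either a collision-resistant key or a byte comparison on cache hit makes it fall through to full validation.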
News URL
https://www.helpnetsecurity.com/2023/01/26/poc-exploit-cve-2022-34689/
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-10-11 | CVE-2022-34689 | Windows CryptoAPI Spoofing Vulnerability (Authentication Bypass by Spoofing in Microsoft products) | 7.5 |