Security News > 2023 > January > Researchers release PoC exploit for critical Windows CryptoAPI bug (CVE-2022-34689)
Akamai researchers have published a PoC exploit for a critical vulnerability in Windows CryptoAPI, which validates public key certificates.
"An attacker could manipulate an existing public x.509 certificate to spoof their identity and perform actions such as authentication or code signing as the targeted certificate," Microsoft said in October 2022, when they announced fixes for vulnerable Windows and Windows Server versions.
"The root cause of the bug is the assumption that the certificate cache index key, which is MD5-based, is collision-free. Since 2009, MD5's collision resistance is known to be broken," researchers Tomer Peled and Yoni Rozenshein explained.
"The attack flow is twofold. The first phase requires taking a legitimate certificate, modifying it, and serving the modified version to the victim. The second phase involves creating a new certificate whose MD5 collides with the modified legitimate certificate, and using the new certificate to spoof the identity of the original certificate's subject."
To exploit CVE-2022-34689, the first certificate, which is generated in a way that facilitates a chosen prefix collision attack and is correctly signed and verified, needs to be cached by the CryptoAPI, so that the second certificate can be promptly trusted because Microsoft does not re-check cached certificates.
The researchers advise admins to apply the latest security patch released by Microsoft on Windows servers and endpoints, and developers to switch to using other WinAPIs to check the validity of a certificate before using it.
News URL
https://www.helpnetsecurity.com/2023/01/26/poc-exploit-cve-2022-34689/
Related news
- PoC exploit for critical Fortra FileCatalyst MFT vulnerability released (CVE-2024-25153) (source)
- Exploit available for new critical TeamCity auth bypass bug, patch now (source)
- March 2024 Patch Tuesday: Microsoft fixes critical bugs in Windows Hyper-V (source)
- Hackers exploit Windows SmartScreen flaw to drop DarkGate malware (source)
- PoC for critical Arcserve UDP vulnerabilities published (CVE-2024-0799, CVE-2024-0800) (source)
- Researchers Detail Kubernetes Vulnerability That Enables Windows Node Takeover (source)
- Critical FortiClient EMS vulnerability fixed, (fake?) PoC for sale (CVE-2023-48788) (source)
- Critical Rust flaw enables Windows command injection attacks (source)
- Critical 'BatBadBut' Rust Vulnerability Exposes Windows Systems to Attacks (source)
- Researchers Uncover First Native Spectre v2 Exploit Against Linux Kernel (source)
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2022-10-11 | CVE-2022-34689 | Authentication Bypass by Spoofing vulnerability in Microsoft products Windows CryptoAPI Spoofing Vulnerability | 7.5 |