Proof-of-concept (Poc) code released for currently patched high-severity security flaw in Windows CryptoAPI reported to Microsoft last year by US National Security Agency (NSA) and UK National Cyber Security Center (NCSC) it was done. .
tracked as CVE-2022-34689 (CVSS score: 7.5), the spoofing vulnerability was addressed by the tech giant as part of Patch Tuesday updates released in August 2022, but two months later on October 11, 2022 was published on
“An attacker may manipulate an existing public x.509 certificate to disguise its identity and perform actions such as authentication and code signing as the target’s certificate,” Microsoft said in an advisory statement at the time. said in Li.
Windows CryptoAPI provides an interface for developers to add cryptographic services to their applications, such as data encryption/decryption and authentication using digital certificates.
The web security company Akamai, which published the PoC, clarified the fact that CVE-2022-34689 was caused by vulnerable code designed to accept x.509 certificates, performing checks that relied solely on the certificate’s MD5 fingerprint. said to be rooted in
MD5, the message digest algorithm used for hashing, is essentially cryptographically broken as of December 2008. This is because of the risk of birthday attacks (cryptanalysis used to find hash function collisions).
The net effect of this shortcoming is that a malicious actor provides a modified version of a legitimate certificate to the victim’s app, creates a new certificate whose MD5 hash collides with the fraudulent certificate, and is to impersonate using original entity.
In other words, a malicious intruder could use this vulnerability as a weapon to perform a Mallory-in-the-middle (MitM) attack, infecting users with older versions of Google Chrome (versions 48 and earlier). website. The attacker chose it for the simple reason that the affected version of her web browser trusts the malicious certificate.
“Certificates play an important role in online identity verification, making this vulnerability an advantage for attackers,” Akamai said.
Although the vulnerability’s scope is limited, the Massachusetts-based company said, “There is still a lot of code that uses this API and could be exposed to this vulnerability. Obsolete versions of Windows should also be patched.”
