Researchers Release PoC Exploit for Windows CryptoAPI Bug Discovered by NSA
Fnord666 writes:
Proof-of-concept (PoC) code has been released for a now-patched high-severity security flaw in the Windows CryptoAPI that the U.S. National Security Agency (NSA) and the U.K. National Cyber Security Centre (NCSC) reported to Microsoft last year.
Tracked as CVE-2022-34689 (CVSS score: 7.5), the spoofing vulnerability was addressed by the tech giant as part of Patch Tuesday updates released in August 2022, but was only publicly disclosed two months later on October 11, 2022.
"An attacker could manipulate an existing public x.509 certificate to spoof their identity and perform actions such as authentication or code signing as the targeted certificate," Microsoft said in an advisory released at the time.
CryptoAPI bug makes 99% of Windows servers vulnerable
According to Redmond's security bulletin, CVE-2022-34689 can be exploited to spoof an attacker's true identity and perform actions "such as authentication or code signing as the targeted certificate."
As explained by Akamai, the gist of the issue is that CryptoAPI makes the assumption that "the certificate cache index key, which is MD5-based, is collision-free." MD5 has been known for being vulnerable to collision issues - two chunks of data which happen to have the very same MD5 hash - for a long time now, but old software versions using CryptoAPI are still vulnerable to the flaw.
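The cache assumption Akamai describes, shown as an added example that is not part of the original post and is not CryptoAPI's code: a cache of already-verified certificates that trusts an index-key match, beside one that also compares the full certificate bytes. The class names, the constructed byte strings, and the 2-byte truncation of MD5 (used only so two inputs with the same key can be found instantly) are assumptions.

```python
import hashlib
from itertools import count


def index_key(cert: bytes) -> bytes:
    # Stand-in for an MD5-based cache index key. Truncated to 2 bytes
    # (assumption) so the demo can produce two inputs with the same key.
    return hashlib.md5(cert).digest()[:2]


class WeakCache:
    """Treats an index-key match as proof the certificate was verified."""

    def __init__(self):
        self._verified = {}

    def add_verified(self, cert: bytes) -> None:
        self._verified[index_key(cert)] = cert

    def is_trusted(self, cert: bytes) -> bool:
        # Flawed assumption: the key is collision-free.
        return index_key(cert) in self._verified


class HardenedCache(WeakCache):
    """Uses the key only to locate an entry, then compares every byte."""

    def is_trusted(self, cert: bytes) -> bool:
        cached = self._verified.get(index_key(cert))
        return cached is not None and cached == cert


def same_key_different_bytes(target: bytes) -> bytes:
    # Constructed sample input: a different byte string with the same key.
    want = index_key(target)
    for i in count():
        candidate = b"constructed-unverified-cert-%d" % i
        if candidate != target and index_key(candidate) == want:
            return candidate


def demo():
    verified = b"constructed-verified-cert"
    other = same_key_different_bytes(verified)
    weak, hard = WeakCache(), HardenedCache()
    weak.add_verified(verified)
    hard.add_verified(verified)
    return weak.is_trusted(other), hard.is_trusted(other), hard.is_trusted(verified)


if __name__ == "__main__":
    print(demo())
```

The weak cache accepts the second, never-verified byte string because it only checks the key; the hardened cache rejects it while still serving the genuinely cached entry.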