Most Windows Data Centers Still Vulnerable to CryptoAPI Spoofing Bug

Researchers from Akamai say that most Windows data centers have not patched systems against a critical spoofing vulnerability in CryptoAPI. The US National Security Agency (NSA) and the UK National Cybersecurity Centre (NCSC) disclosed the vulnerability to Microsoft and the issue was patched in August 2022. In the update guide for the vulnerability (CVE-2022-34689), Microsoft writes, “An attacker could manipulate an existing public x.509 certificate to spoof their identity and perform actions such as authentication or code signing as the targeted certificate.”

Note

• What’s changed here is that Akamai published a PoC for exploiting this flaw, which means if you were avoiding deploying the fix because of concerns with altering the CryptoAPI, you need to move forward. Research found the one app vulnerable to this attack was Chrome v48, which is old. Applications that don’t use certificate caching are not impacted. Roll out the update.
• This is an example of outdated use of MD5 hashes and not all that easy to exploit before this proof of concept code came out – the CVSS base score was relatively low (6.5-7.5). But, a nice New Year’s resolution would be to get IT to commit to faster patching of all data center software – with the ease of cloud-based patch QA, lowering data center time to patch from 6 months to 3 months would be a nice raising of the bar.

Read more in

• Windows CryptoAPI Spoofing Vulnerability
• Exploiting a Critical Spoofing Vulnerability in Windows CryptoAPI