Exploit released for critical Windows CryptoAPI spoofing flaw

Proof of concept exploit code has been released by Akamai researchers for a critical Windows CryptoAPI vulnerability discovered by the NSA and the UK’s NCSC, which allows MD5 collision certificate spoofing.

Tracked as CVE-2022-34689, this security flaw was fixed with security updates released in August 2022, but Microsoft didn’t disclose this until October when the announcement was first published.

“An attacker could manipulate an existing public x.509 certificate to spoof their identity and perform actions such as authentication or code-signing as the targeted certificate,” Microsoft explains.

Unauthorized attackers can exploit this flaw (tagged by Redmond as critical) in low-complexity attacks.

Today, security researchers with cloud security firm Akamai published a proof of concept (PoC) exploit and shared an OSQuery to help defenders discover CryptoAPI library versions that are vulnerable to attack.

“We have searched for applications in the wild that use the CryptoAPI in a way that is vulnerable to this spoofing attack. So far, we have found that old versions of Chrome (v48 and earlier) and Chromium-based applications can be exploited, ” the researchers said.

“We believe there are more vulnerable targets in the wild, and our research is still ongoing. We found that less than 1% of visible devices in data centers are patched, leaving the rest unprotected from exploiting this vulnerability .”

By exploiting this vulnerability, attackers could affect the validation of trust for HTTPS connections and signed executable code, files, or emails.

For example, threat actors could take advantage of this vulnerability to sign malicious executable files with a forged code-signing certificate, giving the impression that the file is from a trusted source.

As a result, the targets would have no indication that the file is actually malicious, as the digital signature appears to come from a reputable and trustworthy provider.

Should an attack using a CVE-2022-34689 exploit succeed, it could also allow attackers to perform man-in-the-middle attacks and decrypt confidential information about user connections to the affected software, such as web browsers using Windows ‘ CryptoAPI cryptography library.

“There is still a lot of code that uses this API and could be exposed to this vulnerability, which warrants a patch, even for discontinued versions of Windows, like Windows 7. We advise you to patch your Windows servers and endpoints with the latest security patch released by Microsoft,” Akamai said.

“For developers, another option to mitigate this vulnerability is to use other WinAPIs to double-check the validity of a certificate before using it, such as CertVerifyCertificateChainPolicy. Keep in mind that applications that do not use the end-certificate cache do not are vulnerable.”

The NSA reported another Windows CryptoAPI spoofing flaw (CVE-2020-0601) two years ago, with a much broader scope and affecting more potentially vulnerable targets.

PoC exploit code for the vulnerability, now known as CurveBall, was released within 24 hours by Swiss cybersecurity outfit Kudelski Security and security researcher Oliver Lyak.

At the time, CISA ordered federal agencies to patch all affected endpoints within ten business days in its second-ever emergency directive.